Debian Security Advisory

DLA-566-1 cakephp -- LTS security update

Date Reported:
28 Jul 2016
Affected Packages:
cakephp
Vulnerable:
Yes
Security database references:
In the Debian bugtracking system: Bug 832283.
More information:

CakePHP, an open-source web application framework for PHP, was vulnerable to SSRF (Server Side Request Forgery) attacks. A remote attacker can use this for at least DoS (Denial of Service) attacks if the target application accepts XML as input. The issue is caused by the insecure design of Cake's Xml class.

For Debian 7 Wheezy, these problems have been fixed in version 1.3.15-1+deb7u1.

We recommend that you upgrade your cakephp packages.
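
One way to check a Debian 7 Wheezy host against the fixed version named above. This is an added example, not part of the advisory; the function names and status labels are hypothetical, and the `sort -V` fallback is an approximation used only where `dpkg` is absent.

```sh
#!/bin/sh
# Added example: compare the installed cakephp package with the fix
# from DLA-566-1. Only meaningful on Debian 7 Wheezy.
FIXED='1.3.15-1+deb7u1'   # fixed version stated in the advisory

# version_lt A B: succeeds when version A sorts before version B.
# Uses dpkg's own comparison when present. The sort -V fallback only
# approximates Debian ordering (no epochs, no '~' suffixes).
version_lt() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" lt "$2"
    else
        [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
    fi
}

# cakephp_status VERSION: classify a cakephp package version string.
# An empty string means the package is not installed.
cakephp_status() {
    if [ -z "$1" ]; then
        echo 'not-installed'
    elif version_lt "$1" "$FIXED"; then
        echo 'vulnerable'
    else
        echo 'fixed'
    fi
}

# installed_cakephp: print the installed cakephp version, or nothing
# when the package (or dpkg-query itself) is absent.
installed_cakephp() {
    command -v dpkg-query >/dev/null 2>&1 || return 0
    dpkg-query -W -f='${Status} ${Version}\n' cakephp 2>/dev/null |
        awk '$3 == "installed" { print $4 }'
}

echo "cakephp: $(cakephp_status "$(installed_cakephp)") (fixed in $FIXED)"
```

A `vulnerable` result means the package predates the fix and should be upgraded; a copy of CakePHP bundled inside an application tree is not covered by this package check.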

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS