ZF2016-11: Potential Insufficient Entropy

April 13, 2016

There are several methods used to generate random numbers in ZF1 that potentially used insufficient entropy. Moreover, there’s a potential security issue in the usage of the openssl_random_pseudo_bytes() function in Zend_Crypt_Math::randBytes, reported in PHP BUG #70014, and the security implications reported in a discussion on the random_compat library.

References

framework.zend.com/security/advisory/ZF2016-01
bugs.php.net/bug.php?id=70014
github.com/paragonie/random_compat/issues/96

Code Behaviors & Features

Detect and mitigate ZF2016-11 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →