CVE-2012-3363

Name	CVE-2012-3363
Description	Zend_XmlRpc in Zend Framework 1.x before 1.11.12 and 1.12.x before 1.12.0 does not properly handle SimpleXMLElement classes, which allows remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, aka an XML external entity (XXE) injection attack.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-2505-1
Debian Bugs	679215, 703870

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
zendframework (PTS)	jessie, jessie (lts)	1.12.9+dfsg-2+deb8u7	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
moodle	source	squeeze	(not affected)
moodle	source	(unstable)	2.5-1		703870
zendframework	source	squeeze	1.10.6-1squeeze1	DSA-2505-1
zendframework	source	(unstable)	1.11.12-1		679215

[squeeze] - moodle <not-affected> (Vulnerable code not present)