Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Mon, 31 Mar 2014 23:33:23 -0400 (EDT)
From: cve-assign@...re.org
To: mmcallis@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE requests: Zend Framework issues fixed in ZF2014-01 and ZF2014-02

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is somewhat complex in the sense that all of the issues are
within the scope of CVE but the disclosures only marginally have
enough information to determine the correct number of CVE IDs. We did
not want to combine independent discoveries into the same CVE ID.


http://framework.zend.com/security/advisory/ZF2014-01

CVE-2014-2681 - This CVE is for the lack of protection against XML
External Entity injection attacks in some functions, because of the
incomplete fix in CVE-2012-5657. It appears that this only affects
Zend Framework 1.x, although that isn't critical to determining the
number of CVE IDs.

CVE-2014-2682 - This CVE is for the failure to consider that the
libxml_disable_entity_loader setting is shared among threads in the
PHP-FPM case. Again, the existence of this CVE means that the
CVE-2012-5657 fix was incomplete. It appears that this affects more
than just Zend Framework 1.x, although that isn't critical to
determining the number of CVE IDs.

CVE-2014-2683 - This CVE is for the lack of protection against XML
Entity Expansion attacks in some functions, because of the incomplete
fix in CVE-2012-6532. It appears that this also affects more than just
Zend Framework 1.x, although that isn't critical to determining the
number of CVE IDs.


http://framework.zend.com/security/advisory/ZF2014-02

CVE-2014-2684 - This CVE is for the error in the consumer's verify
method that leads to acceptance of wrongly sourced tokens. The same
CVE is used for Zend Framework 1.x and ZendOpenId 2.x, even though the
code is not identical.

CVE-2014-2685 - This CVE is for the specification violation in which
signing of a single parameter is incorrectly considered sufficient.
Again, this CVE is for both Zend Framework 1.x and ZendOpenId 2.x.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTOjKAAAoJEKllVAevmvmsQTwH/jHloIXxpsbVGuNkGo7PyECc
jGOQJH24syG+P7camYEpTrLM2mz8OHALjaWlR1ySUI+pDhDWCqVy1JaxEFTjan+E
bFMPASXQIEqptEe25fERTaELcmyN7mhhCFKYejuInORd2fawL0OO4HuDiP8vjxyb
oKSCx4o/Le2A6L3q05VWVYvHFsZHSPTBQ1RwLmhiPPBk69b0BC0VP8rchgqU3IlK
g67b0x6v1x9WnNFa3Nr5eFtdYsuRS/8XYS6hbE5wX9cdZ04InO+fqX3EsXmygamI
X+tvKlm4u+CvJtNtTFOVPc7jJ4yLYD/x2ZZ7X+3a0dG+oJ+Z/C32wuOnxrKA0KQ=
=LGQc
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.