Date: Mon, 31 Mar 2014 23:33:23 -0400 (EDT)
From: cve-assign@...re.org
To: mmcallis@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE requests: Zend Framework issues fixed in ZF2014-01 and ZF2014-02

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is somewhat complex in the sense that all of the issues are within
the scope of CVE but the disclosures only marginally have enough
information to determine the correct number of CVE IDs. We did not want
to combine independent discoveries into the same CVE ID.

http://framework.zend.com/security/advisory/ZF2014-01

CVE-2014-2681 - This CVE is for the lack of protection against XML
External Entity injection attacks in some functions, because of the
incomplete fix in CVE-2012-5657. It appears that this only affects Zend
Framework 1.x, although that isn't critical to determining the number of
CVE IDs.

CVE-2014-2682 - This CVE is for the failure to consider that the
libxml_disable_entity_loader setting is shared among threads in the
PHP-FPM case. Again, the existence of this CVE means that the
CVE-2012-5657 fix was incomplete. It appears that this affects more than
just Zend Framework 1.x, although that isn't critical to determining the
number of CVE IDs.

CVE-2014-2683 - This CVE is for the lack of protection against XML Entity
Expansion attacks in some functions, because of the incomplete fix in
CVE-2012-6532. It appears that this also affects more than just Zend
Framework 1.x, although that isn't critical to determining the number of
CVE IDs.

http://framework.zend.com/security/advisory/ZF2014-02

CVE-2014-2684 - This CVE is for the error in the consumer's verify method
that leads to acceptance of wrongly sourced tokens. The same CVE is used
for Zend Framework 1.x and ZendOpenId 2.x, even though the code is not
identical.

CVE-2014-2685 - This CVE is for the specification violation in which
signing of a single parameter is incorrectly considered sufficient.
Again, this CVE is for both Zend Framework 1.x and ZendOpenId 2.x.

- --
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJTOjKAAAoJEKllVAevmvmsQTwH/jHloIXxpsbVGuNkGo7PyECc
jGOQJH24syG+P7camYEpTrLM2mz8OHALjaWlR1ySUI+pDhDWCqVy1JaxEFTjan+E
bFMPASXQIEqptEe25fERTaELcmyN7mhhCFKYejuInORd2fawL0OO4HuDiP8vjxyb
oKSCx4o/Le2A6L3q05VWVYvHFsZHSPTBQ1RwLmhiPPBk69b0BC0VP8rchgqU3IlK
g67b0x6v1x9WnNFa3Nr5eFtdYsuRS/8XYS6hbE5wX9cdZ04InO+fqX3EsXmygamI
X+tvKlm4u+CvJtNtTFOVPc7jJ4yLYD/x2ZZ7X+3a0dG+oJ+Z/C32wuOnxrKA0KQ=
=LGQc
-----END PGP SIGNATURE-----
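The three ZF2014-01 issues above (XXE, the process-wide libxml_disable_entity_loader flag under PHP-FPM, and entity expansion) share one defensive pattern: do not trust a global parser setting that another request in the same worker may have changed, and reject entity declarations outright. The following is an added illustration of that pattern, not code from Zend Framework or from the advisory; the function name loadXmlSafely and the two sample documents are constructed for the example.

```php
<?php
// Added example (not Zend Framework code): load untrusted XML without relying
// on the shared libxml_disable_entity_loader() state alone.

function loadXmlSafely(string $xml): DOMDocument
{
    // Guard 1: refuse any document that declares entities. This blocks external
    // entities (XXE) and internal entity expansion ("billion laughs") no matter
    // what the entity-loader flag was left at by a previous request in this
    // PHP-FPM worker.
    if (stripos($xml, '<!ENTITY') !== false) {
        throw new RuntimeException('XML documents with entity declarations are not accepted');
    }

    // Guard 2: disable the external entity loader only for this parse and
    // restore the previous value afterwards, so the function neither depends
    // on nor permanently alters the process-wide setting.
    $previousLoader = libxml_disable_entity_loader(true);
    $previousErrors = libxml_use_internal_errors(true);

    try {
        $doc = new DOMDocument();
        // LIBXML_NONET forbids network access during parsing. Deliberately do
        // NOT pass LIBXML_NOENT, which would substitute (expand) entities.
        if ($doc->loadXML($xml, LIBXML_NONET) === false) {
            throw new RuntimeException('XML parse error');
        }
        // Guard 3: belt and braces after parsing: if a DOCTYPE with entities
        // slipped past the textual check (e.g. unusual encoding), reject it.
        foreach ($doc->childNodes as $child) {
            if ($child->nodeType === XML_DOCUMENT_TYPE_NODE
                && $child->entities->length > 0) {
                throw new RuntimeException('XML documents with entity declarations are not accepted');
            }
        }
        return $doc;
    } finally {
        libxml_disable_entity_loader($previousLoader);
        libxml_use_internal_errors($previousErrors);
        libxml_clear_errors();
    }
}

// Constructed sample inputs for the demonstration.
$benign = '<?xml version="1.0"?><order><id>42</id></order>';
$withEntity = '<?xml version="1.0"?><!DOCTYPE d [<!ENTITY e "x">]><d>&e;</d>';

foreach ([$benign, $withEntity] as $sample) {
    try {
        $doc = loadXmlSafely($sample);
        echo "accepted: " . $doc->documentElement->tagName . "\n";
    } catch (RuntimeException $e) {
        echo "rejected: " . $e->getMessage() . "\n";
    }
}
```

Two design notes: the textual pre-check is cheap and catches expansion payloads before the parser allocates anything, and the try/finally restore is what keeps this call from becoming the next request's problem. On PHP 8.0 and later, libxml_disable_entity_loader() is deprecated because external entity loading is disabled by default with libxml 2.9+, so on those versions the pre-check and the post-parse DOCTYPE check carry the protection on their own.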
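For the ZF2014-02 pair (CVE-2014-2684 and CVE-2014-2685), the defensive counterpart is on the consumer side of OpenID 2.0: a positive assertion is only trustworthy if it comes from the OP endpoint obtained during discovery and if its signature covers the fields the specification requires (OpenID 2.0 section 10.1 lists op_endpoint, return_to, response_nonce and assoc_handle, plus claimed_id and identity when present). The following is an added example, not ZendOpenId or Zend_OpenId code; the flat "openid.*" parameter array, the endpoint string and the sample responses are constructed for illustration.

```php
<?php
// Added example (not Zend Framework code): two consumer-side checks on an
// OpenID 2.0 positive assertion, applied before any signature verification.

// Fields OpenID 2.0 section 10.1 requires the signature to cover.
const OPENID_REQUIRED_SIGNED = ['op_endpoint', 'return_to', 'response_nonce', 'assoc_handle'];

// Check 1: the assertion must originate from the OP endpoint we discovered
// for this identifier; a validly signed response from any other OP is a
// "wrongly sourced" token and must be rejected.
function assertionSourceIsValid(array $params, string $discoveredEndpoint): bool
{
    return isset($params['openid.op_endpoint'])
        && $params['openid.op_endpoint'] === $discoveredEndpoint;
}

// Check 2: the signed-field list must cover every required field. A response
// that signs only one parameter (say, return_to) fails this check.
function assertionSignatureCoversRequiredFields(array $params): bool
{
    if (empty($params['openid.signed'])) {
        return false;
    }
    $signed = array_map('trim', explode(',', $params['openid.signed']));
    foreach (OPENID_REQUIRED_SIGNED as $field) {
        if (!in_array($field, $signed, true)) {
            return false;
        }
    }
    // claimed_id and identity must be signed whenever they are present.
    foreach (['claimed_id', 'identity'] as $field) {
        if (isset($params['openid.' . $field]) && !in_array($field, $signed, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample responses; the endpoint below is a placeholder.
$discovered = 'https://op.example.test/server';

$good = [
    'openid.op_endpoint'    => 'https://op.example.test/server',
    'openid.return_to'      => 'https://rp.example.test/return',
    'openid.response_nonce' => '2014-03-31T23:33:23Zabc',
    'openid.assoc_handle'   => 'handle-1',
    'openid.claimed_id'     => 'https://user.example.test/',
    'openid.identity'       => 'https://user.example.test/',
    'openid.signed'         => 'op_endpoint,return_to,response_nonce,assoc_handle,claimed_id,identity',
];

$singleFieldSigned = $good;
$singleFieldSigned['openid.signed'] = 'return_to';

$wrongSource = $good;
$wrongSource['openid.op_endpoint'] = 'https://other-op.example.test/server';

foreach (['good' => $good, 'singleFieldSigned' => $singleFieldSigned, 'wrongSource' => $wrongSource] as $name => $resp) {
    $ok = assertionSourceIsValid($resp, $discovered) && assertionSignatureCoversRequiredFields($resp);
    echo $name . ': ' . ($ok ? 'accept for signature check' : 'reject') . "\n";
}
```

Both checks are deliberately placed before the HMAC or stateless check_authentication step: a signature that is cryptographically valid but covers the wrong fields, or comes from the wrong OP, proves nothing about the user's claimed identifier.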