Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 9 Jul 2014 07:16:31 +0200
From: Moritz Muehlenhoff <jmm@...ian.org>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org, zf-security@...d.com
Subject: Re: Zend Framework CVEs

On Tue, Jul 08, 2014 at 04:52:46PM -0600, Kurt Seifried wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> As I understand Zend it's a BSD style license, so Open Source, so
> posting here, CC'ing upstream and Mitre. Can we please get CVE's for:
> 
> http://framework.zend.com/security/advisory/ZF2014-04
> ZF2014-04: Potential SQL injection in the ORDER implementation of
> Zend_Db_Select
> 
> http://framework.zend.com/security/advisory/ZF2014-03
> ZF2014-03: Potential XSS vector in multiple view helpers

These two still need CVE IDs.
 
> http://framework.zend.com/security/advisory/ZF2014-02
> ZF2014-02: Potential security issue in login mechanism of ZendOpenId
> and Zend_OpenId consumer

That's CVE-2014-2684 and CVE-2014-2685
 
> http://framework.zend.com/security/advisory/ZF2014-01
> ZF2014-01: Potential XXE/XEE attacks using PHP functions:
> simplexml_load_*, DOMDocument::loadXML, and xml_parse

That's CVE-2014-2681, CVE-2014-2682 and CVE-2014-2683

Cheers,
        Moritz

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ