Date: Fri, 10 Oct 2014 02:33:40 -0400 (EDT)
From: cve-assign@...re.org
To: mmcallis@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: Zend Framework ZF2014-05 and ZF2014-06

> http://framework.zend.com/security/advisory/ZF2014-05

Use CVE-2014-8088 (for the issue in both Zend Framework 1.x and Zend
Framework 2.x).

> http://framework.zend.com/security/advisory/ZF2014-06

Use CVE-2014-8089 (for the issue in both Zend Framework 1.x and Zend
Framework 2.x).

> (For the ZF2014-05 advisory, the discussion in
> http://www.openwall.com/lists/oss-security/2014/06/09/2 may be helpful
> if needed.)

Our understanding is that ZF2014-05 is not closely related to the
http://www.openwall.com/lists/oss-security/2014/06/09/2 topic. That
June post is about incorrect use of the "empty" PHP library function,
an implementation error that (as far as we know) occurred only in
Horde. ZF2014-05 is about \0 characters, an implementation error that
occurred in Zend Framework and also in, for example, MantisBT (see the
http://openwall.com/lists/oss-security/2014/09/12/14 post).

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]