Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 10 Oct 2014 02:33:40 -0400 (EDT)
From: cve-assign@...re.org
To: mmcallis@...hat.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: Zend Framework ZF2014-05 and ZF2014-06

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> http://framework.zend.com/security/advisory/ZF2014-05

Use CVE-2014-8088 (for the issue in both Zend Framework 1.x and
Zend Framework 2.x).


> http://framework.zend.com/security/advisory/ZF2014-06

Use CVE-2014-8089 (for the issue in both Zend Framework 1.x and
Zend Framework 2.x).


> (For the ZF2014-05 advisory, the discussion in
> http://www.openwall.com/lists/oss-security/2014/06/09/2 may be helpful
> if needed.)

Our understanding is that ZF2014-05 is not closely related to the
http://www.openwall.com/lists/oss-security/2014/06/09/2 topic. That
June post is about incorrect use of the "empty" PHP library function,
an implementation error that (as far as we know) occurred only in
Horde. ZF2014-05 is about \0 characters, an implementation error that
occurred in Zend Framework and also in, for example, MantisBT (see the
http://openwall.com/lists/oss-security/2014/09/12/14 post).

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJUN3z9AAoJEKllVAevmvmsfhQIAMiuq6nl6+Xcr+o4xN3wL4Qi
fM9K5qyEAcIlrW8Q3F7Ec49wHkEsiCxD/cu3QRyyiY8R1kvm9rYt4paCyThSh+qU
2VRNnJdwMsZ8aXfJQVOE1fZvCmzay4vIlQdarTGhG7DhqEIaNehx+3QoueJEJ9qR
5AWEybnQdo5pTS9rqowTja2jy/9/QlAETk5Q7ASlcWGQx+JHVsNjtWn6N8rhb0eq
4iQfCDzijH2MfaeX/ydNl0CULmuWIzvYvsJ1kx3V3PH1fZZzF/PQLU1meDVqCg+z
p3xAP6+uwyOUZEdRQKsP+a0XkcTfd0sa5QaTkoGJIIjgUvywsR1bsC5/NUxa94Q=
=PYAP
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.