Message-ID: <20140709051631.GA22935@inutil.org>
Date: Wed, 9 Jul 2014 07:16:31 +0200
From: Moritz Muehlenhoff <jmm@...ian.org>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org, zf-security@...d.com
Subject: Re: Zend Framework CVEs

On Tue, Jul 08, 2014 at 04:52:46PM -0600, Kurt Seifried wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> As I understand Zend it's a BSD-style license, so Open Source, so
> posting here, CC'ing upstream and Mitre. Can we please get CVEs for:
> 
> http://framework.zend.com/security/advisory/ZF2014-04
> ZF2014-04: Potential SQL injection in the ORDER implementation of
> Zend_Db_Select
> 
> http://framework.zend.com/security/advisory/ZF2014-03
> ZF2014-03: Potential XSS vector in multiple view helpers

These two still need CVE IDs.
 
> http://framework.zend.com/security/advisory/ZF2014-02
> ZF2014-02: Potential security issue in login mechanism of ZendOpenId
> and Zend_OpenId consumer

That's CVE-2014-2684 and CVE-2014-2685
 
> http://framework.zend.com/security/advisory/ZF2014-01
> ZF2014-01: Potential XXE/XEE attacks using PHP functions:
> simplexml_load_*, DOMDocument::loadXML, and xml_parse

That's CVE-2014-2681, CVE-2014-2682 and CVE-2014-2683

Cheers,
        Moritz
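Added illustration, not part of this e-mail thread and not taken from the Zend Framework advisories or from the fix Zend shipped: the advisory title for ZF2014-01 names simplexml_load_*, DOMDocument::loadXML and xml_parse, and the PHP below shows the XXE class of problem those calls are prone to and one common hardening. The XML input is constructed, and the function names parseUnsafe/parseSafe are hypothetical.

```php
<?php
// Added example: XXE via SimpleXML and a hardened loader.
// Not code from the e-mail above or from Zend Framework.

// Constructed attacker-controlled document: the internal DTD subset declares
// an external entity that points at a local file.
$untrusted = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/hostname"> ]>
<root><name>&xxe;</name></root>
XML;

// Vulnerable pattern (hypothetical name): LIBXML_NOENT asks libxml2 to
// substitute entities, so the referenced file's contents end up in
// $doc->name. On PHP < 8.0 the external entity loader is also enabled
// by default, so the SYSTEM identifier is actually fetched.
function parseUnsafe(string $xml): ?SimpleXMLElement
{
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
    return $doc === false ? null : $doc;
}

// Hardened pattern (hypothetical name): refuse any document that carries a
// DOCTYPE, which is where entity declarations live (this also blocks
// entity-expansion "XEE" payloads), never pass LIBXML_NOENT, forbid network
// access with LIBXML_NONET, and on PHP < 8.0 switch off the external entity
// loader for the duration of the parse. PHP 8 disables that loader by default.
function parseSafe(string $xml): ?SimpleXMLElement
{
    if (stripos($xml, '<!DOCTYPE') !== false) {
        throw new InvalidArgumentException('DOCTYPE declarations are not accepted');
    }

    $prevLoader = null;
    if (PHP_VERSION_ID < 80000) {
        $prevLoader = libxml_disable_entity_loader(true);
    }
    $prevErrors = libxml_use_internal_errors(true);
    try {
        $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    } finally {
        libxml_use_internal_errors($prevErrors);
        if ($prevLoader !== null) {
            libxml_disable_entity_loader($prevLoader);
        }
    }
    return $doc === false ? null : $doc;
}

// Usage: the constructed payload is rejected before libxml2 ever sees it.
try {
    parseSafe($untrusted);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// A benign document without a DOCTYPE parses normally.
$benign = '<root><name>ok</name></root>';
echo (string) parseSafe($benign)->name, PHP_EOL;
```

The DOCTYPE check is a coarse but effective gate for applications that never need DTDs; an application that must accept DTDs should instead parse into DOMDocument without LIBXML_NOENT/LIBXML_DTDLOAD and inspect `$dom->doctype` before trusting the tree.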
