oss-sec mailing list archives
Re: Zend Framework CVEs
From: Moritz Muehlenhoff <jmm () debian org>
Date: Wed, 9 Jul 2014 07:16:31 +0200
On Tue, Jul 08, 2014 at 04:52:46PM -0600, Kurt Seifried wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> As I understand Zend it's a BSD style license, so Open Source, so posting here, CC'ing upstream and Mitre.
>
> Can we please get CVE's for:
>
> http://framework.zend.com/security/advisory/ZF2014-04
> ZF2014-04: Potential SQL injection in the ORDER implementation of Zend_Db_Select
>
> http://framework.zend.com/security/advisory/ZF2014-03
> ZF2014-03: Potential XSS vector in multiple view helpers
These two still need CVE IDs.
> http://framework.zend.com/security/advisory/ZF2014-02
> ZF2014-02: Potential security issue in login mechanism of ZendOpenId and Zend_OpenId consumer
That's CVE-2014-2684 and CVE-2014-2685
> http://framework.zend.com/security/advisory/ZF2014-01
> ZF2014-01: Potential XXE/XEE attacks using PHP functions: simplexml_load_*, DOMDocument::loadXML, and xml_parse
That's CVE-2014-2681, CVE-2014-2682 and CVE-2014-2683

Cheers,
Moritz