oss-sec mailing list archives

Re: CVE request: Zend Framework ZF2014-05 and ZF2014-06


From: cve-assign () mitre org
Date: Fri, 10 Oct 2014 02:33:40 -0400 (EDT)


http://framework.zend.com/security/advisory/ZF2014-05

Use CVE-2014-8088 (for the issue in both Zend Framework 1.x and
Zend Framework 2.x).


http://framework.zend.com/security/advisory/ZF2014-06

Use CVE-2014-8089 (for the issue in both Zend Framework 1.x and
Zend Framework 2.x).


(For the ZF2014-05 advisory, the discussion in
http://www.openwall.com/lists/oss-security/2014/06/09/2 may be helpful
if needed.)

Our understanding is that ZF2014-05 is not closely related to the
http://www.openwall.com/lists/oss-security/2014/06/09/2 topic. That
June post is about incorrect use of the "empty" PHP library function,
an implementation error that (as far as we know) occurred only in
Horde. ZF2014-05 is about \0 characters, an implementation error that
occurred in Zend Framework and also in, for example, MantisBT (see the
http://openwall.com/lists/oss-security/2014/09/12/14 post).

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]

