Hi, CVE names have been assigned for these issues. The assignment is rather complicated. If you fix both issues in one upload it's ok to just mention that it addresses the 5 CVEs named below.
http://framework.zend.com/security/advisory/ZF2014-01

CVE-2014-2681 - This CVE is for the lack of protection against XML External Entity injection attacks in some functions, because of the incomplete fix in CVE-2012-5657. It appears that this only affects Zend Framework 1.x, although that isn't critical to determining the number of CVE IDs.

CVE-2014-2682 - This CVE is for the failure to consider that the libxml_disable_entity_loader setting is shared among threads in the PHP-FPM case. Again, the existence of this CVE means that the CVE-2012-5657 fix was incomplete. It appears that this affects more than just Zend Framework 1.x, although that isn't critical to determining the number of CVE IDs.

CVE-2014-2683 - This CVE is for the lack of protection against XML Entity Expansion attacks in some functions, because of the incomplete fix in CVE-2012-6532. It appears that this also affects more than just Zend Framework 1.x, although that isn't critical to determining the number of CVE IDs.

http://framework.zend.com/security/advisory/ZF2014-02

CVE-2014-2684 - This CVE is for the error in the consumer's verify method that leads to acceptance of wrongly sourced tokens. The same CVE is used for Zend Framework 1.x and ZendOpenId 2.x, even though the code is not identical.

CVE-2014-2685 - This CVE is for the specification violation in which signing of a single parameter is incorrectly considered sufficient. Again, this CVE is for both Zend Framework 1.x and ZendOpenId 2.x.

Cheers,
Thijs
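The point behind CVE-2014-2682 is that libxml_disable_entity_loader() is a process-wide flag, so under PHP-FPM one request's setting can leak into another's. The following is an added example, not Zend Framework's own code, of loading untrusted XML in a way that does not depend on that global: it rejects any DOCTYPE up front (the only place entities, external or expanding, can be declared), parses with LIBXML_NONET and without LIBXML_NOENT, and re-checks the parsed tree for entity declarations. The function name loadUntrustedXml is an assumption of this example.

```php
<?php
// Added example (not Zend Framework code): parse untrusted XML without
// relying on the process-global libxml_disable_entity_loader() flag,
// which is shared between requests under PHP-FPM.
function loadUntrustedXml(string $xml): DOMDocument
{
    // First gate: a DOCTYPE is the only way to declare entities, and an
    // untrusted document has no legitimate need for one. This blocks both
    // external entities (XXE) and internal entity expansion payloads.
    if (preg_match('/<!DOCTYPE/i', $xml)) {
        throw new RuntimeException('Refusing XML with a DOCTYPE declaration');
    }

    $previousErrors = libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    // LIBXML_NONET forbids network access while parsing; LIBXML_NOENT is
    // deliberately NOT passed, so entity references are never substituted.
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($previousErrors);

    if (!$ok) {
        $msg = isset($errors[0]) ? trim($errors[0]->message) : 'unknown error';
        throw new RuntimeException('XML parse failure: ' . $msg);
    }

    // Second gate, independent of the first: walk the parsed tree and reject
    // a document type node that declares any entity at all.
    foreach ($dom->childNodes as $node) {
        if ($node->nodeType === XML_DOCUMENT_TYPE_NODE
            && $node->entities !== null
            && $node->entities->length > 0) {
            throw new RuntimeException('Refusing XML that declares entities');
        }
    }
    return $dom;
}

// Constructed sample input: a harmless document parses, a document with a
// DOCTYPE (entity declarations) is rejected before libxml ever resolves it.
$safe = loadUntrustedXml('<?xml version="1.0"?><root><item>ok</item></root>');
echo $safe->documentElement->nodeName, "\n"; // root
try {
    loadUntrustedXml('<?xml version="1.0"?><!DOCTYPE r [<!ENTITY e "x">]><r>&e;</r>');
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n"; // Refusing XML with a DOCTYPE declaration
}
```

Because neither gate touches the libxml entity-loader flag, the check holds regardless of what another request in the same PHP-FPM worker has set it to.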