Message-Id: <20160716143058.3247F6C0D94@smtpvmsrv1.mitre.org>
Date: Sat, 16 Jul 2016 10:30:58 -0400 (EDT)
From: cve-assign@...re.org
To: carnil@...ian.org
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, taffit@...ian.org
Subject: Re: CVE Request: Zend Framework: Potential SQL injection in ORDER and GROUP statements of Zend_Db_Select

> The Zend Framework project released security advisory ZF2016-02 to
> address a potential SQL injection in ORDER and GROUP statements of
> Zend_Db_Select.

> https://github.com/zendframework/zf1/commit/bf3f40605be3d8f136a07ae991079a7dcb34d967
> https://framework.zend.com/security/advisory/ZF2016-02

>> This security fix can be considered as an improvement of the previous
>> ZF2014-04.

Use CVE-2016-6233. This vulnerability exists because of an incomplete
fix for CVE-2014-4914. (The CVE ID assignment for ZF2014-04 was in the
http://www.openwall.com/lists/oss-security/2014/07/11/4 post.)

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]