
List:       oss-security
Subject:    Re: [oss-security] CVE Request -- php-ZendFramework: XSS vectors in multiple Zend Framework componen
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2012-09-26 17:38:59
Message-ID: 50633DB3.6030305 () redhat ! com

On 09/26/2012 09:51 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
> 
> upstream ZendFramework 2.0.1 version corrected one occurrence of a
> cross-site scripting (XSS) flaw across multiple components
> (improper escaping of HTML, HTML attributes and / or URLs):
> [1] http://framework.zend.com/blog/zend-framework-2-0-1-released.html
> [2] http://framework.zend.com/security/advisory/ZF2012-03
> [3] https://bugzilla.redhat.com/show_bug.cgi?id=860738
> [4] https://bugs.gentoo.org/show_bug.cgi?id=436210
> 
> Relevant upstream patch:
> [5] https://github.com/zendframework/zf2/commit/27131ca9520bdf1d4c774c71459eba32f2b10733
>
> Could you allocate a CVE id for this?
> 
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team
> 
> P.S.: While the aforementioned upstream [5] patch is against the
> 2.0.1 branch, after backport it would be applicable also against
> ZendFramework 1 versions (relevant routines across the affected
> components - at least those I checked - have the same definition).
> 

Please use CVE-2012-4451 for this issue.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

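The advisory referenced in this thread concerns view output that was emitted without escaping appropriate to its context (HTML text, HTML attribute, URL). The following is an added illustration written for this archive page, not Zend Framework code and not the upstream patch: it shows the raw-interpolation pattern beside a version that escapes each value for the context it lands in, using only PHP built-ins. The function names and the attacker-controlled sample strings are constructed for the example.

```php
<?php
// Added illustration (not Zend Framework code): output escaping must match
// the context the value is rendered into. Sample payloads are constructed.

declare(strict_types=1);

// Escape for an HTML text node or a *quoted* HTML attribute value.
// ENT_QUOTES matters: without it, single-quoted attributes stay breakable.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Escape a value that becomes one query-string component of a URL.
function escapeUrlParam(string $s): string
{
    return rawurlencode($s);
}

// A URL placed into href/src needs more than HTML escaping: a
// "javascript:" or "data:" scheme survives htmlspecialchars untouched,
// so the scheme itself is checked and anything else is neutralised.
function safeHref(string $url): string
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), ['http', 'https'], true)) {
        return '#';
    }
    return escapeHtml($url);
}

// Vulnerable pattern: values interpolated raw into the markup.
function renderUnsafe(string $label, string $title, string $link, string $query): string
{
    return "<a href=\"$link?q=$query\" title=\"$title\">$label</a>";
}

// Hardened pattern: each value escaped for its own context.
function renderSafe(string $label, string $title, string $link, string $query): string
{
    $href = safeHref($link);
    if ($href !== '#') {
        // Append the query component only to a URL that passed the scheme check.
        $href = escapeHtml($link . '?q=' . escapeUrlParam($query));
    }
    return '<a href="' . $href . '" title="' . escapeHtml($title) . '">'
        . escapeHtml($label) . '</a>';
}

// Constructed attacker-controlled inputs, one per context.
$label = '<img src=x onerror=alert(1)>';   // breaks out of the text node
$title = '" onmouseover="alert(1)';        // breaks out of the attribute
$link  = 'javascript:alert(1)';            // hostile scheme, no markup at all
$query = 'a&b=<script>';                   // URL-unsafe characters

echo "unsafe: ", renderUnsafe($label, $title, $link, $query), PHP_EOL;
echo "safe:   ", renderSafe($label, $title, $link, $query), PHP_EOL;
echo "safe:   ", renderSafe('Home', 'Go home', 'https://example.invalid/', $query), PHP_EOL;
```

The unsafe line emits an executable `<img>` tag, a second event-handler attribute, and a `javascript:` link; the safe line renders all three as inert text, and the third call shows that a legitimate `https:` link with a properly encoded query survives the same treatment. The scheme check is the part HTML escaping alone never gives you, which is why URL context is listed separately from HTML and attribute context in the advisory.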