======================================================
Name: CVE-2012-3363
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3363
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20120614
Category:
Reference: MLIST:[oss-security] 20120626 Re: XXE in Zend
Reference: URL:http://www.openwall.com/lists/oss-security/2012/06/26/4
Reference: MLIST:[oss-security] 20120626 XXE in Zend
Reference: URL:http://www.openwall.com/lists/oss-security/2012/06/26/2
Reference: MLIST:[oss-security] 20120627 Re: XXE in Zend
Reference: URL:http://www.openwall.com/lists/oss-security/2012/06/27/2
Reference: MISC:https://www.sec-consult.com/files/20120626-0_zend_framework_xxe_injection.txt
Reference: CONFIRM:http://framework.zend.com/security/advisory/ZF2012-01
Reference: DEBIAN:DSA-2505
Reference: URL:http://www.debian.org/security/2012/dsa-2505

Zend_XmlRpc in Zend Framework 1.x before 1.11.12 and 1.12.x before 1.12.0 does not properly handle SimpleXMLElement classes, which allows remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, aka an XML external entity (XXE) injection attack.
======================================================
Name: CVE-2012-6531
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6531
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130213
Category:
Reference: MLIST:[oss-security] 20120626 Re: XXE in Zend
Reference: URL:http://www.openwall.com/lists/oss-security/2012/06/26/4
Reference: MLIST:[oss-security] 20120626 XXE in Zend
Reference: URL:http://www.openwall.com/lists/oss-security/2012/06/26/2
Reference: MLIST:[oss-security] 20120627 Re: XXE in Zend
Reference: URL:http://www.openwall.com/lists/oss-security/2012/06/27/2
Reference: MISC:https://www.sec-consult.com/files/20120626-0_zend_framework_xxe_injection.txt
Reference: CONFIRM:http://framework.zend.com/security/advisory/ZF2012-01
Reference: DEBIAN:DSA-2505
Reference: URL:http://www.debian.org/security/2012/dsa-2505

(1) Zend_Dom, (2) Zend_Feed, and (3) Zend_Soap in Zend Framework 1.x before 1.11.13 and 1.12.x before 1.12.0 do not properly handle SimpleXMLElement classes, which allow remote attackers to read arbitrary files or create TCP connections via an external entity reference in a DOCTYPE element in an XML-RPC request, aka an XML external entity (XXE) injection attack, a different vulnerability than CVE-2012-3363.

======================================================
Name: CVE-2012-6532
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6532
Final-Decision:
Interim-Decision:
Modified:
Proposed:
Assigned: 20130213
Category:
Reference: CONFIRM:http://framework.zend.com/security/advisory/ZF2012-02

(1) Zend_Dom, (2) Zend_Feed, (3) Zend_Soap, and (4) Zend_XmlRpc in Zend Framework 1.x before 1.11.13 and 1.12.x before 1.12.0 allow remote attackers to cause a denial of service (CPU consumption) via recursive or circular references in an XML entity definition in an XML DOCTYPE declaration, aka an XML Entity Expansion (XEE) attack.
We already have 1.12.1.
Status: NEW => RESOLVED
CC: (none) => luigiwalser
Resolution: (none) => INVALID