It was found that `Zend\Crypt\PublicKey\Rsa\PublicKey` has a call to `openssl_public_encrypt()`, which uses PHP's default `$padding` argument, which specifies `OPENSSL_PKCS1_PADDING`, indicating usage of PKCS1v1.5 padding. This padding has a known vulnerability, the Bleichenbacher's chosen-ciphertext attack, that can be used to recover an RSA private key.
This is now public: http://framework.zend.com/security/advisory/ZF2015-10
Created php-ZendFramework2 tracking bugs for this issue: Affects: fedora-all [bug 1289317] Affects: epel-all [bug 1289318]
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.