What's the "NEW ZEND FRAMEWORK 1 SECURITY VULNERABILITY"?

Enterprise Edition != Enterprise Cloud Edition

I assume Cloud Edition customers are either not affected by the exploit because they do not use sendmail or Magento changed the configuration for them:

We’ve already checked your configuration and you are not at risk.

The following holds true for CE 1.x as well as EE 1.x

If you use sendmail, do as suggested by Magento and configure the return path setting to "No". If you don't know if you use sendmail for emails, you probably use it, as it is the default.

Is "specified" secure?

I had a look at the core to see where this setting is used. The relevant code is in Mage_Core_Email_Template:

$setReturnPath = Mage::getStoreConfig(self::XML_PATH_SENDING_SET_RETURN_PATH);
switch ($setReturnPath) {
    case 1:
        $returnPathEmail = $this->getSenderEmail();
        break;
    case 2:
        $returnPathEmail = Mage::getStoreConfig(self::XML_PATH_SENDING_RETURN_PATH_EMAIL);
        break;
    default:
        $returnPathEmail = null;
        break;
}

(1) is "yes", (2) is "specified", and 0 (default) is "no"

The only setting where user input can be used, is "yes". So if you trust your shop admins with access to the system configuration, "specified" is okay too: it takes the address from a constant configured value.

There is one other occurence of the configuration, in Mage_Newsletter_Model_Template:

if (Mage::getStoreConfigFlag(Mage_Core_Model_Email_Template::XML_PATH_SENDING_SET_RETURN_PATH)) {
    $this->getMail()->setReturnPath($this->getTemplateSenderEmail());
}

Here, "specified" is treated the same way as "yes", but the newsletter sender email does not come from untrusted user input, so the same as above applies.

Magento 2.x

Currently, the "return path" setting is not used anywhere in Magento 2.

Here is a bug report: https://github.com/magento/magento2/issues/6146

Luckily, the bug has not been fixed yet, so Magento 2 without extensions is not affected by the exploit.