[ZF2015-01] Added security blurb to README and CHANGELOG

- Includes 2.2.9 changelog as well
basz · Jan 14, 2015 · 18534b6 · 18534b6
1 parent 037c62b
commit 18534b6
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,18 @@
 # CHANGELOG
 
+## 2.3.4 (2015-01-14)
+
+### SECURITY UPDATES
+
+- **ZF2015-01:** Session validators were not run if set before session start.
+  Essentially, the validators were writing to the `$_SESSION` superglobal before
+  session start, which meant the data was overwritten once the session began.
+  This meant on subsequent calls, the validators had no data to compare against,
+  making the sessions automatically valid. We have provided patches to ensure
+  that validators are run only after the session has begun, which will ensure
+  they validate sessions correctly going forward. If you use `Zend\Session`
+  validators, we recommend upgrading immediately.
+
 ## 2.3.3 (2014-09-17)
 
 - [6576: Custom barcode adapter wasn't being set in options](https://github.com/zendframework/zf2/pull/6576)
@@ -481,6 +494,19 @@
 - [5943: Fixed route matcher test](https://github.com/zendframework/zf2/pull/5943)
 - [5951: Fix console mixed case optional value params](https://github.com/zendframework/zf2/pull/5951)
 
+## 2.2.9 (2015-01-14)
+
+### SECURITY UPDATES
+
+- **ZF2015-01:** Session validators were not run if set before session start.
+  Essentially, the validators were writing to the `$_SESSION` superglobal before
+  session start, which meant the data was overwritten once the session began.
+  This meant on subsequent calls, the validators had no data to compare against,
+  making the sessions automatically valid. We have provided patches to ensure
+  that validators are run only after the session has begun, which will ensure
+  they validate sessions correctly going forward. If you use `Zend\Session`
+  validators, we recommend upgrading immediately.
+
 ## 2.2.8 (2014-09-17)
 
 ### SECURITY UPDATES

diff --git a/README.md b/README.md
@@ -19,6 +19,17 @@ DD MMM YYYY
 
 ### UPDATES IN 2.3.4
 
+This release contains security fixes:
+
+- **ZF2015-01:** Session validators were not run if set before session start.
+  Essentially, the validators were writing to the `$_SESSION` superglobal before
+  session start, which meant the data was overwritten once the session began.
+  This meant on subsequent calls, the validators had no data to compare against,
+  making the sessions automatically valid. We have provided patches to ensure
+  that validators are run only after the session has begun, which will ensure
+  they validate sessions correctly going forward. If you use `Zend\Session`
+  validators, we recommend upgrading immediately.
+
 Please see [CHANGELOG.md](CHANGELOG.md).
 
 ### SYSTEM REQUIREMENTS