Based on https://github.com/zendframework/zend-form/releases/tag/release-2.1.6 (commit bca1bcf8a706493514254dc24d661f4b168e2a67 in this repo)

====================

- **ZF2014-01:** Potential XXE/XEE attacks using PHP functions:
  `simplexml_load_*`, `DOMDocument::loadXML`, and `xml_parse`. A new component,
  `laminas-xml`, was introduced to mitigate XML eXternal Entity and XML Entity
  Expansion vectors that are present in older versions of libxml2 and/or PHP.
  `Laminas\Json\Json::fromXml()` and `Laminas\XmlRpc`'s `Response` and `Fault` classes
  were potentially vulnerable to these attacks. If you use either of these
  components, we recommend upgrading immediately.