Based on https://github.com/zendframework/zend-form/releases/tag/release-2.2.8 (commit f4a3ac51a6301ed6b68183a835378417d231f78f in this repo)

**This release contains security updates:**

- **ZF2014-05:** Due to an issue that existed in PHP's LDAP extension, it is
  possible to perform an unauthenticated simple bind against a LDAP server by
  using a null byte for the password, regardless of whether or not the user
  normally requires a password. We have provided a patch in order to protect
  users of unpatched PHP versions (PHP 5.5 <= 5.5.11, PHP 5.4 <= 5.4.27, all
  versions of PHP 5.3 and below). If you use `Laminas\Ldap` and are on an affected
  version of PHP, we recommend upgrading immediately.
- **ZF2014-06:** A potential SQL injection vector existed when using a SQL
  Server adapter to manually quote values due to the fact that it was not
  escaping null bytes. Code was added to ensure null bytes are escaped, and
  thus mitigate the SQLi vector. We do not recommend manually quoting values,
  but if you do, and use the SQL Server adapter without PDO, we recommend
  upgrading immediately.