Noted security announcement in CHANGELOG and README

zendframework · Sep 16, 2014 · e7bab70 · e7bab70
1 parent 98b4eff
commit e7bab70
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,20 @@
 # CHANGELOG
 
+## 2.3.3 (2014-09-16)
+
+- [6576: Custom barcode adapter wasn't being set in options](https://github.com/zendframework/zf2/pull/6576)
+- [6664: Use is_file to check for an uploaded file](https://github.com/zendframework/zf2/pull/6664)
+
+### SECURITY UPDATES
+
+- **ZF2014-05:** Due to an issue that existed in PHP's LDAP extension, it is
+  possible to perform an unauthenticated simple bind against a LDAP server by
+  using a null byte for the password, regardless of whether or not the user
+  normally requires a password. We have provided a patch in order to protect
+  users of unpatched PHP versions (PHP 5.5 <= 5.5.11, PHP 5.4 <= 5.4.27, all
+  versions of PHP 5.3 and below). If you use `Zend\Ldap` and are on an affected
+  version of PHP, we recommend upgrading immediately.
+
 ## 2.3.2 (2014-08-11)
 
 - [4747: Zend\Code\Generator\FileGenerator problem](https://github.com/zendframework/zf2/issues/4747)
@@ -460,6 +475,18 @@
 - [5943: Fixed route matcher test](https://github.com/zendframework/zf2/pull/5943)
 - [5951: Fix console mixed case optional value params](https://github.com/zendframework/zf2/pull/5951)
 
+## 2.2.8 (2014-09-16)
+
+### SECURITY UPDATES
+
+- **ZF2014-05:** Due to an issue that existed in PHP's LDAP extension, it is
+  possible to perform an unauthenticated simple bind against a LDAP server by
+  using a null byte for the password, regardless of whether or not the user
+  normally requires a password. We have provided a patch in order to protect
+  users of unpatched PHP versions (PHP 5.5 <= 5.5.11, PHP 5.4 <= 5.4.27, all
+  versions of PHP 5.3 and below). If you use `Zend\Ldap` and are on an affected
+  version of PHP, we recommend upgrading immediately.
+
 ## 2.2.7 (2014-04-15)
 
 ### SECURITY UPDATES

diff --git a/README.md b/README.md
@@ -17,6 +17,17 @@ DD MMM YYYY
 
 ### UPDATES IN 2.3.3
 
+**This release contains security updates:**
+
+- **ZF2014-05:** Due to an issue that existed in PHP's LDAP extension, it is
+  possible to perform an unauthenticated simple bind against a LDAP server by
+  using a null byte for the password, regardless of whether or not the user
+  normally requires a password. We have provided a patch in order to protect
+  users of unpatched PHP versions (PHP 5.5 <= 5.5.11, PHP 5.4 <= 5.4.27, all
+  versions of PHP 5.3 and below). If you use `Zend\Ldap` and are on an affected
+  version of PHP, we recommend upgrading immediately.
+
+
 Please see [CHANGELOG.md](CHANGELOG.md).
 
 ### SYSTEM REQUIREMENTS