Zend Framework 2.4.11

@weierophinney released this Dec 20, 2016 · 138 commits to master since this release

SECURITY UPDATES

  • ZF2016-04: zend-mail contained a potential remote code execution vector via the Sendmail transport adapter when From addresses whose local part contained escape sequences were present. This release adds additional validation and filtering of these addresses to prevent the vulnerability.

Zend Framework 3.0.0

@weierophinney released this Jun 28, 2016 · 2 commits to master since this release

  • Read the migration documentation.
  • Read the recommended quick start.
  • Marks the package as a Composer metapackage; this means the package itself
    will not be installed, only the requirements it defines.
  • Updates the minimum supported PHP version to 5.6.
  • Updates all components to latest versions, including v3 releases where
    present. Also adds the following components:
    • zend-mvc-console
    • zend-mvc-plugins
    • zend-mvc-form
    • zend-mvc-i18n
    • zend-json-server
    • zend-xml2json
    • zend-diactoros
    • zend-stratigility
    • zend-psr7bridge
    • zend-hydrator
    • zend-servicemanager-di
  • Removes all bin/* scripts.

Zend Framework 2.4.10

@weierophinney released this May 9, 2016 · 138 commits to master since this release

  • Fix HeaderValue throwing an exception on legal characters

Zend Framework 2.5.3

@weierophinney released this Jan 27, 2016 · 29 commits to master since this release

  • #7665 updates component version constraints from ~2.5.0 to ^2.5 to ensure the latest security updates are always installed.

Zend Framework 2.4.9

@weierophinney released this Nov 23, 2015 · 138 commits to master since this release

SECURITY UPDATES

  • ZF2015-09: Zend\Captcha\Word generates a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. Prior to this vulnerability announcement, the selection was performed using PHP's internal array_rand() function. This function does not generate sufficient entropy because it relies on rand() instead of cryptographically secure methods such as openssl_random_pseudo_bytes(). This could potentially lead to information disclosure should an attacker be able to brute force the random number generation. This release contains a patch that replaces the array_rand() calls with Zend\Math\Rand::getInteger(), which provides a better RNG.
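    The change described above, as an added illustration (not zend-captcha's own code): the same word-building loop written once over array_rand() and once over Zend\Math\Rand::getInteger(). The character set and word length are assumed values.

```php
<?php
// Added illustration of the ZF2015-09 change, not code from Zend\Captcha\Word.
use Zend\Math\Rand;

// Assumed character set and word length for the CAPTCHA challenge.
$charset = 'abcdefghijklmnopqrstuvwxyz';
$length  = 8;

/**
 * Pre-patch approach: array_rand() draws from PHP's rand(), whose output is
 * predictable, so the generated word can be brute forced by an observer.
 */
function weakWord($charset, $length)
{
    $letters = str_split($charset);
    $word = '';
    for ($i = 0; $i < $length; $i++) {
        $word .= $letters[array_rand($letters)];
    }
    return $word;
}

/**
 * Patched approach: Zend\Math\Rand::getInteger() is backed by a CSPRNG, so each
 * index is drawn uniformly and independently from [0, strlen($charset) - 1].
 */
function strongWord($charset, $length)
{
    $max  = strlen($charset) - 1;
    $word = '';
    for ($i = 0; $i < $length; $i++) {
        $word .= $charset[Rand::getInteger(0, $max)];
    }
    return $word;
}

echo strongWord($charset, $length), PHP_EOL;
```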

  • ZF2015-10: Zend\Crypt\PublicKey\Rsa\PublicKey has a call to openssl_public_encrypt() which used PHP's default $padding argument, which specifies OPENSSL_PKCS1_PADDING, indicating usage of PKCS1v1.5 padding. This padding has a known vulnerability, Bleichenbacher's chosen-ciphertext attack, which can be used to recover an RSA private key. This release contains a patch that changes the padding argument to use OPENSSL_PKCS1_OAEP_PADDING.

    Users upgrading to this version may have issues decrypting previously stored values, due to the change in padding. If this occurs, you can pass the constant OPENSSL_PKCS1_PADDING to a new $padding argument in Zend\Crypt\PublicKey\Rsa::encrypt() and decrypt() (though typically this should only apply to the latter):

    $decrypted = $rsa->decrypt($data, $key, $mode, OPENSSL_PKCS1_PADDING);

    where $rsa is an instance of Zend\Crypt\PublicKey\Rsa.

    (The $key and $mode argument defaults are null and Zend\Crypt\PublicKey\Rsa::MODE_AUTO, if you were not using them previously.)
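    One way to handle the migration described above, as an added example (not zend-crypt's own code): try OAEP first, fall back to OPENSSL_PKCS1_PADDING only for values stored before the upgrade, and re-encrypt those under OAEP so the legacy path can be retired. It assumes $rsa is an already-configured Zend\Crypt\PublicKey\Rsa instance holding the private key, and that decrypt() signals a padding failure by throwing an exception.

```php
<?php
// Added example for migrating stored ciphertexts after ZF2015-10; not zend-crypt's code.
use Zend\Crypt\PublicKey\Rsa;

/**
 * Decrypt a stored value, preferring the new OAEP default and falling back to the
 * pre-2.4.9/2.5.2 PKCS1 v1.5 padding only when OAEP rejects the ciphertext.
 * Returns array(plaintext, wasLegacy).
 *
 * @param Rsa    $rsa        configured instance (construction assumed elsewhere)
 * @param string $ciphertext value as previously returned by $rsa->encrypt()
 */
function decryptWithFallback(Rsa $rsa, $ciphertext)
{
    try {
        // $key defaults to null, $mode to Rsa::MODE_AUTO (as noted in the release).
        $plain = $rsa->decrypt($ciphertext, null, Rsa::MODE_AUTO, OPENSSL_PKCS1_OAEP_PADDING);
        return array($plain, false);
    } catch (\Exception $e) {
        // Assumption: decrypt() throws when OpenSSL reports a padding/decryption error.
        // A failure under OAEP means the value was written with the old default padding.
        $plain = $rsa->decrypt($ciphertext, null, Rsa::MODE_AUTO, OPENSSL_PKCS1_PADDING);
        return array($plain, true);
    }
}

/**
 * Return a ciphertext that is guaranteed to use OAEP: legacy values are decrypted
 * with the fallback and re-encrypted; values already under OAEP pass through.
 * Run this over stored records once, then drop the PKCS1 fallback entirely.
 */
function migrateToOaep(Rsa $rsa, $ciphertext)
{
    list($plain, $wasLegacy) = decryptWithFallback($rsa, $ciphertext);
    if (!$wasLegacy) {
        return $ciphertext; // already OAEP, nothing to rewrite
    }
    return $rsa->encrypt($plain, null, Rsa::MODE_AUTO, OPENSSL_PKCS1_OAEP_PADDING);
}
```

    Because the fallback keeps the PKCS1 v1.5 decryption path reachable, treat it as a transition step only and remove it once every stored value has been rewritten.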

Zend Framework 2.4.8

@weierophinney released this Sep 15, 2015 · 138 commits to master since this release

Zend Framework 2.5.2

@weierophinney released this Aug 3, 2015 · 32 commits to master since this release

SECURITY UPDATES

  • ZF2015-06: ZendXml runs a heuristic detection for XML Entity Expansion and XML eXternal Entity vectors when under php-fpm, because threading issues in libxml prevent the use of that library's built-in mechanisms for disabling them. However, the heuristic was determined to be faulty when multibyte encodings are used for the XML. This release contains a patch to ensure that the heuristic will work with multibyte encodings.

    If you use Zend Framework components that utilize DOMDocument or SimpleXML (which includes Zend\XmlRpc, Zend\Soap, Zend\Feed, and several others), and deploy using php-fpm in production (or plan to), we recommend upgrading immediately.

Zend Framework 2.4.6

@weierophinney released this Aug 3, 2015 · 138 commits to master since this release

SECURITY UPDATES

  • ZF2015-06: ZendXml runs a heuristic detection for XML Entity Expansion and XML eXternal Entity vectors when under php-fpm, because threading issues in libxml prevent the use of that library's built-in mechanisms for disabling them. However, the heuristic was determined to be faulty when multibyte encodings are used for the XML. This release contains a patch to ensure that the heuristic will work with multibyte encodings.

    If you use Zend Framework components that utilize DOMDocument or SimpleXML (which includes Zend\XmlRpc, Zend\Soap, Zend\Feed, and several others), and deploy using php-fpm in production (or plan to), we recommend upgrading immediately.
