Welcome to the Zend Framework 2.0 Release!
Zend Framework 2.0.8
This is the eighth maintenance release for the 2.0 series.
13 Mar 2013
UPDATES IN 2.0.8
Security fix: Query route
The query route was deprecated, as a replacement exists within the HTTP router itself. You can pass a "query" option to the assemble() method containing either the query string or an array of key-value pairs (note that the route name belongs in the options array, the second argument of assemble()):

    $url = $router->assemble(
        array(), // route parameters
        array(
            'name'  => 'foo',
            'query' => array(
                'page' => 3,
                'sort' => 'DESC',
            ),
            // or: 'query' => 'page=3&sort=DESC'
        )
    );

    // via URL helper/plugin:
    $rendererOrController->url('foo', array(), array('query' => $request->getQuery()));
Additionally, the merging of query parameters into the route match was removed to avoid potential security issues. Please use the query container of the request object instead.
For more information on the security vector, please see ZF2013-01.
Security fix: Better RNG support
The Zend\Math\Rand component generates random bytes using the OpenSSL or Mcrypt extensions when available, but otherwise falls back to PHP's mt_rand() function. All outputs from mt_rand() are predictable for the same PHP process if an attacker can brute force the seed, which can be done if the attacker has access to a random number output by mt_rand() or to the session ID (if generated without additional entropy sources). Zend Framework has revised the Zend\Math\Rand component to replace the mt_rand() fallback for OpenSSL/Mcrypt with Anthony Ferrara's RandomLib, incorporating an additional entropy source based on source code published by George Argyros. The new fallback collects entropy from numerous sources other than PHP's internal seed mechanism and extracts random bytes from the resulting mixed entropy pool.
For more information on this security vector, please see ZF2013-02.
Security fix: DB platform quoting
Zend\Db now emits notices when the affected quoting methods are used insecurely: Zend\Db Platform objects were fixed to use driver-level quoting when a driver is provided, and to raise an E_USER_NOTICE when it is not. A quoteTrustedValue() API was added for notice-free quoting of values the application already trusts. All userland quoting in Platform objects was fixed to handle a wider array of escapable characters.
For more information on this security vector, please see ZF2013-03.
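As an added example (not code from these release notes or from the Zend Framework project), the following script shows how an application can act on this change: it turns the new E_USER_NOTICE into an exception so that any remaining userland quoting fails loudly in tests, uses quoteTrustedValue() only for an application-generated value, and sends request input through a prepared statement. It assumes a ZF 2.0.8 autoloader at vendor/autoload.php and placeholder database settings in $dbConfig.

```php
<?php
// Added example; assumes the Zend Framework 2.0.8 autoloader is at this path.
require 'vendor/autoload.php';

use Zend\Db\Adapter\Adapter;
use Zend\Db\Adapter\Platform\Mysql;
use Zend\Db\Sql\Sql;

// Promote the E_USER_NOTICE raised by Platform quoting without a driver to an
// exception, so a code path that still relies on userland escaping is caught
// in tests and CI rather than silently producing a weakly escaped string.
set_error_handler(function ($errno, $errstr) {
    if ($errno === E_USER_NOTICE) {
        throw new RuntimeException('Insecure quoting detected: ' . $errstr);
    }
    return false; // hand every other error to the default handler
});

$platform = new Mysql(); // no driver attached: only userland escaping is possible

try {
    $platform->quoteValue("O'Reilly"); // 2.0.8: triggers E_USER_NOTICE
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}

// quoteTrustedValue() is notice-free; use it only for values the application
// itself produced (here a date it generated), never for request input.
echo $platform->quoteTrustedValue(date('Y-m-d')), PHP_EOL;

// For untrusted input, prefer a prepared statement: the value travels as a
// bound parameter and is never interpolated into the SQL text at all.
$dbConfig = array(            // placeholder connection settings
    'driver'   => 'Pdo_Mysql',
    'database' => 'DATABASE_NAME',
    'username' => 'DB_USER',
    'password' => 'DB_PASSWORD',
);
$email   = isset($_GET['email']) ? $_GET['email'] : '';
$adapter = new Adapter($dbConfig);
$sql     = new Sql($adapter);
$select  = $sql->select('users')->where(array('email' => $email));

// Yields: SELECT "users".* FROM "users" WHERE "email" = ?  (with $email bound)
$statement = $sql->prepareStatementForSqlObject($select);
$results   = $statement->execute();
```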
For the full list of changes in this release, please see CHANGELOG.md.
Zend Framework 2 requires PHP 5.3.3 or later; we recommend using the latest PHP version whenever possible.
For installation instructions, please see INSTALL.md.
If you wish to contribute to Zend Framework 2.0, please read both the CONTRIBUTING.md and README-GIT.md files.
QUESTIONS AND FEEDBACK
Online documentation can be found at http://framework.zend.com/manual. Questions that are not addressed in the manual should be directed to the appropriate mailing list:
If you find code in this release behaving in an unexpected manner or contrary to its documented behavior, please create an issue in our GitHub issue tracker:
If you would like to be notified of new releases, you can subscribe to the fw-announce mailing list by sending a blank message to email@example.com.
The files in this archive are released under the Zend Framework license. You can find a copy of this license in LICENSE.txt.
The Zend Framework team would like to thank all the contributors to the Zend Framework project, our corporate sponsor, and you, the Zend Framework user. Please visit us sometime soon at http://framework.zend.com.