
Welcome to the Zend Framework 2.0 Release!

Master: Build Status Develop: Build Status


Zend Framework 2.0.8

This is the eighth maintenance release for the 2.0 series.

13 Mar 2013


Security fix: Query route

The query route was deprecated, as a replacement exists within the HTTP router itself. You can pass a "query" option to the assemble method containing either the query string or an array of key-value pairs:

// Assemble a URL for the route named 'foo' and append a query string.
$url = $router->assemble(array(
    'name' => 'foo',
), array(
    'query' => array(
        'page' => 3,
        'sort' => 'DESC',
    ),
    // or: 'query' => 'page=3&sort=DESC'
));

// via URL helper/plugin:
$rendererOrController->url('foo', array(), array('query' => $request->getQuery()));

Additionally, the merging of query parameters into the route match was removed to avoid potential security issues. Please use the query container of the request object instead.
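Added example (not code from the Zend Framework README) showing the replacement pattern: query parameters are read from the request's query container and validated, and links are assembled with the "query" option instead of string concatenation. It assumes a ZF2 2.0.8 application with a route named 'foo' and a controller extending AbstractActionController; the route name, controller and accepted sort values are assumptions.

```php
<?php
// Added example, not part of the Zend Framework README. Assumes a ZF2 2.0.8
// application with a route named 'foo' (hypothetical).
namespace Application\Controller;

use Zend\Mvc\Controller\AbstractActionController;

class ListController extends AbstractActionController
{
    // Only these sort directions are accepted; anything else falls back to ASC.
    private static $allowedSort = array('ASC', 'DESC');

    public function indexAction()
    {
        // Before 2.0.8 the query string was merged into the route match, so
        // user-controlled values could be read through the match, e.g.
        //   $page = $this->params()->fromRoute('page');
        // Since 2.0.8 the route match holds only what the route itself
        // produced; query parameters come from the request's query container.
        $query = $this->getRequest()->getQuery();

        $page = (int) $query->get('page', 1);
        if ($page < 1) {
            $page = 1;
        }

        $sort = strtoupper((string) $query->get('sort', 'ASC'));
        if (!in_array($sort, self::$allowedSort, true)) {
            $sort = 'ASC';
        }

        // Build the "next page" link with the query option so the router
        // encodes the values rather than concatenating them by hand.
        $nextUrl = $this->url()->fromRoute('foo', array(), array(
            'query' => array('page' => $page + 1, 'sort' => $sort),
        ));

        return array('page' => $page, 'sort' => $sort, 'nextUrl' => $nextUrl);
    }
}
```

The point of the whitelist on sort is that query input no longer influences routing, but it still reaches application code unvalidated; the controller is where it is constrained.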

For more information on the security vector, please see ZF2013-01.

Security fix: Better RNG support

The Zend\Math\Rand component generates random bytes using the OpenSSL or Mcrypt extensions when available, but otherwise falls back to PHP's mt_rand() function. All output from mt_rand() is predictable for the same PHP process if an attacker can brute-force the seed, which is possible if the attacker has access to a random number generated by mt_rand() or to the session ID (if it was generated without using additional entropy).

Zend Framework has revised the Zend\Math\Rand component to replace the mt_rand() fallback for OpenSSL/Mcrypt with Anthony Ferrara's RandomLib, incorporating an additional entropy source based on source code published by George Argyros. The new fallback collects entropy from numerous sources other than PHP's internal seed mechanism and extracts random bytes from the resulting mixed entropy pool.
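Added example (not code from the Zend Framework README or from RandomLib) illustrating why the mt_rand() fallback was a problem and how to request strong randomness from Zend\Math\Rand. It assumes ZF2 2.0.8 autoloading so that Zend\Math\Rand is available; the seed value, token length and character list are constructed for illustration.

```php
<?php
// Added example, not part of the Zend Framework README. Assumes ZF2 2.0.8
// autoloading (Zend\Math\Rand available).
use Zend\Math\Rand;

// mt_rand() is a deterministic generator: the same seed yields the same
// sequence, so anyone who recovers the seed reproduces every value drawn
// from it. This is the weakness the 2.0.8 fallback removes.
function mtRandIsDeterministic()
{
    mt_srand(12345);                                  // constructed seed
    $first = array(mt_rand(), mt_rand(), mt_rand());
    mt_srand(12345);
    $second = array(mt_rand(), mt_rand(), mt_rand());
    return $first === $second;                        // true
}

// Security-sensitive values (CSRF tokens, password-reset tokens) should be
// drawn with $strong = true. In 2.0.8 the source behind this call is
// OpenSSL, Mcrypt, or RandomLib's mixed entropy pool, never mt_rand().
function generateResetToken()
{
    // 32 bytes of output, hex-encoded so it is safe to place in a URL.
    return bin2hex(Rand::getBytes(32, true));
}

// Rand::getString() draws from the same source; useful for a short code a
// user types in. The alphabet omits easily confused characters (I, O, 0, 1).
function generateOneTimeCode()
{
    return Rand::getString(8, '23456789ABCDEFGHJKLMNPQRSTUVWXYZ', true);
}
```

Passing $strong = true asks the component for cryptographically strong bytes; leaving it at the default is acceptable only for values that carry no security meaning, such as shuffling display order.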

For more information on this security vector, please see ZF2013-02.

Security fix: DB platform quoting

Altered Zend\Db to throw notices when the following methods are called in an insecure way:

  • Zend\Db\Adapter\Platform\*::quoteValue*()
  • Zend\Db\Sql\*::getSqlString*()

Fixed Zend\Db Platform objects to use driver level quoting when provided, and throw E_USER_NOTICE when not provided. Added quoteTrustedValue() API for notice-free value quoting. Fixed all userland quoting in Platform objects to handle a wider array of escapable characters.
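Added example (not code from the Zend Framework README) contrasting the three quoting paths described above: parameter binding through a prepared statement, string rendering via getSqlString() that now triggers the notice when driver-level quoting is unavailable, and quoteTrustedValue() for values the application produced itself. It assumes a ZF2 2.0.8 Zend\Db\Adapter\Adapter instance and a users table with email and status columns, all of which are assumptions.

```php
<?php
// Added example, not part of the Zend Framework README. Assumes a ZF2 2.0.8
// Zend\Db\Adapter\Adapter and a hypothetical 'users' table.
use Zend\Db\Adapter\Adapter;
use Zend\Db\Sql\Sql;

// Preferred: bind request input through a prepared statement. No value is
// quoted in PHP; it travels to the database as a parameter.
function findUserByEmail(Adapter $adapter, $email)
{
    $sql    = new Sql($adapter);
    $select = $sql->select('users')->where(array('email' => $email));

    $statement = $sql->prepareStatementForSqlObject($select);
    return $statement->execute()->current();
}

// Discouraged for request input: rendering the query to a string quotes the
// value in userland. In 2.0.8 this raises E_USER_NOTICE when the platform
// cannot delegate quoting to the driver, signalling that the prepared form
// above should be used instead.
function renderSelectAsString(Adapter $adapter, $email)
{
    $sql    = new Sql($adapter);
    $select = $sql->select('users')->where(array('email' => $email));
    return $select->getSqlString($adapter->getPlatform());
}

// quoteTrustedValue() is notice-free and intended for values that originate
// in application code. Here 'active' is a literal chosen by the developer,
// not something read from the request.
function activeUsersQuery(Adapter $adapter)
{
    $platform = $adapter->getPlatform();
    return 'SELECT * FROM ' . $platform->quoteIdentifier('users')
         . ' WHERE status = ' . $platform->quoteTrustedValue('active');
}
```

A reasonable review rule after upgrading: treat every new E_USER_NOTICE from quoteValue() or getSqlString() in logs as a place where a value of unknown origin is being interpolated, and either move it into a bound parameter or, if it is genuinely constant, switch to quoteTrustedValue().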

For more information on this security vector, please see ZF2013-03.

Please see


Zend Framework 2 requires PHP 5.3.3 or later; we recommend using the latest PHP version whenever possible.


Please see


If you wish to contribute to Zend Framework 2.0, please read both the and file.


Online documentation can be found at Questions that are not addressed in the manual should be directed to the appropriate mailing list:

If you find code in this release behaving in an unexpected manner or contrary to its documented behavior, please create an issue in our GitHub issue tracker:

If you would like to be notified of new releases, you can subscribe to the fw-announce mailing list by sending a blank message to


The files in this archive are released under the Zend Framework license. You can find a copy of this license in LICENSE.txt.


The Zend Framework team would like to thank all the contributors to the Zend Framework project, our corporate sponsor, and you, the Zend Framework user. Please visit us sometime soon at
