Updated README.md

- Outlines the security fixes for RemoteAddr session validator and ServerUrl view helper.
zendframework · Nov 29, 2012 · 4baa1cd · 4baa1cd
1 parent b914ecd
commit 4baa1cd
Showing 1 changed file with 13 additions and 49 deletions.
diff --git a/README.md b/README.md
@@ -5,61 +5,25 @@ Develop: [![Build Status](https://secure.travis-ci.org/zendframework/zf2.png?bra
 
 ## RELEASE INFORMATION
 
-*Zend Framework 2.0.4*
+*Zend Framework 2.0.5*
 
-This is the fourth maintenance release for the 2.0 series.
+This is the fifth maintenance release for the 2.0 series.
 
-20 Nov 2012
+29 Nov 2012
 
-### UPDATES IN 2.0.4
+### UPDATES IN 2.0.5
 
 *Security Changes*
 
-By default, the JsonStrategy and FeedStrategy were selecting their
-associated renderers based on two criteria: if a ViewModel of
-appropriate type was present, *OR* if the Accept header matched certain
-criteria. It was pointed out that this latter is undesirable when the
-strategies are enabled globally, as any matching route could be forced
-to return JSON or a feed -- and potentially expose information not meant
-for that particular format, or raise exceptions due to containing
-content not compatible with the format.
-
-In this release, we removed the Accept header detection. To mitigate
-this, however, a new controller plugin, AcceptableViewModelSelector, was
-added. This plugin may be invoked from a controller, and based on
-criteria passed to it, return an appropriate view model type based on
-matching the Accept header. As an example:
-
-```php
-class SomeController extends AbstractActionController
-{
-    protected $acceptCriteria = array(
-        'Zend\View\Model\JsonModel' => array(
-            'application/json',
-        ),
-        'Zend\View\Model\FeedModel' => array(
-            'application/rss+xml',
-        ),
-    );
-
-    public function apiAction()
-    {
-        $viewModel = $this->acceptableViewModelSelector($this->acceptCriteria);
-
-        // Potentially vary execution based on model returned
-        if ($viewModel instanceof JsonModel) {
-            // ...
-        }
-    }
-}
-```
-
-You will still enable the JsonStrategy or FeedStrategy at the global
-level, but they will only be selected now if an appropriate view model
-is returned by the controller; the above plugin can help you select the
-appropriate view model based on Accept header on an as-needed basis.
-
-For more changes, please see CHANGELOG.md.
+The classes `Zend\Session\Validator\RemoteAddr` and `Zend\View\Helper\ServerUrl`
+were identified as having incorrect logic for detection of proxy servers. Both
+were updated to provide better detection, as well as more configuration
+surrounding detection. 
+
+For more information on the security fixes, please see
+http://framework.zend.com/security/advisory/ZF2012-04
+
+For all other changes, please see CHANGELOG.md.
 
 ### SYSTEM REQUIREMENTS