Added ZF2015-02 announcement to readme, changelog

zendframework · Feb 17, 2015 · 6cedf4a · 6cedf4a
1 parent 2018f4d
commit 6cedf4a
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,14 @@
 # CHANGELOG
 
+## 2.3.5 (TBD)
+
+### SECURITY UPDATES
+
+- **ZF2015-02:** `Zend\Db\Adapter\Platform\Postgresql` was incorrectly using
+  `\\` to escape double quotes in identifiers and values, which could lead to
+  SQL injection vectors. We have provided patches that use proper escaping. If
+  you use Postgresql with Zend Framework 2, we recommend upgrading immediately.
+
 ## 2.3.4 (2015-01-14)
 
 - [3758: partialLoop/partial View Helper can not be nested when using setObjectKey](https://github.com/zendframework/zf2/issues/3758)
@@ -703,6 +712,15 @@
 - [5943: Fixed route matcher test](https://github.com/zendframework/zf2/pull/5943)
 - [5951: Fix console mixed case optional value params](https://github.com/zendframework/zf2/pull/5951)
 
+## 2.2.10 (2015-02-18)
+
+### SECURITY UPDATES
+
+- **ZF2015-02:** `Zend\Db\Adapter\Platform\Postgresql` was incorrectly using
+  `\\` to escape double quotes in identifiers and values, which could lead to
+  SQL injection vectors. We have provided patches that use proper escaping. If
+  you use Postgresql with Zend Framework 2, we recommend upgrading immediately.
+
 ## 2.2.9 (2015-01-14)
 
 ### SECURITY UPDATES

diff --git a/README.md b/README.md
@@ -19,6 +19,13 @@ DD MMM YYYY
 
 ### UPDATES IN 2.3.5
 
+This release contains security updates:
+
+- **ZF2015-02:** `Zend\Db\Adapter\Platform\Postgresql` was incorrectly using
+  `\\` to escape double quotes in identifiers and values, which could lead to
+  SQL injection vectors. We have provided patches that use proper escaping. If
+  you use Postgresql with Zend Framework 2, we recommend upgrading immediately.
+
 Please see [CHANGELOG.md](CHANGELOG.md).
 
 ### SYSTEM REQUIREMENTS