Skip to content

Tags: koriym/zendframework

Tags

release-2.4.11

Toggle release-2.4.11's commit message
Zend Framework 2.4.11

- Fixes ZF2016-04 vulnerability

release-3.0.0

Toggle release-3.0.0's commit message
Zend Framework 3.0.0

- [Read the migration documentation](https://docs.zendframework.com/tutorials/migration/to-v3/overview/).
- [Read the recommended quick start](https://docs.zendframework.com/tutorials/getting-started/overview/)
- Marks the package as a Composer metapackage; this means the package itself
  will not be installed, only the requirements it defines.
- Updates the minimum supported PHP version to 5.6.
- Updates all components to latest versions, including v3 releases where
  present. Also adds the following components:
  - zend-mvc-console
  - zend-mvc-plugins
  - zend-mvc-form
  - zend-mvc-i18n
  - zend-json-server
  - zend-xml2json
  - zend-diactoros
  - zend-stratigility
  - zend-psr7bridge
  - zend-hydrator
  - zend-servicemanager-di
- Removes all `bin/*` scripts.

release-2.4.10

Toggle release-2.4.10's commit message
Zend Framework 2.4.10

- Fix HeaderValue throwing an exception on legal characters

release-2.5.3

Toggle release-2.5.3's commit message
Zend Framework 2.5.3

- [zendframework#7665](zendframework#7665) updates component version constraints from `~2.5.0` to `^2.5` to ensure the latest security updates are always installed.

release-2.4.9

Toggle release-2.4.9's commit message
Zend Framework 2.4.9

SECURITY UPDATES
----------------

- **ZF2015-09**: `Zend\Captcha\Word` generates a "word" for a CAPTCHA challenge
  by selecting a sequence of random letters from a character set. Prior to this
  vulnerability announcement, the selection was performed using PHP's internal
  `array_rand()` function. This function does not generate sufficient entropy
  due to its usage of `rand()` instead of more cryptographically secure methods
  such as `openssl_pseudo_random_bytes()`. This could potentially lead to
  information disclosure should an attacker be able to brute force the random
  number generation. This release contains a patch that replaces the
  `array_rand()` calls to use `Zend\Math\Rand::getInteger()`, which provides
  better RNG.
- **ZF2015-10**: `Zend\Crypt\PublicKey\Rsa\PublicKey` has a call to `openssl_public_encrypt()`
  which used PHP's default `$padding` argument, which specifies
  `OPENSSL_PKCS1_PADDING`, indicating usage of PKCS1v1.5 padding. This padding
  has a known vulnerability, the
  [Bleichenbacher's chosen-ciphertext attack](http://crypto.stackexchange.com/questions/12688/can-you-explain-bleichenbachers-cca-attack-on-pkcs1-v1-5),
  which can be used to recover an RSA private key. This release contains a patch
  that changes the padding argument to use `OPENSSL_PKCS1_OAEP_PADDING`.

  Users upgrading to this version may have issues decrypting previously stored
  values, due to the change in padding. If this occurs, you can pass the
  constant `OPENSSL_PKCS1_PADDING` to a new `$padding` argument in
  `Zend\Crypt\PublicKey\Rsa::encrypt()` and `decrypt()` (though typically this
  should only apply to the latter):

  ```php
  $decrypted = $rsa->decrypt($data, $key, $mode, OPENSSL_PKCS1_PADDING);
  ```

  where `$rsa` is an instance of `Zend\Crypt\PublicKey\Rsa`.

  (The `$key` and `$mode` argument defaults are `null` and
  `Zend\Crypt\PublicKey\Rsa::MODE_AUTO`, if you were not using them previously.)

  We recommend re-encrypting any such values using the new defaults.

release-2.4.8

Toggle release-2.4.8's commit message
Zend Framework 2.4.8

- [zend-validator/25: validate against DateTimeImmutable instead of DateTimeInterface](zendframework/zend-validator#25)
- [zend-validator/35: treat 0.0 as non-empty, restoring pre-2.4 behavior](zendframework/zend-validator#35)
- [zend-inputfilter/26: deprecate "magic" logic for auto-attaching NonEmpty validators in favor of explicit attachment](zendframework/zend-inputfilter#26)
- [zend-inputfilter/22: ensure fallback values work as per pre-2.4 behavior](zendframework/zend-inputfilter#22)
- [zend-inputfilter/31: update the InputFilterInterface::add() docblock to match implementations](zendframework/zend-inputfilter#31)
- [zend-inputfilter/25: Fix how missing optoinal fields are validated to match pre 2.4.0 behavior](zendframework/zend-inputfilter#26)
- [zend-form/12: deprecate AllowEmpty and ContinueIfEmpty annotations, per zend-inputfilter#26](zendframework/zend-form#12)
- [zend-form/9: fix typos in aria attribute names of AbstractHelper](zendframework/zend-form#9)
- [zend-mail/26: fixes the ContentType header to properly handle encoded parameter values](zendframework/zend-mail#26)
- [zend-mail/11: fixes the Sender header to allow mailbox addresses without TLDs](zendframework/zend-mail#11)
- [zend-mail/24: fixes parsing of messages that contain an initial blank line before headers](zendframework/zend-mail#24)
- [zend-http/23: fixes the SetCookie header to allow multiline values (as they are always encoded)](zendframework/zend-http#23)
- [zend-mvc/27: fixes DefaultRenderingStrategy errors due to controllers returning non-view model results](zendframework/zend-mvc#27)

SECURITY UPDATES
----------------

- **ZF2015-07**: The filesystem storage adapter of `Zend\Cache` was creating directories with a liberal umask that could lead to local arbitrary code execution and/or local privilege escalation. This release contains a patch that ensures the directories are created using permissions of 0775 and files using 0664 (essentially umask 0002).

release-2.4.7

Toggle release-2.4.7's commit message
Zend Framework 2.4.7

- [15: validateInputs must allow ArrayAccess for $data](zendframework/zend-inputfilter#15)

release-2.5.2

Toggle release-2.5.2's commit message
Zend Framework 2.5.2

SECURITY UPDATES
----------------

- **ZF2015-06**: `ZendXml` runs a heuristic detection for XML Entity Expansion
  and XML eXternal Entity vectors when under php-fpm, due to issues with threading
  in libxml preventing using that library's built-in mechanisms for disabling
  them. However, the heuristic was determined to be faulty when multibyte
  encodings are used for the XML. This release contains a patch to ensure that the
  heuristic will work with multibyte encodings.

  If you use Zend Framework components that utilize DOMDocument or SimpleXML
  (which includes `Zend\XmlRpc`, `Zend\Soap`, `Zend\Feed`, and several others),
  and deploy using php-fpm in production (or plan to), we recommend upgrading
  immediately.

release-2.4.6

Toggle release-2.4.6's commit message
Zend Framework 2.4.6

- [10: Take fallback value into account during input filter validation](zendframework/zend-inputfilter#10)

SECURITY UPDATES
----------------

- **ZF2015-06**: `ZendXml` runs a heuristic detection for XML Entity Expansion
  and XML eXternal Entity vectors when under php-fpm, due to issues with threading
  in libxml preventing using that library's built-in mechanisms for disabling
  them. However, the heuristic was determined to be faulty when multibyte
  encodings are used for the XML. This release contains a patch to ensure that the
  heuristic will work with multibyte encodings.

  If you use Zend Framework components that utilize DOMDocument or SimpleXML
  (which includes `Zend\XmlRpc`, `Zend\Soap`, `Zend\Feed`, and several others),
  and deploy using php-fpm in production (or plan to), we recommend upgrading
  immediately.

release-2.4.5

Toggle release-2.4.5's commit message
Zend Framework 2.4.5

- [7: Ensure Required, AllowEmpty validation combo works](zendframework/zend-inputfilter#7)