Commit

[ZF2015-01] Added security blurb to README and CHANGELOG
- Includes 2.2.9 changelog as well
weierophinney committed Jan 14, 2015
1 parent 037c62b commit 18534b6
Showing 2 changed files with 37 additions and 0 deletions.
26 changes: 26 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,18 @@
# CHANGELOG

## 2.3.4 (2015-01-14)

### SECURITY UPDATES

- **ZF2015-01:** Session validators were not run if set before session start.
Essentially, the validators were writing to the `$_SESSION` superglobal before
session start, which meant the data was overwritten once the session began.
This meant on subsequent calls, the validators had no data to compare against,
making the sessions automatically valid. We have provided patches to ensure
that validators are run only after the session has begun, which will ensure
they validate sessions correctly going forward. If you use `Zend\Session`
validators, we recommend upgrading immediately.

## 2.3.3 (2014-09-17)

- [6576: Custom barcode adapter wasn't being set in options](https://github.com/zendframework/zf2/pull/6576)
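Review bot: The new 2.3.4 entry carries no link to the ZF2015-01 advisory or to the patch itself, while the neighbouring entries (for example 6576 just below it) link to their pull request. Add a reference so a reader can find the fix and the details. The first sentence also says the validators "were not run", but the body describes them writing to `$_SESSION` before session start and that data being overwritten; consider rewording the headline to match the described failure, in which validators had no stored data to compare against and sessions validated automatically.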
@@ -481,6 +494,19 @@
- [5943: Fixed route matcher test](https://github.com/zendframework/zf2/pull/5943)
- [5951: Fix console mixed case optional value params](https://github.com/zendframework/zf2/pull/5951)

## 2.2.9 (2015-01-14)

### SECURITY UPDATES

- **ZF2015-01:** Session validators were not run if set before session start.
Essentially, the validators were writing to the `$_SESSION` superglobal before
session start, which meant the data was overwritten once the session began.
This meant on subsequent calls, the validators had no data to compare against,
making the sessions automatically valid. We have provided patches to ensure
that validators are run only after the session has begun, which will ensure
they validate sessions correctly going forward. If you use `Zend\Session`
validators, we recommend upgrading immediately.

## 2.2.8 (2014-09-17)

### SECURITY UPDATES
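Review bot: The 2.2.9 entry ends with "we recommend upgrading immediately" without naming a target or the affected releases. In the 2.2 section, state explicitly which release 2.2 users should move to and which earlier releases are affected, so operators can tell whether they need the fix. The text is otherwise a verbatim copy of the 2.3.4 entry, so any wording correction made there needs to be mirrored here.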
11 changes: 11 additions & 0 deletions README.md
@@ -19,6 +19,17 @@ DD MMM YYYY

### UPDATES IN 2.3.4

This release contains security fixes:

- **ZF2015-01:** Session validators were not run if set before session start.
Essentially, the validators were writing to the `$_SESSION` superglobal before
session start, which meant the data was overwritten once the session began.
This meant on subsequent calls, the validators had no data to compare against,
making the sessions automatically valid. We have provided patches to ensure
that validators are run only after the session has begun, which will ensure
they validate sessions correctly going forward. If you use `Zend\Session`
validators, we recommend upgrading immediately.

Please see [CHANGELOG.md](CHANGELOG.md).

### SYSTEM REQUIREMENTS
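Review bot: The ZF2015-01 paragraph under "UPDATES IN 2.3.4" is a third verbatim copy of the changelog text (two copies in CHANGELOG.md, one here) and is directly followed by "Please see [CHANGELOG.md](CHANGELOG.md)."; a one-line summary in the README that points to the changelog would keep the copies from drifting apart. The hunk header context also reads "DD MMM YYYY", which suggests the release date placeholder above this section is still unfilled while the changelog gives 2015-01-14; worth confirming before tagging.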