Skip to content

Latest commit

 

History

History
3578 lines (3457 loc) · 267 KB

CHANGELOG.md

File metadata and controls

3578 lines (3457 loc) · 267 KB
Raw

CHANGELOG

2.4.1 (2015-05-07)

SECURITY UPDATES

  • ZF2015-04: Zend\Mail and Zend\Http were both susceptible to CRLF Injection Attack vectors (for HTTP, this is often referred to as HTTP Response Splitting). Both components were updated to perform header value validations to ensure no values contain characters not detailed in their corresponding specifications, and will raise exceptions on detection. Each also provides new facilities for both validating and filtering header values prior to injecting them into header classes.

    If you use either Zend\Mail or Zend\Http (which includes users of Zend\Mvc), we recommend upgrading immediately.

2.4.0 (2015-03-31)

2.3.8 (2015-05-07)

SECURITY UPDATES

  • ZF2015-04: Zend\Mail and Zend\Http were both susceptible to CRLF Injection Attack vectors (for HTTP, this is often referred to as HTTP Response Splitting). Both components were updated to perform header value validations to ensure no values contain characters not detailed in their corresponding specifications, and will raise exceptions on detection. Each also provides new facilities for both validating and filtering header values prior to injecting them into header classes.

    If you use either Zend\Mail or Zend\Http (which includes users of Zend\Mvc), we recommend upgrading immediately.

2.3.7 (2015-03-12)

2.3.6 (2015-03-12)

SECURITY UPDATES

  • ZF2015-03 Zend\Validator\Csrf was incorrectly testing null or improperly formatted token identifiers, allowing them to pass validation. This release provides patches to correct the behavior. If you use the validator, or the corresponding Zend\Form\Element\Csrf, we recommend upgrading immediately.

2.3.5 (2015-02-18)

SECURITY UPDATES

  • ZF2015-02: Zend\Db\Adapter\Platform\Postgresql was incorrectly using \\ to escape double quotes in identifiers and values, which could lead to SQL injection vectors. We have provided patches that use proper escaping. If you use Postgresql with Zend Framework 2, we recommend upgrading immediately.

2.3.4 (2015-01-14)

SECURITY UPDATES

  • ZF2015-01: Session validators were not run if set before session start. Essentially, the validators were writing to the $_SESSION superglobal before session start, which meant the data was overwritten once the session began. This meant on subsequent calls, the validators had no data to compare against, making the sessions automatically valid. We have provided patches to ensure that validators are run only after the session has begun, which will ensure they validate sessions correctly going forward. If you use Zend\Session validators, we recommend upgrading immediately.

2.3.3 (2014-09-17)

SECURITY UPDATES

  • ZF2014-05: Due to an issue that existed in PHP's LDAP extension, it is possible to perform an unauthenticated simple bind against a LDAP server by using a null byte for the password, regardless of whether or not the user normally requires a password. We have provided a patch in order to protect users of unpatched PHP versions (PHP 5.5 <= 5.5.11, PHP 5.4 <= 5.4.27, all versions of PHP 5.3 and below). If you use Zend\Ldap and are on an affected version of PHP, we recommend upgrading immediately.
  • ZF2014-06: A potential SQL injection vector existed when using a SQL Server adapter to manually quote values due to the fact that it was not escaping null bytes. Code was added to ensure null bytes are escaped, and thus mitigate the SQLi vector. We do not recommend manually quoting values, but if you do, and use the SQL Server adapter without PDO, we recommend upgrading immediately.

2.3.2 (2014-08-11)

2.3.1 (2014-04-15)

SECURITY UPDATES

  • ZF2014-03: Potential XSS vector in multiple view helpers due to inappropriate HTML attribute escaping. Many view helpers were using the escapeHtml() view helper in order to escape HTML attributes. This release patches them to use the escapeHtmlAttr() view helper in these situations. If you use form or navigation view helpers, or "HTML element" view helpers (such as gravatar(), htmlFlash(), htmlPage(), or htmlQuicktime()), we recommend upgrading immediately.

2.3.0 (2014-03-12)

2.2.10 (2015-02-18)

SECURITY UPDATES

  • ZF2015-02: Zend\Db\Adapter\Platform\Postgresql was incorrectly using \\ to escape double quotes in identifiers and values, which could lead to SQL injection vectors. We have provided patches that use proper escaping. If you use Postgresql with Zend Framework 2, we recommend upgrading immediately.

2.2.9 (2015-01-14)

SECURITY UPDATES

  • ZF2015-01: Session validators were not run if set before session start. Essentially, the validators were writing to the $_SESSION superglobal before session start, which meant the data was overwritten once the session began. This meant on subsequent calls, the validators had no data to compare against, making the sessions automatically valid. We have provided patches to ensure that validators are run only after the session has begun, which will ensure they validate sessions correctly going forward. If you use Zend\Session validators, we recommend upgrading immediately.

2.2.8 (2014-09-17)

SECURITY UPDATES

  • ZF2014-05: Due to an issue that existed in PHP's LDAP extension, it is possible to perform an unauthenticated simple bind against a LDAP server by using a null byte for the password, regardless of whether or not the user normally requires a password. We have provided a patch in order to protect users of unpatched PHP versions (PHP 5.5 <= 5.5.11, PHP 5.4 <= 5.4.27, all versions of PHP 5.3 and below). If you use Zend\Ldap and are on an affected version of PHP, we recommend upgrading immediately.
  • ZF2014-06: A potential SQL injection vector existed when using a SQL Server adapter to manually quote values due to the fact that it was not escaping null bytes. Code was added to ensure null bytes are escaped, and thus mitigate the SQLi vector. We do not recommend manually quoting values, but if you do, and use the SQL Server adapter without PDO, we recommend upgrading immediately.

2.2.7 (2014-04-15)

SECURITY UPDATES

  • ZF2014-03: Potential XSS vector in multiple view helpers due to inappropriate HTML attribute escaping. Many view helpers were using the escapeHtml() view helper in order to escape HTML attributes. This release patches them to use the escapeHtmlAttr() view helper in these situations. If you use form or navigation view helpers, or "HTML element" view helpers (such as gravatar(), htmlFlash(), htmlPage(), or htmlQuicktime()), we recommend upgrading immediately.

2.2.6 (2014-03-06)

SECURITY UPDATES

  • ZF2014-01: Potential XXE/XEE attacks using PHP functions: simplexml_load_*, DOMDocument::loadXML, and xml_parse. A new component, ZendXml, was introduced to mitigate XML eXternal Entity and XML Entity Expansion vectors that are present in older versions of libxml2 and/or PHP. Zend\Json\Json::fromXml() and Zend\XmlRpc's Response and Fault classes were potentially vulnerable to these attacks. If you use either of these components, we recommend upgrading immediately.

2.2.5 (2013-10-31)

SECURITY UPDATES

An issue with Zend\Http\PhpEnvironment\RemoteAddress was reported in #5374. Essentially, the class was not checking if $_SERVER['REMOTE_ADDR'] was one of the trusted proxies configured, and as a result, getIpAddressFromProxy() could return an untrusted IP address.

The class was updated to check if $_SERVER['REMOTE_ADDR'] is in the list of trusted proxies, and, if so, will return that value immediately before consulting the values in the X-Forwarded-For header.

If you use the RemoteAddr Zend\Session validator, and are configuring trusted proxies, we recommend updating to 2.2.5 or later immediately.

Potential Breakage

  • #5343 removed the DateTimeFormatter filter from DateTime form elements. This was done due to the fact that it led to unexpected behavior when non-date inputs were provided. However, since the DateTime element already incorporates a DateValidator that accepts a date format, validation can still work as expected.

2.2.4 (2013-08-26)

2.2.3 (2013-08-21):

2.2.2 (2013-07-24):

2.2.1 (2013-06-12):

2.2.0 (2013-05-15):

Potential Breakage

Zend\Validator was altered to remove the dependency on Zend\I18n by creating Segregated Interfaces. The practical upshot is that Zend\Validator\AbstractValidator no longer implements Zend\I18n\Translator\TranslatorAwareInterface, but rather Zend\Validator\Translator\TranslatorAwareInterface, which now typehints on Zend\Validator\Translator\TranslatorInterface instead of Zend\I18n\Translator\Translator. This means you cannot pass a Zend\I18n\Translator\Translator instance directly to a validator any longer.

However, we have included a new class, Zend\Mvc\I18n\Translator, that extends the i18n Translator class and implements the Validator TranslatorInterface. This class may be used as a drop-in replacement. In fact, by default, Zend\Validator\ValidatorPluginManager is now using the MvcTranslator service, which utilizes this new class, making the change seamless for most users.

The above change will only affect you if you were manually injecting a translator instance into your validators.

2.1.6 (06 Mar 2014):

SECURITY UPDATES

  • ZF2014-01: Potential XXE/XEE attacks using PHP functions: simplexml_load_*, DOMDocument::loadXML, and xml_parse. A new component, ZendXml, was introduced to mitigate XML eXternal Entity and XML Entity Expansion vectors that are present in older versions of libxml2 and/or PHP. Zend\Json\Json::fromXml() and Zend\XmlRpc's Response and Fault classes were potentially vulnerable to these attacks. If you use either of these components, we recommend upgrading immediately.

2.1.5 (17 Apr 2013):

2.1.4 (13 Mar 2013):

2.1.3 (21 Feb 2013):

2.1.2 (20 Feb 2013):

2.1.1 (06 Feb 2013):

2.1.0 (29 Jan 2013):

Potential Breakage

Includes a fix to the classes Zend\Filter\Encrypt and Zend\Filter\Decrypt which may pose a small break for end-users. Each requires an encryption key be passed to either the constructor or the setKey() method now; this was done to improve the security of each class.

Zend\Session includes a new Zend\Session\Storage\SessionArrayStorage class, which acts as a direct proxy to the $_SESSION superglobal. The SessionManager class now uses this new storage class by default, in order to fix an error that occurs when directly manipulating nested arrays of $_SESSION in third-party code. For most users, the change will be seamless. Those affected will be those (a) directly accessing the storage instance, and (b) using object notation to access session members:

$foo = null;
/** @var $storage Zend\Session\Storage\SessionStorage */
if (isset($storage->foo)) {
    $foo = $storage->foo;
}

If you are using array notation, as in the following example, your code remains forwards compatible:

$foo = null;

/** @var $storage Zend\Session\Storage\SessionStorage */
if (isset($storage['foo'])) {
    $foo = $storage['foo'];
}

If you are not working directly with the storage instance, you will be unaffected.

For those affected, the following courses of action are possible:

  • Update your code to replace object property notation with array notation, OR
  • Initialize and register a Zend\Session\Storage\SessionStorage object explicitly with the session manager instance.

2.0.8 (13 Mar 2013):

2.0.7 (29 Jan 2013):

Potential Breakage

Includes a fix to the classes Zend\Filter\Encrypt and Zend\Filter\Decrypt which may pose a small break for end-users. Each requires an encryption key be passed to either the constructor or the setKey() method now; this was done to improve the security of each class.

2.0.6 (19 Dec 2012):

2.0.5 (29 Nov 2012):

2.0.4 (20 Nov 2012):

2.0.3 (17 Oct 2012):

2.0.2 (21 Sep 2012):

2.0.1 (20 Sep 2012):