1.12.20

Security Updates

• ZF2016-03: The implementation of ORDER BY and GROUP BY in Zend_Db_Select remained prone to SQL injection when a combination of SQL expressions and comments were used. This release provides a comprehensive solution that identifies and removes comments prior to checking validity of the statement to ensure no SQLi vectors occur. We advise always filtering user input prior to invoking these methods, however, to further protect your applications.

1.12.19

Security Updates

• ZF2016-02: The implementation of ORDER BY and GROUP BY in Zend_Db_Select contained potential SQL injection vulnerabilities, and have been patched.

Zend Framework 1.12.18

• 575: Please Remove YouTube Zend GData Page
• 607: PHP7 debug_backtrace BC break
• 628: Solve problem with subqueries in SELECT block
• 637: List-separator attribute is not being unset for MultiCheckboxes due to a typo.
• 641: Wrong regex pattern in Zend_Validate_Iban class
• 647: VERSION constant incorrect for 1.12.17 release tag.
• 649: ZF2015-09: The Zend_Crypt_MathTest should run on PHP 5.2/5.3
• 651: Update Vagrantfile to use Rasmus' php7 box
• 655: ZF2015-08 breaks binary data
• 656: zf1-extra is missing in release-1.12.17
• 670: Fix for 655 issue
• 677: Wrong PHPDoc in Zend_Mail
• 679: Non-existing method getRequired() in Zend_Form-Elements docs
• 683: Zend_Form_Element_Button::isChecked has wrong documentation

SECURITY UPDATES

• ZF2016-01: A number of classes, including Zend_Filter_Encrypt, Zend_Form_Element_Hash, Zend_Gdata_HttpClient, Zend_Ldap_Attribute, and Zend_OpenId, were using randomization methods with insufficient entropy. They have been updated to each use Zend_Crypt_Math, and the latter was updated to use PHP 7's random_bytes() and random_int() where feasible.

Zend Framework 1.12.17

• 638: Fixes null byte tests in Zend_Db_Adapter_Pdo
• 632: Updates the TLD list for Zend_Validate_Hostname to version 2015102801

SECURITY UPDATES

• ZF2015-09: Zend_Captcha_Word generates a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. Prior to this version, the selection was performed using PHP's internal array_rand() function. This function does not generate sufficient entropy due to its usage of rand() instead of more cryptographically secure methods such as openssl_pseudo_random_bytes(). This could potentially lead to information disclosure should an attacker be able to brute force the random number generation. This release updates Zend_Crypt_Math to provide cryptographically secure RNG, and updates Zend_Captcha_Word to use these new facilities.

Zend Framework 1.12.16

• 504: Cannot parse huge documents in Zend_Dom_Query
• 599: Wrong return type in DocBlock of Zend_Console_Getopt::getOption()
• 600: Undefined property $config in Zend_Http_Client_Adapter_Curl
• 604: add doccomments to Zend_Log covering its magic methods
• 606: Fix typo in Zend_Cache-Backends documentation.
• 610: Add ß (Latin small letter sharp s) to .de domain IDNA check
• 612: Zend_Validate_Hostname does not validate NTP hostnames starting with '0' character

SECURITY UPDATES

• ZF2015-07: A number of components, including Zend_Cloud, Zend_Search_Lucene, and Zend_Service_WindowsAzure were creating directories with a liberal umask that could lead to local arbitrary code execution and/or local privilege escalation. This release contains a patch that ensures the directories are created using permissions of 0775 and files using 0664 (essentially umask 0002).
• ZF2015-08: ZF2014-06 uncovered an issue in the sqlsrv adapter provided by the framework whereby null bytes were not filtered correctly when generating SQL. A reporter discovered the same vulnerability is present in our PDO implementation when used with pdo_dblib, and could potentially be applied to other PDO adapters. This release contains a patch to properly escape null bytes used in SQL queries across all PDO adapters shipped with the framework.

Zend Framework 1.12.15

• 582: Incorrect application of timeout option in curl http client adapter
• 587: "Invalid header line detected" error if HTTP header value is empty
• 591: ZF2015-06 fix broke the ZF on PHP 5.2
• 593: fix typo in PHPDoc @throws annotation of Zend_Registry::get()
• 595: Removing annoying warning.
• 597: Fix setting of CURLOPT_TIMEOUT

Zend Framework 1.12.14

• 492: Fix regexp to detect functions in column definition
• 597: Test that e-mail on non-reserved IP is valid
• 580: Azerbaijani language pluralization rule is wrong
• 551: Drop DeveloperGarden API implementation as it shuts down on 30th June 2015
• 583: Fix typo in Zend_Validate_EmailAddress
• 553: Drop Technorati API implementation as it is no longer available

SECURITY UPDATES

• ZF2015-06: ZendXml runs a heuristic detection for XML Entity Expansion and XML eXternal Entity vectors when under php-fpm, due to issues with threading in libxml preventing using that library's built-in mechanisms for disabling them. However, the heuristic was determined to be faulty when multibyte encodings are used for the XML. This release contains a patch to ensure that the heuristic will work with multibyte encodings.

  If you use Zend Framework components that utilize DOMDocument or SimpleXML (which includes Zend\XmlRpc, Zend\Soap, Zend\Feed, and several others), and deploy using php-fpm in production (or plan to), we recommend upgrading immediately.

Zend Framework 1.12.13

• 567: Cast int and float to string when creating headers

Zend Framework 1.12.12

• 493: PHPUnit not being installed
• 511: Add PATCH to the list of allowed methods in Zend_Controller_Request_HttpTestCase
• 513: Save time and space when cloning PHPUnit
• 515: !IE conditional comments bug
• 516: Zend_Locale does not honor parentLocale configuration
• 518: Run travis build also on PHP 7 builds
• 534: Failing unit test: Zend_Validate_EmailAddressTest::testIdnHostnameInEmaillAddress
• 536: Zend_Measure_Number convert some decimal numbers to roman with space char
• 537: Extend view renderer controller fix (#440)
• 540: Fix PHP 7 BC breaks in Zend_XmlRpc/Amf_Server
• 541: Fixed errors in tests on PHP7
• 542: Correctly reset the sub-path when processing routes
• 545: Fixed path delimeters being stripped by chain routes affecting later routes
• 546: TravisCI: Skip memcache(d) on PHP 5.2
• 547: Session Validators throw 'general' Session Exception during Session start
• 550: Notice "Undefined index: browser_version"
• 557: doc: Zend Framework Dependencies table unreadable
• 559: Fixes a typo in Zend_Validate messages for SK
• 561: Zend_Date not expected year
• 564: Zend_Application tries to load ZendX_Application_Resource_FrontController during instantiation

SECURITY UPDATES

• ZF2015-04: Zend_Mail and Zend_Http were both susceptible to CRLF Injection Attack vectors (for HTTP, this is often referred to as HTTP Response Splitting). Both components were updated to perform header value validations to ensure no values contain characters not detailed in their corresponding specifications, and will raise exceptions on detection. Each also provides new facilities for both validating and filtering header values prior to injecting them into header classes. If you use either Zend_Mail or Zend_Http, we recommend upgrading immediately.

Zend Framework 1.12.11

• 491: [Zend_Translate\ Extend PHPDocumentation to cover 'magic' behavior
• 502: Added @method PHPDocumentation to allow IDE code-completion
• 506: View renderer controller name fix breaks use of custom dispatcher