Tags: KJLKurt/zf1

release-1.12.18

Zend Framework 1.12.18

- [575: Please Remove YouTube Zend GData Page](zendframework#575)
- [607: PHP7 debug_backtrace BC break](zendframework#607)
- [628: Solve problem with subqueries in SELECT block](zendframework#628)
- [637: List-separator attribute is not being unset for MultiCheckboxes due to a typo.](zendframework#637)
- [641: Wrong regex pattern in Zend_Validate_Iban class](zendframework#641)
- [647: VERSION constant incorrect for 1.12.17 release tag.](zendframework#647)
- [649: ZF2015-09: The Zend_Crypt_MathTest should run on PHP 5.2/5.3](zendframework#649)
- [651: Update Vagrantfile to use Rasmus' php7 box](zendframework#651)
- [655: ZF2015-08 breaks binary data](zendframework#655)
- [656: zf1-extra is missing in release-1.12.17](zendframework#656)
- [670: Fix for 655 issue](zendframework#670)
- [677: Wrong PHPDoc in Zend_Mail](zendframework#677)
- [679: Non-existing method getRequired() in Zend_Form-Elements docs](zendframework#679)
- [683: Zend_Form_Element_Button::isChecked has wrong documentation](zendframework#683)

SECURITY UPDATES
----------------

- **ZF2016-01**: A number of classes, including `Zend_Filter_Encrypt`, `Zend_Form_Element_Hash`, `Zend_Gdata_HttpClient`, `Zend_Ldap_Attribute`, and `Zend_OpenId`, were using randomization methods with insufficient entropy.  They have been updated to each use `Zend_Crypt_Math`, and the latter was updated to use PHP 7's `random_bytes()` and `random_int()` where feasible.

release-1.12.17

Zend Framework 1.12.17

- [zendframework#638](zendframework#638) Fixes null byte tests in `Zend_Db_Adapter_Pdo`
- [zendframework#632](zendframework#632) Updates the TLD list for `Zend_Validate_Hostname` to version 2015102801.

SECURITY UPDATES
----------------

- **ZF2015-09**: `Zend_Captcha_Word` generates a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. Prior to this version, the selection was performed using PHP's internal `array_rand()` function. This function does not generate sufficient entropy due to its usage of `rand()` instead of more cryptographically secure methods such as `openssl_pseudo_random_bytes()`. This could potentially lead to information disclosure should an attacker be able to brute force the random number generation. This release updates `Zend_Crypt_Math` to provide cryptographically secure RNG, and updates `Zend_Captcha_Word` to use these new facilities.
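
The change described in ZF2016-01 and ZF2015-09, sketched as an added example (not code from Zend Framework): each CAPTCHA character is picked with a CSPRNG, using `random_int()` on PHP 7 and rejection-sampled OpenSSL bytes on older versions. The function names `secure_int()` and `captcha_word()` and the default character set are assumptions made for this illustration.

```php
<?php
// Added illustration: secure_int() and captcha_word() are hypothetical names,
// not Zend_Crypt_Math or Zend_Captcha_Word code.

/** Uniform integer in [0, $max] (1 <= $max <= 255) drawn from a CSPRNG. */
function secure_int($max)
{
    if ($max < 1 || $max > 255) {
        throw new InvalidArgumentException('max must be in 1..255');
    }
    if (function_exists('random_int')) {
        return random_int(0, $max);          // PHP 7+
    }
    if (!function_exists('openssl_random_pseudo_bytes')) {
        throw new RuntimeException('No CSPRNG available');
    }
    // Accept only bytes below the largest multiple of $range that fits in
    // 0..255, so the final modulo does not favour low values.
    $range = $max + 1;
    $limit = 256 - (256 % $range);
    do {
        $strong = false;
        $byte = openssl_random_pseudo_bytes(1, $strong);
        if ($byte === false || !$strong) {
            throw new RuntimeException('OpenSSL returned weak random bytes');
        }
        $value = ord($byte);
    } while ($value >= $limit);
    return $value % $range;
}

/** Build a CAPTCHA word by picking each character with secure_int(). */
function captcha_word($length, $charset = 'bcdfghjkmnpqrstvwxyz23456789')
{
    $last = strlen($charset) - 1;
    $word = '';
    for ($i = 0; $i < $length; $i++) {
        $word .= $charset[secure_int($last)];
    }
    return $word;
}

// Pattern the advisory replaces, for contrast (predictable, do not use):
//   $chars = str_split($charset); $c = $chars[array_rand($chars)];
echo captcha_word(8), PHP_EOL;
```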

release-1.12.16

Zend Framework 1.12.16

- [504: Cannot parse huge documents in Zend_Dom_Query](zendframework#504)
- [599: Wrong return type in DocBlock of Zend_Console_Getopt::getOption()](zendframework#599)
- [600: Undefined property $config in Zend_Http_Client_Adapter_Curl](zendframework#600)
- [604: add doccomments to Zend_Log covering its magic methods](zendframework#604)
- [606: Fix typo in Zend_Cache-Backends documentation.](zendframework#606)
- [610: Add ß (Latin small letter sharp s) to .de domain IDNA check](zendframework#610)
- [612: Zend_Validate_Hostname does not validate NTP hostnames starting with '0' character](zendframework#612)

SECURITY UPDATES
----------------

- **ZF2015-07**: A number of components, including `Zend_Cloud`, `Zend_Search_Lucene`, and `Zend_Service_WindowsAzure` were creating directories with a liberal umask that could lead to local arbitrary code execution and/or local privilege escalation. This release contains a patch that ensures the directories are created using permissions of 0775 and files using 0664 (essentially umask 0002).

- **ZF2015-08**: ZF2014-06 uncovered an issue in the sqlsrv adapter provided by the framework whereby null bytes were not filtered correctly when generating SQL. A reporter discovered the same vulnerability is present in our PDO implementation when used with pdo_dblib, and could potentially be applied to other PDO adapters.  This release contains a patch to properly escape null bytes used in SQL queries across all PDO adapters shipped with the framework.

release-1.12.15

Zend Framework 1.12.15

- [582: Incorrect application of timeout option in curl http client adapter](zendframework#582)
- [587: "Invalid header line detected" error if HTTP header value is empty](zendframework#587)
- [591: ZF2015-06 fix broke the ZF on PHP 5.2](zendframework#591)
- [593: fix typo in PHPDoc @throws annotation of Zend_Registry::get()](zendframework#593)
- [595: Removing annoying warning.](zendframework#595)
- [597: Fix setting of CURLOPT_TIMEOUT](zendframework#597)

release-1.12.14

Zend Framework 1.12.14

- [492: Fix regexp to detect functions in column definition](zendframework#492)
- [597: Test that e-mail on non-reserved IP is valid](zendframework#579)
- [580: Azerbaijani language pluralization rule is wrong](https://github.com/zendframework/zf1/issue/580)
- [551: Drop DeveloperGarden API implementation as it shuts down on 30th June 2015](zendframework#551)
- [583: Fix typo in Zend_Validate_EmailAddress](https://github.com/zendframework/zf1/issue/583)
- [553: Drop Technorati API implementation as it is no longer available](zendframework#553)

SECURITY UPDATES
----------------

- **ZF2015-06**: `ZendXml` runs a heuristic detection for XML Entity Expansion
  and XML eXternal Entity vectors when under php-fpm, due to issues with threading
  in libxml preventing using that library's built-in mechanisms for disabling
  them. However, the heuristic was determined to be faulty when multibyte
  encodings are used for the XML. This release contains a patch to ensure that the
  heuristic will work with multibyte encodings.

  If you use Zend Framework components that utilize DOMDocument or SimpleXML
  (which includes `Zend\XmlRpc`, `Zend\Soap`, `Zend\Feed`, and several others),
  and deploy using php-fpm in production (or plan to), we recommend upgrading
  immediately.

release-1.12.13

Zend Framework 1.12.13

- [567: Cast int and float to string when creating headers](zendframework#567)

release-1.12.12

Zend Framework 1.12.12

- [493: PHPUnit not being installed](zendframework#493)
- [511: Add PATCH to the list of allowed methods in Zend_Controller_Request_HttpTestCase](zendframework#511)
- [513: Save time and space when cloning PHPUnit](zendframework#513)
- [515: !IE conditional comments bug](zendframework#515)
- [516: Zend_Locale does not honor parentLocale configuration](zendframework#516)
- [518: Run travis build also on PHP 7 builds](zendframework#518)
- [534: Failing unit test: Zend_Validate_EmailAddressTest::testIdnHostnameInEmaillAddress](zendframework#534)
- [536: Zend_Measure_Number convert some decimal numbers to roman with space char](zendframework#536)
- [537: Extend view renderer controller fix (zendframework#440)](zendframework#537)
- [540: Fix PHP 7 BC breaks in Zend_XmlRpc/Amf_Server](zendframework#540)
- [541: Fixed errors in tests on PHP7](zendframework#541)
- [542: Correctly reset the sub-path when processing routes](zendframework#542)
- [545: Fixed path delimiters being stripped by chain routes affecting later routes](zendframework#545)
- [546: TravisCI: Skip memcache(d) on PHP 5.2](zendframework#546)
- [547: Session Validators throw 'general' Session Exception during Session start](zendframework#547)
- [550: Notice "Undefined index: browser_version"](zendframework#550)
- [557: doc: Zend Framework Dependencies table unreadable](zendframework#557)
- [559: Fixes a typo in Zend_Validate messages for SK](zendframework#559)
- [561: Zend_Date not expected year](zendframework#561)
- [564: Zend_Application tries to load ZendX_Application_Resource_FrontController during instantiation](zendframework#564)

Security Updates
----------------

- **ZF2015-04:** `Zend_Mail` and `Zend_Http` were both susceptible to CRLF Injection
  Attack vectors (for HTTP, this is often referred to as HTTP Response
  Splitting). Both components were updated to perform header value validations
  to ensure no values contain characters not detailed in their corresponding
  specifications, and will raise exceptions on detection. Each also provides new
  facilities for both validating and filtering header values prior to injecting
  them into header classes. If you use either `Zend_Mail` or `Zend_Http`,
  we recommend upgrading immediately.
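
The validate, filter and raise-on-detection behaviour described for ZF2015-04, sketched for HTTP header values as an added example (not Zend Framework's own code). The function names are hypothetical, the allowed byte set is the RFC 7230 field-value set (HTAB, SP, visible ASCII, 0x80-0xFF), and the sample inputs are constructed.

```php
<?php
// Added illustration: these function names are hypothetical, not Zend_Http API.

/** True when every byte is HTAB, SP, visible ASCII or 0x80-0xFF. */
function header_value_is_valid($value)
{
    // The /D modifier matters: without it "$" also matches before a trailing
    // "\n", so a value ending in LF would be accepted.
    return preg_match('/^[\x09\x20-\x7E\x80-\xFF]*$/D', (string) $value) === 1;
}

/** Remove every byte outside the allowed set (CR, LF, NUL, other controls). */
function header_value_filter($value)
{
    return preg_replace('/[^\x09\x20-\x7E\x80-\xFF]/', '', (string) $value);
}

/** Raise instead of emitting a header whose value would span several lines. */
function header_value_assert_valid($value)
{
    if (!header_value_is_valid($value)) {
        throw new InvalidArgumentException('Invalid header value');
    }
    return (string) $value;
}

// Constructed sample inputs.
$samples = array(
    'text/html; charset=utf-8',
    "/home\r\nX-Injected: 1",   // CR LF would start a new header line
    "en-US\n",                  // trailing LF, caught only because of /D
);
foreach ($samples as $s) {
    printf(
        "%-4s %-28s filtered: %s\n",
        header_value_is_valid($s) ? 'ok' : 'bad',
        json_encode($s),
        json_encode(header_value_filter($s))
    );
}
```

Filtering collapses the second sample into a single-line value, while `header_value_assert_valid()` rejects it outright; which of the two is appropriate depends on whether the caller can tolerate a silently altered header.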

release-1.12.11

Zend Framework 1.12.11

- [491: &#91;Zend_Translate&#92; Extend PHPDocumentation to cover 'magic' behavior](zendframework#491)
- [502: Added @method PHPDocumentation to allow IDE code-completion](zendframework#502)
- [506: View renderer controller name fix breaks use of custom dispatcher](zendframework#506)

release-1.12.10

Zend Framework 1.12.10

- [1: isLast not working as expected in Zend_Service_Amazon_SimpleDb_Page](zendframework#1)
- [8: Zend_Loader_ClassMapAutoloader is not auto included when using Zend_Loader_AutoloaderFactory::factory](zendframework#8)
- [15: Zend_Db_Table_Abstract::delete does not delete from dependent table](zendframework#15)
- [32: Zend_Soap_Client has no 'exceptions' flag.](zendframework#32)
- [62: Zend_Validate_EmailAddress->_validateMXRecords() fails on Umlaut-Domains](zendframework#62)
- [187: Zend_Rest_Server does not properly handle optional parameters when anonymous (arg1, etc) parameters are passed in](zendframework#187)
- [322: Zend_Validate_Hostname: disallowed Unicode code point](zendframework#322)
- [324: SlideShare API change some tag names.](zendframework#324)
- [345: CallbackHandler throws warning if WeakRef-extension not installed](zendframework#345)
- [377: Zend_Console_Getopt: Missing required parameter consumes next option as its parameter value](zendframework#377)
- [400: PHPUnit constraints: use real class names to help classmap generators](zendframework#400)
- [426: Use relative filenames for _validIdns for direct include in Zend_Validate_Hostname](zendframework#426)
- [434: Corrected type of property _currentRoute](zendframework#434)
- [440: Zend_Controller_Dispatcher_Abstract::_formatName() inconsistent with Action name handling](zendframework#440)
- [441: Loosen regex to allow nested function calls in SQL](zendframework#441)
- [444: Update Zend_Validate_Hostname TLDs list to 2014102301 version](zendframework#444)
- [446: fix typo unkown -> unknown](zendframework#446)
- [448: fix travis ci build for php 5.2](zendframework#448)
- [449: Zend_Date doesn't create correct date when seconds are missing from 8601 format](zendframework#449)
- [452: "fluent", not "fluid"](zendframework#452)
- [453: Zend_Cache_Backend_Memcached looks at "bytes", but Couchbase 1.x returns "mem_used"](zendframework#453)
- [456: Documentation of Zend_Feed_Pubsubhubbub_Model_ModelAbstract](zendframework#456)
- [458: Fixed bug in quoteInto with $count parameter and question sign in $value](zendframework#458)
- [461: CDATA section for category elements in RSS feed](zendframework#461)
- [465: Zend_Currency creates invalid cache ids for values with fractions](zendframework#465)
- [467: debug_backtrace() called twice when only once needed](zendframework#467)
- [468: Zend_Validate_Hostname improvements](zendframework#468)
- [469: &#91;Zend_Validate&#92; Testcase for zendframework#322](zendframework#469)
- [471: End of life for PHPUnit installation using pear](zendframework#471)
- [475: Zend Json Server Exception is missing the method name](zendframework#475)
- [478: Create .gitattributes to mirror archive { } in composer.json](zendframework#478)
- [480: Virtual machine doesn't install initial packages](zendframework#480)
- [483: Update copyright to 2015](zendframework#483)
- [484: Adds content headers on POST request in Zend_Controller_Request_HTTP](zendframework#484)
- [487: Allow overriding cache id and tag validation in Zend_Cache](zendframework#487)
- [488: Zend_Dojo_View_Helper_Dojo_Container setCdnVersion error...](zendframework#488)
- [490: Added more specific return documentation for Zend_Navigation Pages](zendframework#490)

release-1.12.9

Zend Framework 1.12.9

**This release contains security updates:**

- **ZF2014-05:** Due to an issue that existed in PHP's LDAP extension, it is
  possible to perform an unauthenticated simple bind against a LDAP server by
  using a null byte for the password, regardless of whether or not the user
  normally requires a password. We have provided a patch in order to protect
  users of unpatched PHP versions (PHP 5.5 <= 5.5.11, PHP 5.4 <= 5.4.27, all
  versions of PHP 5.3 and below). If you use `Zend_Ldap` and are on an affected
  version of PHP, we recommend upgrading immediately.
- **ZF2014-06:** `Zend_Db_Adapter_Sqlsrv` had a potential SQL injection
  vulnerability via improperly quoted null bytes. The code has been updated to
  ensure proper quoting and thus remove the security vector. If you are using
  `Zend_Db_Adapter_Sqlsrv` and manually quoting values via the adapter, we
  encourage you to upgrade immediately.