
Tags: bob-php-compiler/zf1


release-1.12.20

Zend Framework 1.12.20

**This release contains security updates:**

- **ZF2016-03:** The implementation of `ORDER BY` and `GROUP BY` in
  `Zend_Db_Select` remained prone to SQL injection when a combination of SQL
  expressions and comments were used. This release provides a comprehensive
  solution that identifies and removes comments prior to checking validity of
  the statement to ensure no SQLi vectors occur. We advise always filtering user
  input prior to invoking these methods, however, to further protect your
  applications.

release-1.12.19

Zend Framework 1.12.19

Security Updates
----------------

- **ZF2016-02**: The implementation of `ORDER BY` and `GROUP BY` in
  `Zend_Db_Select` contained potential SQL injection vulnerabilities
  and has been patched.

release-1.12.18

Zend Framework 1.12.18

- [575: Please Remove YouTube Zend GData Page](zendframework#575)
- [607: PHP7 debug_backtrace BC break](zendframework#607)
- [628: Solve problem with subqueries in SELECT block](zendframework#628)
- [637: List-separator attribute is not being unset for MultiCheckboxes due to a typo.](zendframework#637)
- [641: Wrong regex pattern in Zend_Validate_Iban class](zendframework#641)
- [647: VERSION constant incorrect for 1.12.17 release tag.](zendframework#647)
- [649: ZF2015-09: The Zend_Crypt_MathTest should run on PHP 5.2/5.3](zendframework#649)
- [651: Update Vagrantfile to use Rasmus' php7 box](zendframework#651)
- [655: ZF2015-08 breaks binary data](zendframework#655)
- [656: zf1-extra is missing in release-1.12.17](zendframework#656)
- [670: Fix for 655 issue](zendframework#670)
- [677: Wrong PHPDoc in Zend_Mail](zendframework#677)
- [679: Non-existing method getRequired() in Zend_Form-Elements docs](zendframework#679)
- [683: Zend_Form_Element_Button::isChecked has wrong documentation](zendframework#683)

SECURITY UPDATES
----------------

- **ZF2016-01**: A number of classes, including `Zend_Filter_Encrypt`, `Zend_Form_Element_Hash`, `Zend_Gdata_HttpClient`, `Zend_Ldap_Attribute`, and `Zend_OpenId`, were using randomization methods with insufficient entropy. They have been updated to each use `Zend_Crypt_Math`, and the latter was updated to use PHP 7's `random_bytes()` and `random_int()` where feasible.

release-1.12.17

Zend Framework 1.12.17

- [zendframework#638](zendframework#638) Fixes null byte tests in `Zend_Db_Adapter_Pdo`
- [zendframework#632](zendframework#632) Updates the TLD list for `Zend_Validate_Hostname` to version 2015102801.

SECURITY UPDATES
----------------

- **ZF2015-09**: `Zend_Captcha_Word` generates a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. Prior to this version, the selection was performed using PHP's internal `array_rand()` function. This function does not generate sufficient entropy due to its usage of `rand()` instead of more cryptographically secure methods such as `openssl_pseudo_random_bytes()`. This could potentially lead to information disclosure should an attacker be able to brute force the random number generation. This release updates `Zend_Crypt_Math` to provide cryptographically secure RNG, and updates `Zend_Captcha_Word` to use these new facilities.

release-1.12.16

Zend Framework 1.12.16

- [504: Cannot parse huge documents in Zend_Dom_Query](zendframework#504)
- [599: Wrong return type in DocBlock of Zend_Console_Getopt::getOption()](zendframework#599)
- [600: Undefined property $config in Zend_Http_Client_Adapter_Curl](zendframework#600)
- [604: add doccomments to Zend_Log covering its magic methods](zendframework#604)
- [606: Fix typo in Zend_Cache-Backends documentation.](zendframework#606)
- [610: Add ß (Latin small letter sharp s) to .de domain IDNA check](zendframework#610)
- [612: Zend_Validate_Hostname does not validate NTP hostnames starting with '0' character](zendframework#612)

SECURITY UPDATES
----------------

- **ZF2015-07**: A number of components, including `Zend_Cloud`, `Zend_Search_Lucene`, and `Zend_Service_WindowsAzure` were creating directories with a liberal umask that could lead to local arbitrary code execution and/or local privilege escalation. This release contains a patch that ensures the directories are created using permissions of 0775 and files using 0664 (essentially umask 0002).

- **ZF2015-08**: ZF2014-06 uncovered an issue in the sqlsrv adapter provided by the framework whereby null bytes were not filtered correctly when generating SQL. A reporter discovered the same vulnerability is present in our PDO implementation when used with pdo_dblib, and could potentially be applied to other PDO adapters. This release contains a patch to properly escape null bytes used in SQL queries across all PDO adapters shipped with the framework.

release-1.12.15

Zend Framework 1.12.15

- [582: Incorrect application of timeout option in curl http client adapter](zendframework#582)
- [587: "Invalid header line detected" error if HTTP header value is empty](zendframework#587)
- [591: ZF2015-06 fix broke the ZF on PHP 5.2](zendframework#591)
- [593: fix typo in PHPDoc @throws annotation of Zend_Registry::get()](zendframework#593)
- [595: Removing annoying warning.](zendframework#595)
- [597: Fix setting of CURLOPT_TIMEOUT](zendframework#597)

release-1.12.14

Zend Framework 1.12.14

- [492: Fix regexp to detect functions in column definition](zendframework#492)
- [597: Test that e-mail on non-reserved IP is valid](zendframework#579)
- [580: Azerbaijani language pluralization rule is wrong](https://github.com/zendframework/zf1/issue/580)
- [551: Drop DeveloperGarden API implementation as it shuts down on 30th June 2015](zendframework#551)
- [583: Fix typo in Zend_Validate_EmailAddress](https://github.com/zendframework/zf1/issue/583)
- [553: Drop Technorati API implementation as it is no longer available](zendframework#553)

SECURITY UPDATES
----------------

- **ZF2015-06**: `ZendXml` runs a heuristic detection for XML Entity Expansion
  and XML eXternal Entity vectors when under php-fpm, due to issues with threading
  in libxml preventing using that library's built-in mechanisms for disabling
  them. However, the heuristic was determined to be faulty when multibyte
  encodings are used for the XML. This release contains a patch to ensure that the
  heuristic will work with multibyte encodings.

  If you use Zend Framework components that utilize DOMDocument or SimpleXML
  (which includes `Zend\XmlRpc`, `Zend\Soap`, `Zend\Feed`, and several others),
  and deploy using php-fpm in production (or plan to), we recommend upgrading
  immediately.

release-1.12.13

Zend Framework 1.12.13

- [567: Cast int and float to string when creating headers](zendframework#567)

release-1.12.12

Zend Framework 1.12.12

- [493: PHPUnit not being installed](zendframework#493)
- [511: Add PATCH to the list of allowed methods in Zend_Controller_Request_HttpTestCase](zendframework#511)
- [513: Save time and space when cloning PHPUnit](zendframework#513)
- [515: !IE conditional comments bug](zendframework#515)
- [516: Zend_Locale does not honor parentLocale configuration](zendframework#516)
- [518: Run travis build also on PHP 7 builds](zendframework#518)
- [534: Failing unit test: Zend_Validate_EmailAddressTest::testIdnHostnameInEmaillAddress](zendframework#534)
- [536: Zend_Measure_Number convert some decimal numbers to roman with space char](zendframework#536)
- [537: Extend view renderer controller fix (zendframework#440)](zendframework#537)
- [540: Fix PHP 7 BC breaks in Zend_XmlRpc/Amf_Server](zendframework#540)
- [541: Fixed errors in tests on PHP7](zendframework#541)
- [542: Correctly reset the sub-path when processing routes](zendframework#542)
- [545: Fixed path delimiters being stripped by chain routes affecting later routes](zendframework#545)
- [546: TravisCI: Skip memcache(d) on PHP 5.2](zendframework#546)
- [547: Session Validators throw 'general' Session Exception during Session start](zendframework#547)
- [550: Notice "Undefined index: browser_version"](zendframework#550)
- [557: doc: Zend Framework Dependencies table unreadable](zendframework#557)
- [559: Fixes a typo in Zend_Validate messages for SK](zendframework#559)
- [561: Zend_Date not expected year](zendframework#561)
- [564: Zend_Application tries to load ZendX_Application_Resource_FrontController during instantiation](zendframework#564)

Security Updates
----------------

- **ZF2015-04:** `Zend_Mail` and `Zend_Http` were both susceptible to CRLF Injection
  Attack vectors (for HTTP, this is often referred to as HTTP Response
  Splitting). Both components were updated to perform header value validations
  to ensure no values contain characters not detailed in their corresponding
  specifications, and will raise exceptions on detection. Each also provides new
  facilities for both validating and filtering header values prior to injecting
  them into header classes. If you use either `Zend_Mail` or `Zend_Http`,
  we recommend upgrading immediately.

release-1.12.11

Zend Framework 1.12.11

- [491: [Zend_Translate] Extend PHPDocumentation to cover 'magic' behavior](zendframework#491)
- [502: Added @method PHPDocumentation to allow IDE code-completion](zendframework#502)
- [506: View renderer controller name fix breaks use of custom dispatcher](zendframework#506)