Tags: sandeepv10/zf1

release-1.12.9

Zend Framework 1.12.9

**This release contains security updates:**

- **ZF2014-05:** Due to an issue that existed in PHP's LDAP extension, it is
  possible to perform an unauthenticated simple bind against an LDAP server by
  using a null byte for the password, regardless of whether or not the user
  normally requires a password. We have provided a patch in order to protect
  users of unpatched PHP versions (PHP 5.5 <= 5.5.11, PHP 5.4 <= 5.4.27, all
  versions of PHP 5.3 and below). If you use `Zend_Ldap` and are on an affected
  version of PHP, we recommend upgrading immediately.
- **ZF2014-06:** `Zend_Db_Adapter_Sqlsrv` had a potential SQL injection
  vulnerability via improperly quoted null bytes. The code has been updated to
  ensure proper quoting and thus remove the security vector. If you are using
  `Zend_Db_Adapter_Sqlsrv` and manually quoting values via the adapter, we
  encourage you to upgrade immediately.

release-1.12.8

Zend Framework 1.12.8

- [54: Zend_Loader invalid links, missing docs](zendframework#54)
- [98: Allow editing and flattening of text form fields within PDF documents](zendframework#98)
- [244: Zend_Oauth_Client: Consider multipart/form-data](zendframework#244)
- [270: Missing class Zend_Service_Console_Command](zendframework#270)
- [277: Patch two level cache updates](zendframework#277)
- [289: Zend_Date milliseconds bug](zendframework#289)
- [342: Zend_Locale_Format::getFloat does not handle exponential notation ("1e-2" returns -100 instead of 0.01)](zendframework#342)
- [348: Fixed bug - do not allow invalid hostname with double dots i.e. zend..com](zendframework#348)
- [354: CLDR v25 released](zendframework#354)
- [363: Zend_Locale_Data::disableCache(true) is always reset](zendframework#363)
- [364: Fix convertPhpToIsoFormat](zendframework#364)
- [365: Fix for array to string conversion error in Zend_Validate_Abstract](zendframework#365)
- [368: Zend_Validate_Hostname: invalidates long TLDs above 10 characters (latest IANA TLDs)](zendframework#368)
- [375: Fixes zendframework#374 - Implement Zend_Pdf::getJavascript() and Zend_Pdf::setJavascript()](zendframework#375)
- [378: ZF-1.12.7 breaks code when using multi column ordering](zendframework#378)
- [382: Proper cleaning of File cache files in cleaning mode ALL](zendframework#382)
- [385: Serialized DateTime includes fractions of seconds since 5.6.0beta4](zendframework#385)
- [390: Zend_Locale_Format::_getEncoding() is missing a return statement](zendframework#390)
- [394: Validate_Hostname: Punycode decoding fails if encoded string has not hyphen](zendframework#394)
- [399: Argument 4 to hash_hmac() must be of type ?bool, int given](zendframework#399)
- [402: [Http] Multiple fixes related to the curl adapter](zendframework#402)
- [410: fix for issue 393 - always reset libxml_disable_entity_loader](zendframework#410)
- [414: Fix for 270 Missing class Zend_Service_Console_Command](zendframework#414)
- [418: Improved regex for SQL group, order, from](zendframework#418)

release-1.12.7

Zend Framework 1.12.7

- [ZF2014-04 Potential SQLi vector via ORDER clause](http://framework.zend.com/security/advisory/ZF2014-04)
- [329: Fixes zendframework#325 - Incorrect translation for ERROR_RECORD_FOUND](zendframework#329)
- [331: Compatibility with PHPunit 4](zendframework#331)
- [333: [Zend_Navigation] Remove a page recursively](zendframework#333)
- [337: No region found within the locale 'zh_CN'](zendframework#337)
- [340: Zend_Dojo_View_Helper_Dojo_Container::_renderStylesheets array_reverse](zendframework#340)
- [343: Updated the TLDs in Hostname validator to the latest IANA list (2014-05-05)](zendframework#343)
- [344: iconv.internal_encoding deprecated in PHP 5.6](zendframework#344)
- [351: Consolidate getting and setting encoding in Zend_Locale_Format](zendframework#351)
- [353: Update usage of iconv_get_encoding so that it is only used for PHP < 5.6](zendframework#353)
- [359: Add Docx support to Zend_Gdata_Docs](zendframework#359)
- [370: Zend_Registry test fails since PHP 5.6.0beta1](zendframework#370)
- [371: Allow children of Zend_Form to handle setDefaults to array conversion by themselves](zendframework#371)
- [376: Fixed compatibility with PHPUnit 4.1](zendframework#376)

release-1.12.6

Zend Framework 1.12.3

- [2: Long Timezones in Zend_Date constructor ignored with custom date format](zendframework#2)
- [53: Zend_Cache_Backend_Libmemcached doesn't pass Memcached::OPT_NO_BLOCK option through](zendframework#53)
- [164: Fix ZF-11921: Race condition in plugin loader include file cache](zendframework#164)
- [279: Added JSON_UNESCAPED_UNICODE and JSON_UNESCAPED_SLASHES to encoding GCM Data to JSON](zendframework#279)
- [291: OpenId tests are failing](zendframework#291)
- [296: Missing locale file '/***/Zend/Locale/Data/zh_CN.xml' for 'zh_CN' locale.](zendframework#296)
- [297: Rely on the autoloader to load PHPUnit_Runner_Version and PHPUnit_Autoload](zendframework#297)
- [299: Minute format in docstring fixed](zendframework#299)
- [301: 'Undefined variable: log' in [...]/library/Zend/Application/Resource/Translate.php on line 93](zendframework#301)
- [304: fixes zendframework#303 Allow zero count in assertQueryCount](zendframework#304)
- [307: Aliases for Zend_Locale](zendframework#307)
- [311: Fixed the Zend_Auth_Adapter_OpenIdTest tests](zendframework#311)
- [320: DB tests are enabled for Travis and fixed to be passing](zendframework#320)

release-1.12.5

Zend Framework 1.12.5

- [278: fixes zendframework#162. Back porting with a cut and paste](zendframework#278)
- [287: Zend_Validate_File_Extension: Undefined index: extension](zendframework#287)
- [291: OpenId tests are failing](zendframework#291)
- [292: parse error, expecting `')'' in C:\wamp\zend\ZendFramework-1.12.4\library\Zend\Xml\Security.php on line 76](zendframework#292)
- [293: Anonymous function rewritten as static one to maintain compatibility with PHP 5.2](zendframework#293)

release-1.12.4

Zend Framework 1.12.4
=====================

SECURITY FIXES FOR 1.12.4
-------------------------

- **ZF2014-01:** Potential XXE/XEE attacks using PHP functions:
  `simplexml_load_*`, `DOMDocument::loadXML`, and `xml_parse`. A new component,
  `Zend_Xml`, was introduced to mitigate XML eXternal Entity and XML Entity
  Expansion vectors that are present in older versions of libxml2 and/or PHP.
  Components that could contain these vectors include:

    - `Zend_Amf`
    - `Zend_Config`
    - `Zend_Dom`
    - `Zend_Feed`
    - `Zend_Gdata`
    - `Zend_Json`
    - `Zend_Locale`
    - `Zend_Mobile_Push`
    - `Zend_Rest_Client`
    - `Zend_Search_Lucene`
    - `Zend_Serializer_Adapter_Wddx`
    - `Zend_Service_Amazon`
    - `Zend_Service_AudioScrobbler`
    - `Zend_Service_Delicious`
    - `Zend_Service_Ebay`
    - `Zend_Service_Flickr`
    - `Zend_Service_SlideShare`
    - `Zend_Service_SqlAzure`
    - `Zend_Service_Technorati`
    - `Zend_Service_WindowsAzure`
    - `Zend_Service_Yahoo`
    - `Zend_Soap`
    - `Zend_Translate`

  If you use one or more of these components, we strongly urge that you upgrade
  immediately.

- **ZF2014-02:** Potential security issue in login mechanism of `Zend_OpenId`
  consumer. Using the Consumer component in conjunction with a malicious OpenID
  provider, one could log in to a service using an arbitrary OpenID Identity
  without requiring credentials, allowing impersonation of an OpenID Identity.
  If you use this component, we strongly urge that you upgrade immediately.

IMPORTANT FIXES FOR 1.12.4
--------------------------

- [zendframework#221](zendframework#221) removes the TinySrc view
  helper, as the TinySrc service no longer exists.
- [zendframework#222](zendframework#222) removes the InfoCard
  component, as the CardSpace service no longer exists.
- [zendframework#271](zendframework#271) removes the Nirvanix
  component, as the Nirvanix service shut down in October 2013.

release-1.12.3

Zend Framework 1.12.3

release-1.12.2

Zend Framework 1.12.2

release-1.12.1

Zend Framework 1.12.1

release-1.12.0

Zend Framework 1.12.0