All Versions
Latest Version
Avg Release Cycle
83 days
Latest Release
2410 days ago

Changelog History
Page 1

  • v3.0.0 Changes

    June 28, 2016
    • ๐Ÿ“š Read the migration documentation.
    • ๐Ÿ“„ Read the recommended quick start
    • ๐Ÿ“ฆ Marks the package as a Composer metapackage; this means the package itself
      will not be installed, only the requirements it defines.
    • โšก๏ธ Updates the minimum supported PHP version to 5.6.
    • ๐Ÿš€ Updates all components to latest versions, including v3 releases where
      present. Also adds the following components:
      • zend-mvc-console
      • zend-mvc-plugins
      • zend-mvc-form
      • zend-mvc-i18n
      • zend-json-server
      • zend-xml2json
      • zend-diactoros
      • zend-stratigility
      • zend-psr7bridge
      • zend-hydrator
      • zend-servicemanager-di
    • โœ‚ Removes all bin/* scripts.
  • v2.5.3 Changes

    June 28, 2016
    • โšก๏ธ #7665 updates component version constraints from ~2.5.0 to ^2.5 to ensure the latest security updates are always installed.
  • v2.5.2 Changes

    August 03, 2015


    • ZF2015-06: ZendXml runs a heuristic detection for XML Entity Expansion and XML eXternal Entity vectors when under php-fpm, due to issues with threading in libxml preventing using that library's built-in mechanisms for disabling them. However, the heuristic was determined to be faulty when multibyte encodings are used for the XML. This release contains a patch to ensure that the heuristic will work with multibyte encodings.

    If you use Zend Framework components that utilize DOMDocument or SimpleXML (which includes Zend\XmlRpc, Zend\Soap, Zend\Feed, and several others), and deploy using php-fpm in production (or plan to), we recommend upgrading immediately.

  • v2.5.1 Changes

    June 04, 2015
    • โฌ†๏ธ #7571 makes zend-ldap an optional dependency instead of a hard dependency, as zend-ldap has a hard requirement on ext-ldap, blocking installation for many users. If you use zend-ldap, you will need to call composer require zendframework/zend-ldap after upgrading to 2.5.1.
  • v2.4.13 Changes

    July 13, 2017
    • โช Restores php 5.3 compat in Zend\Mail\Header\HeaderValue.
  • v2.4.12 Changes

    June 19, 2017
    • ๐Ÿ›  Fix signature issue with AbstractContainer::offsetGet
  • v2.4.11 Changes

    December 20, 2016


    • ZF2016-04 : zend-mail contained a potential remote code execution vector via the Sendmail transport adapter when the local part of From addresses containing escape sequences were present. This release adds additional validation and filtering of these addresses to prevent the vulnerability.
  • v2.4.10 Changes

    June 28, 2016
    • ๐Ÿ›  Fix HeaderValue throwing an exception on legal characters
  • v2.4.9 Changes

    November 23, 2015


    ZF2015-09 : Zend\Captcha\Word generates a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. Prior to this vulnerability announcement, the selection was performed using PHP's internal array_rand() function. This function does not generate sufficient entropy due to its usage of rand() instead of more cryptographically secure methods such as openssl_pseudo_random_bytes(). This could potentially lead to information disclosure should an attacker be able to brute force the random number generation. This release contains a patch that replaces the array_rand() calls to use Zend\Math\Rand::getInteger(), which provides better RNG.

    ZF2015-10 : Zend\Crypt\PublicKey\Rsa\PublicKey has a call to openssl_public_encrypt() which used PHP's default $padding argument, which specifies OPENSSL_PKCS1_PADDING, indicating usage of PKCS1v1.5 padding. This padding has a known vulnerability, the Bleichenbacher's chosen-ciphertext attack, which can be used to recover an RSA private key. This release contains a patch that changes the padding argument to use OPENSSL_PKCS1_OAEP_PADDING.

    Users upgrading to this version may have issues decrypting previously stored values, due to the change in padding. If this occurs, you can pass the constant OPENSSL_PKCS1_PADDING to a new $padding argument in Zend\Crypt\PublicKey\Rsa::encrypt() and decrypt() (though typically this should only apply to the latter):

    $decrypted = $rsa-\>decrypt($data, $key, $mode, OPENSSL\_PKCS1\_PADDING);

    where $rsa is an instance of Zend\Crypt\PublicKey\Rsa.

    0๏ธโƒฃ (The $key and $mode argument defaults are null and Zend\Crypt\PublicKey\Rsa::MODE_AUTO, if you were not using them previously.)