Changelog History
v3.0.0 Changes
June 28, 2016
- Read the migration documentation.
- Read the recommended quick start.
- Marks the package as a Composer metapackage; this means the package itself will not be installed, only the requirements it defines.
- Updates the minimum supported PHP version to 5.6.
- Updates all components to latest versions, including v3 releases where present. Also adds the following components:
  - zend-mvc-console
  - zend-mvc-plugins
  - zend-mvc-form
  - zend-mvc-i18n
  - zend-json-server
  - zend-xml2json
  - zend-diactoros
  - zend-stratigility
  - zend-psr7bridge
  - zend-hydrator
  - zend-servicemanager-di
- Removes all `bin/*` scripts.

v2.5.3 Changes
June 28, 2016
- #7665 updates component version constraints from `~2.5.0` to `^2.5` to ensure the latest security updates are always installed.

v2.5.2 Changes
August 03, 2015
SECURITY UPDATES
- ZF2015-06: `ZendXml` runs a heuristic detection for XML Entity Expansion and XML eXternal Entity vectors when under php-fpm, because threading issues in libxml prevent use of that library's built-in mechanisms for disabling them. However, the heuristic was determined to be faulty when multibyte encodings are used for the XML. This release contains a patch to ensure that the heuristic will work with multibyte encodings.
  If you use Zend Framework components that utilize `DOMDocument` or `SimpleXML` (which includes `Zend\XmlRpc`, `Zend\Soap`, `Zend\Feed`, and several others), and deploy using php-fpm in production (or plan to), we recommend upgrading immediately.

v2.5.1 Changes
June 04, 2015
- #7571 makes `zend-ldap` an optional dependency instead of a hard dependency, as `zend-ldap` has a hard requirement on `ext-ldap`, blocking installation for many users. If you use `zend-ldap`, you will need to call `composer require zendframework/zend-ldap` after upgrading to 2.5.1.

v2.4.13 Changes
July 13, 2017
- Restores PHP 5.3 compatibility in `Zend\Mail\Header\HeaderValue`.

v2.4.12 Changes
June 19, 2017
- Fix signature issue with `AbstractContainer::offsetGet`.

v2.4.11 Changes
December 20, 2016
SECURITY UPDATES
- ZF2016-04: zend-mail contained a potential remote code execution vector via the Sendmail transport adapter when `From` addresses whose local part contained escape sequences were present. This release adds additional validation and filtering of these addresses to prevent the vulnerability.

v2.4.10 Changes
June 28, 2016
- Fix `HeaderValue` throwing an exception on legal characters.

v2.4.9 Changes
November 23, 2015
SECURITY UPDATES
- ZF2015-09: `Zend\Captcha\Word` generates a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. Prior to this vulnerability announcement, the selection was performed using PHP's internal `array_rand()` function. This function does not generate sufficient entropy due to its usage of `rand()` instead of more cryptographically secure methods such as `openssl_random_pseudo_bytes()`. This could potentially lead to information disclosure should an attacker be able to brute force the random number generation. This release contains a patch that replaces the `array_rand()` calls with `Zend\Math\Rand::getInteger()`, which provides a better RNG.
- ZF2015-10: `Zend\Crypt\PublicKey\Rsa\PublicKey` has a call to `openssl_public_encrypt()` which used PHP's default `$padding` argument, which specifies `OPENSSL_PKCS1_PADDING`, indicating usage of PKCS1v1.5 padding. This padding has a known vulnerability, the Bleichenbacher chosen-ciphertext attack, which can be used to recover an RSA private key. This release contains a patch that changes the padding argument to use `OPENSSL_PKCS1_OAEP_PADDING`.
  Users upgrading to this version may have issues decrypting previously stored values, due to the change in padding. If this occurs, you can pass the constant `OPENSSL_PKCS1_PADDING` to a new `$padding` argument in `Zend\Crypt\PublicKey\Rsa::encrypt()` and `decrypt()` (though typically this should only apply to the latter):

  ```php
  $decrypted = $rsa->decrypt($data, $key, $mode, OPENSSL_PKCS1_PADDING);
  ```

  where `$rsa` is an instance of `Zend\Crypt\PublicKey\Rsa`. (The `$key` and `$mode` argument defaults are `null` and `Zend\Crypt\PublicKey\Rsa::MODE_AUTO`, if you were not using them previously.)
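The two v2.4.9 fixes above, shown in plain PHP as an added example (this is not zend-captcha's or zend-crypt's code, and the functions `secureWord`, `encryptOaep`, `decryptWithPadding` and `migrateLegacyCiphertext` are this example's own names): a CSPRNG-backed letter picker in place of `array_rand()`, and a one-time re-encryption step that decrypts a value stored under the old `OPENSSL_PKCS1_PADDING` default and re-encrypts it under `OPENSSL_PKCS1_OAEP_PADDING`, so the compatibility `$padding` argument on `decrypt()` is only needed while migrating rather than kept permanently. It uses only ext/openssl and `random_int()` (PHP 7+), and generates a throwaway key pair at run time so it runs offline.

```php
<?php
// Added example, not Zend Framework code. Demonstrates the two ZF2015-09 /
// ZF2015-10 remediations with PHP's own ext/openssl and random_int().

// ---- ZF2015-09: pick CAPTCHA letters from a CSPRNG, not array_rand()/rand()
function secureWord(string $alphabet, int $length): string
{
    $max  = strlen($alphabet) - 1;
    $word = '';
    for ($i = 0; $i < $length; $i++) {
        // random_int() is uniform over [0, $max] and backed by the OS CSPRNG,
        // so the chosen letters cannot be predicted from earlier challenges.
        $word .= $alphabet[random_int(0, $max)];
    }
    return $word;
}

// ---- ZF2015-10: encrypt with OAEP, decrypt with an explicit padding mode
function encryptOaep(string $plaintext, string $publicKeyPem): string
{
    if (!openssl_public_encrypt($plaintext, $ciphertext, $publicKeyPem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('encrypt failed: ' . openssl_error_string());
    }
    return $ciphertext;
}

function decryptWithPadding(string $ciphertext, string $privateKeyPem, int $padding): string
{
    if (!openssl_private_decrypt($ciphertext, $plaintext, $privateKeyPem, $padding)) {
        throw new RuntimeException('decrypt failed: ' . openssl_error_string());
    }
    return $plaintext;
}

// Migration helper (hypothetical name): decrypt a value stored under the old
// PKCS#1 v1.5 default, re-encrypt it under OAEP, and persist the result.
function migrateLegacyCiphertext(string $legacy, string $privateKeyPem, string $publicKeyPem): string
{
    $plaintext = decryptWithPadding($legacy, $privateKeyPem, OPENSSL_PKCS1_PADDING);
    return encryptOaep($plaintext, $publicKeyPem);
}

// Constructed demo data: a fresh 2048-bit RSA key pair generated here.
$res = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($res, $privPem);
$pubPem = openssl_pkey_get_details($res)['key'];

// A "legacy" ciphertext, i.e. what the pre-2.4.9 default padding produced.
openssl_public_encrypt('stored secret', $legacy, $pubPem, OPENSSL_PKCS1_PADDING);

// Decrypting it as OAEP fails: the OAEP decoding check rejects the v1.5 block.
try {
    decryptWithPadding($legacy, $privPem, OPENSSL_PKCS1_OAEP_PADDING);
    echo "unexpected: legacy value accepted as OAEP\n";
} catch (RuntimeException $e) {
    echo "legacy value rejected under OAEP, as expected\n";
}

// After migration the stored value decrypts with the new default only.
$migrated = migrateLegacyCiphertext($legacy, $privPem, $pubPem);
if (decryptWithPadding($migrated, $privPem, OPENSSL_PKCS1_OAEP_PADDING) !== 'stored secret') {
    throw new RuntimeException('migration round-trip failed');
}
echo "migrated value decrypts under OAEP\n";

echo 'CAPTCHA word: ', secureWord('abcdefghijklmnopqrstuvwxyz', 8), "\n";
```

Run it with `php migrate_padding.php`; it needs ext/openssl and PHP 7 or later for `random_int()`. The point of the helper is that `OPENSSL_PKCS1_PADDING` appears only in the migration path: once every stored value has been re-encrypted, the legacy constant can be removed from the code base and `decrypt()` left at its OAEP default.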