Zend Framework 2.4.13

• Restores php 5.3 compat in Zend\Mail\Header\HeaderValue.

Zend Framework 2.4.12

• Fix signature issue with AbstractContainer::offsetGet

Zend Framework 2.4.11

SECURITY UPDATES

• ZF2016-04: zend-mail contained a potential remote code execution vector via the Sendmail transport adapter when the local part of From addresses containing escape sequences were present. This release adds additional validation and filtering of these addresses to prevent the vulnerability.

Zend Framework 3.0.0

• Read the migration documentation.
• Read the recommended quick start
• Marks the package as a Composer metapackage; this means the package itself
  will not be installed, only the requirements it defines.
• Updates the minimum supported PHP version to 5.6.
• Updates all components to latest versions, including v3 releases where
  present. Also adds the following components:
  • zend-mvc-console
  • zend-mvc-plugins
  • zend-mvc-form
  • zend-mvc-i18n
  • zend-json-server
  • zend-xml2json
  • zend-diactoros
  • zend-stratigility
  • zend-psr7bridge
  • zend-hydrator
  • zend-servicemanager-di
• Removes all bin/* scripts.

Zend Framework 2.4.10

• Fix HeaderValue throwing an exception on legal characters

Zend Framework 2.5.3

• #7665 updates component version constraints from ~2.5.0 to ^2.5 to ensure the latest security updates are always installed.

Zend Framework 2.4.9

SECURITY UPDATES

• ZF2015-09: Zend\Captcha\Word generates a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. Prior to this vulnerability announcement, the selection was performed using PHP's internal array_rand() function. This function does not generate sufficient entropy due to its usage of rand() instead of more cryptographically secure methods such as openssl_pseudo_random_bytes(). This could potentially lead to information disclosure should an attacker be able to brute force the random number generation. This release contains a patch that replaces the array_rand() calls to use Zend\Math\Rand::getInteger(), which provides better RNG.

• ZF2015-10: Zend\Crypt\PublicKey\Rsa\PublicKey has a call to openssl_public_encrypt() which used PHP's default $padding argument, which specifies OPENSSL_PKCS1_PADDING, indicating usage of PKCS1v1.5 padding. This padding has a known vulnerability, the Bleichenbacher's chosen-ciphertext attack, which can be used to recover an RSA private key. This release contains a patch that changes the padding argument to use OPENSSL_PKCS1_OAEP_PADDING.

  Users upgrading to this version may have issues decrypting previously stored values, due to the change in padding. If this occurs, you can pass the constant OPENSSL_PKCS1_PADDING to a new $padding argument in Zend\Crypt\PublicKey\Rsa::encrypt() and decrypt() (though typically this should only apply to the latter):

  $decrypted = $rsa->decrypt($data, $key, $mode, OPENSSL_PKCS1_PADDING);

  where $rsa is an instance of Zend\Crypt\PublicKey\Rsa.

  (The $key and $mode argument defaults are null and Zend\Crypt\PublicKey\Rsa::MODE_AUTO, if you were not using them previously.)

Zend Framework 2.4.8

• zend-validator/25: validate against DateTimeImmutable instead of DateTimeInterface
• zend-validator/35: treat 0.0 as non-empty, restoring pre-2.4 behavior
• zend-inputfilter/26: deprecate "magic" logic for auto-attaching NonEmpty validators in favor of explicit attachment
• zend-inputfilter/22: ensure fallback values work as per pre-2.4 behavior
• zend-inputfilter/31: update the InputFilterInterface::add() docblock to match implementations
• zend-inputfilter/25: Fix how missing optoinal fields are validated to match pre 2.4.0 behavior
• zend-form/12: deprecate AllowEmpty and ContinueIfEmpty annotations, per zend-inputfilter#26
• zend-form/9: fix typos in aria attribute names of AbstractHelper
• zend-mail/26: fixes the ContentType header to properly handle encoded parameter values
• zend-mail/11: fixes the Sender header to allow mailbox addresses without TLDs
• zend-mail/24: fixes parsing of messages that contain an initial blank line before headers
• zend-http/23: fixes the SetCookie header to allow multiline values (as they are always encoded)
• zend-mvc/27: fixes DefaultRenderingStrategy errors due to controllers returning non-view model results

SECURITY UPDATES

• ZF2015-07: The filesystem storage adapter of Zend\Cache was creating directories with a liberal umask that could lead to local arbitrary code execution and/or local privilege escalation. This release contains a patch that ensures the directories are created using permissions of 0775 and files using 0664 (essentially umask 0002).

Zend Framework 2.4.7

• 15: validateInputs must allow ArrayAccess for $data

Zend Framework 2.5.2

SECURITY UPDATES

• ZF2015-06: ZendXml runs a heuristic detection for XML Entity Expansion and XML eXternal Entity vectors when under php-fpm, due to issues with threading in libxml preventing using that library's built-in mechanisms for disabling them. However, the heuristic was determined to be faulty when multibyte encodings are used for the XML. This release contains a patch to ensure that the heuristic will work with multibyte encodings.

  If you use Zend Framework components that utilize DOMDocument or SimpleXML (which includes Zend\XmlRpc, Zend\Soap, Zend\Feed, and several others), and deploy using php-fpm in production (or plan to), we recommend upgrading immediately.