The security fix included in both 1.11.6 and 1.10.9 is a patch to the
Zend_Db MySQL PDO adapter to pass the requested character set as part of
the PDO DSN in PHP versions 5.3.6 and above. This addresses a potential
SQL injection vulnerability when using non-ASCII-compatible character
sets; for more information, please read the security advisory in
detail. We'd like to thank Anthony Ferrara for alerting us to the
issue and advising us.
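To illustrate the shape of the fix, here is an added example (not Zend Framework's own adapter code) that places the configured charset in the PDO DSN on PHP 5.3.6 and later and falls back to SET NAMES on older versions; the function and config-key names are assumptions for illustration.

```php
<?php
// Added example, not Zend_Db code. Builds a MySQL PDO DSN that carries the
// connection charset, as the 1.11.6 / 1.10.9 fix does for PHP >= 5.3.6.
function buildMysqlDsn(array $config)
{
    $parts = array(
        'host=' . $config['host'],
        'dbname=' . $config['dbname'],
    );
    if (!empty($config['port'])) {
        $parts[] = 'port=' . (int) $config['port'];
    }
    // With "charset" in the DSN the client library itself knows the
    // connection charset when it escapes values (e.g. for emulated prepares).
    // SET NAMES only tells the server, so multi-byte, non-ASCII-compatible
    // charsets can otherwise be escaped against the wrong encoding.
    if (!empty($config['charset']) && version_compare(PHP_VERSION, '5.3.6', '>=')) {
        $parts[] = 'charset=' . $config['charset'];
    }
    return 'mysql:' . implode(';', $parts);
}

function connectMysql(array $config)
{
    $pdo = new PDO(buildMysqlDsn($config), $config['username'], $config['password']);
    // Older PHP ignores the DSN charset, so fall back to SET NAMES there;
    // restrict the value to a plain charset name before interpolating it.
    if (!empty($config['charset']) && version_compare(PHP_VERSION, '5.3.6', '<')) {
        $charset = preg_replace('/[^a-z0-9_]/i', '', $config['charset']);
        $pdo->exec("SET NAMES '" . $charset . "'");
    }
    return $pdo;
}

// Constructed sample configuration (hypothetical values).
$config = array(
    'host'     => 'localhost',
    'dbname'   => 'app',
    'username' => 'app',
    'password' => 'secret',
    'charset'  => 'utf8',
);
echo buildMysqlDsn($config), "\n";
```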
An additional fix was made in 1.11.6 to Zend_Filter_HtmlEntities. In
circumstances where input utilizes a different character set than that
passed to PHP's `htmlentities()` function, the function will return an
empty string if it encounters characters not understood by the specified
character set. As an example:
$filtered = htmlentities($input, null, 'UTF-8');
will result in an empty string if $input contains latin-1 characters not
understood by UTF-8 (as an example, a latin-1 emdash character). This
can lead to conditions where valid input now no longer is (e.g., if it
passed a StringLength filter previously). We are not creating a
security advisory for this as there is no general vulnerability;
nevertheless, we patched 1.11.6 to address the issue (by casting to the
filter's encoding using iconv() if htmlentities() returns an empty
string). We'd like to thank Kevin MacArthur for alerting us to the issue
and assisting us in patching it.
A number of website improvements have been made for this release. First,
as reported with our previous 1.11.5 release, we are now using DocBlox
(http://www.docblox-project.org/) for rendering our API documentation.
Mike van Riel has been busy incorporating feedback this past month, and
this should be reflected in the API documentation for the
Second, Hector Virgen submitted some CSS and navigation enhancements for
the Zend Framework online manual, and these are now incorporated into
Finally, I'd like to thank everyone who contributed to this past month's
Bug Hunt Days. We had tremendous success this month, and actually
patched more than 60 issues -- and resolved more than 80! Keep up the
great work, everyone!