Zend Framework 1.11.6 and 1.10.9 released


weierophinney
Administrator
The Zend Framework team announces the immediate availability of Zend
Framework 1.11.6, our sixth maintenance release in the 1.11 series, and
a simultaneous release of 1.10.9, a security fix release.

1.11.6 includes more than 60 bug fixes and may be downloaded from the
Zend Framework site:

    http://framework.zend.com/download/latest

For a full list of resolved issues, you can visit the changelog:

    http://framework.zend.com/changelog/1.11.6

1.10.9 includes one security fix, and may be downloaded from our
Zend Framework release archives:

    http://framework.zend.com/download/archives

The security fix included in both 1.11.6 and 1.10.9 is a patch to the
Zend_Db MySQL PDO adapter to pass the requested character set as part of
the PDO DSN in PHP versions 5.3.6 and above.  This addresses a potential
SQL injection vulnerability when using non-ASCII-compatible character
sets; for more information, please read the security advisory:

    http://framework.zend.com/security/advisory/ZF2011-02

in detail. We'd like to thank Anthony Ferrara for alerting us to the
issue and advising us.

An additional fix was made in 1.11.6 to Zend_Filter_HtmlEntities. In
circumstances where input utilizes a different character set than that
passed to PHP's `htmlentities()` function, the function will return an
empty string if it encounters characters not understood by the specified
character set. As an example:

    $filtered = htmlentities($input, null, 'UTF-8');

will result in an empty string if $input contains latin-1 characters not
understood by UTF-8 (as an example, a latin-1 emdash character). This
can lead to conditions where valid input now no longer is (e.g., if it
passed a StringLength filter previously). We are not creating a
security advisory for this as there is no general vulnerability;
nevertheless, we patched 1.11.6 to address the issue (by casting to the
filter's encoding using iconv() if htmlentities() returns an empty
string). We'd like to thank Kevin MacArthur for alerting us to the issue
and assisting us in patching it.

A number of website improvements have been made for this release. First,
as reported with our previous 1.11.5 release, we are now using DocBlox
(http://www.docblox-project.org/) for rendering our API documentation.
Mike van Riel has been busy incorporating feedback this past month, and
this should be reflected in the API documentation for the
1.11.6 release.

Second, Hector Virgen submitted some CSS and navigation enhancements for
the Zend Framework online manual, and these are now incorporated into
the site.

Finally, I'd like to thank everyone who contributed to this past month's
Bug Hunt Days. We had tremendous success this month, and actually
patched more than 60 issues -- and resolved more than 80! Keep up the
great work, everyone!

--
Matthew Weier O'Phinney
Project Lead            | [hidden email]
Zend Framework          | http://framework.zend.com/
PGP key: http://framework.zend.com/zf-matthew-pgp-key.asc
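The Zend_Db fix announced above turns on two facts: a charset-unaware escape can leave a quote bare under a multibyte character set such as GBK, and PDO's mysql driver only applies a charset to its own client-side quoting when it is given in the DSN (honoured from PHP 5.3.6). The following is an added example written for this page, not code from Zend Framework or its adapter; the function names, the GBK payload and the configuration array are constructed for illustration, and part (1) assumes ext/mbstring is loaded.

```php
<?php
// Added example for this announcement, not code from Zend Framework.
// (1) shows why escaping with the wrong character set leaves a quote
//     unescaped under a multibyte charset such as GBK;
// (2) builds a DSN along the lines of the fix described above: the
//     charset goes into the PDO DSN on PHP >= 5.3.6 so the client
//     library escapes with it from the first byte.

// (1) 0xBF is a valid lead byte of a two-byte GBK character and 0x5C
//     (backslash) is a valid trail byte. A charset-unaware escape inserts
//     the backslash directly after 0xBF; a GBK-aware reader then sees the
//     pair as one character and the quote that follows is not escaped.
//     Under a single-byte charset (ISO-8859-1) the backslash stays a
//     character of its own and the quote remains escaped.
function escapeDefeated($charset) {
    $payload = "\xbf'";               // constructed attacker input
    $escaped = addslashes($payload);  // charset-unaware escaping
    $chars = array();
    for ($i = 0, $n = mb_strlen($escaped, $charset); $i < $n; $i++) {
        $chars[] = mb_substr($escaped, $i, 1, $charset);
    }
    // No standalone backslash in the split means the quote is bare.
    return !in_array("\\", $chars, true);
}

// (2) Charset in the DSN. PDO's mysql driver honours the 'charset' DSN
//     parameter from PHP 5.3.6; earlier versions ignore it, which is why
//     SET NAMES after connect was used, and SET NAMES changes only what
//     the server expects, not what the client library escapes for.
function buildMysqlDsn(array $config, $phpVersion = PHP_VERSION) {
    $dsn = 'mysql:host=' . $config['host'] . ';dbname=' . $config['dbname'];
    if (!empty($config['charset'])
        && version_compare($phpVersion, '5.3.6', '>=')) {
        $dsn .= ';charset=' . $config['charset'];
    }
    return $dsn;
}

// Constructed configuration for illustration.
$config = array('host' => 'localhost', 'dbname' => 'app', 'charset' => 'gbk');

// Vulnerable pattern (charset applied only on the server side):
//   $pdo = new PDO('mysql:host=localhost;dbname=app', $user, $pass);
//   $pdo->exec('SET NAMES gbk');  // server switches to GBK, client library does not
//   $pdo->quote("\xbf'");         // escaped as if single-byte, see escapeDefeated('GBK')
//
// Hardened pattern (PHP >= 5.3.6):
//   $pdo = new PDO(buildMysqlDsn($config), $user, $pass);
```

Two practitioner notes. On PHP older than 5.3.6 the `charset` DSN parameter is silently ignored, so `buildMysqlDsn()` deliberately omits it there rather than pretending the connection is safe; upgrading PHP is the actual fix on such hosts. Independently of the charset, setting `PDO::ATTR_EMULATE_PREPARES` to `false` makes PDO send bound parameters separately from the statement instead of quoting them client-side, which removes this class of escaping mistake from prepared statements (it does not help code that builds SQL with `quote()`).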

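The Zend_Filter_HtmlEntities note above describes a failure mode that is easy to miss in testing: `htmlentities()` with an explicit charset returns an empty string for the whole input as soon as it meets one byte sequence that is invalid in that charset, so a later validator sees "" rather than the original value. The following is an added example reconstructing that behaviour and the recovery step the announcement describes (re-encode with `iconv()` when the result is empty); it is not the Zend_Filter_HtmlEntities source. The function name, the ISO-8859-1 fallback charset and the sample inputs are assumptions made for the example.

```php
<?php
// Added example, not Zend_Filter_HtmlEntities itself: the empty-string
// failure of htmlentities() on input that is invalid in the declared
// charset, and the iconv() recovery described in the release notes.

function filterHtmlEntities($value, $encoding = 'UTF-8',
                            $sourceFallback = 'ISO-8859-1') {
    $filtered = htmlentities($value, ENT_QUOTES, $encoding);
    if ($filtered === '' && $value !== '') {
        // htmlentities() hit a byte sequence it could not decode as
        // $encoding and discarded the whole string. Re-encode from the
        // assumed source charset (an assumption: ISO-8859-1 here) and
        // try once more. A failed conversion keeps the empty result.
        $converted = iconv($sourceFallback, $encoding, $value);
        if ($converted !== false) {
            $filtered = htmlentities($converted, ENT_QUOTES, $encoding);
        }
    }
    return $filtered;
}

// Constructed inputs: valid UTF-8, and the same text with a bare
// ISO-8859-1 byte (0xE9, "e acute"), which under UTF-8 is an incomplete
// multibyte sequence.
$utf8   = "<b>caf\xc3\xa9</b>";
$latin1 = "<b>caf\xe9</b>";

// Plain htmlentities() keeps the first input and empties the second,
// so a StringLength check that the raw value passed would now fail.
$direct = array(
    htmlentities($utf8,   ENT_QUOTES, 'UTF-8'),
    htmlentities($latin1, ENT_QUOTES, 'UTF-8'),
);

// With the fallback both inputs come out entity-encoded.
$repaired = array(
    filterHtmlEntities($utf8),
    filterHtmlEntities($latin1),
);
```

The caveat a reviewer would raise: the fallback guesses the source charset, and a wrong guess silently mangles the text instead of dropping it, which is why the announcement treats this as a correctness fix rather than a security advisory. Where the input boundary is under your control, validating the declared encoding up front (for example with `mb_check_encoding()`) and rejecting invalid input is the stricter choice; the fallback above is for the case where the input has already been accepted.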
--
List: [hidden email]
Info: http://framework.zend.com/archives
Unsubscribe: [hidden email]