Zend Framework 1.12.0RC3 Released

akrabat
Hi all,

We are pleased to announce the availability of 1.12.0.RC3 which is (hopefully!) the last RC.

This release updates Zend_Mobile_Push to support GCM and Zend_Gdata_Analytics to support API v2.4.

It also contains a small number of additional bug fixes to the
Zend_Service_Rackspace component.


You may download the RC3 from the Downloads section of the website:

   http://framework.zend.com/download/latest

(The RC releases are under the stable releases.)


Please test this release and report any urgent issues immediately so
that we may correct them in the final release.

Significant changes in Zend Framework 1.12
==========================================

* Addition of Zend_Loader_Autoloader and Zend_Loader_ClassMapAutoloader
* Addition of Zend_EventManager
* Addition of Zend_Http_UserAgent_Features_Adapter_Browscap
* Addition of Zend_Mobile_Push
* Addition of Zend_Gdata_Analytics
* Removal of Zend_Http_UserAgent_Features_Adapter_WurflApi
* Over 200 bug fixes!

For full details please see the announcement for ZF 1.12.0RC1 here:

http://zend-framework-community.634137.n4.nabble.com/Zend-Framework-1-12-0RC1-Released-td4655326.html


Security Announcement
=====================

Zend_XmlRpc is vulnerable to XML eXternal Entity (XXE) Injection
attacks. The SimpleXMLElement class (SimpleXML PHP extension) is used in
an insecure way to parse XML data. External entities can be specified by
adding a specific DOCTYPE element to XML-RPC requests. By exploiting
this vulnerability an application may be coerced to open arbitrary files
and/or TCP connections.

The Request and Response implementations in Zend_XmlRpc were patched to
ensure libxml_disable_entity_loader() is invoked prior to instantiating
any SimpleXML objects. This disables XXE parsing, and thus disables the
attack vector.

This patch has been applied starting in versions 1.11.12 and 1.12.0 of
Zend Framework, and has been ported to the upcoming version 2.0.0
development branch (and will be included starting with the 2.0.0beta5
release).

The Zend Framework team thanks the following for working with us to help
protect its users:

* Johannes Greil
* Kestutis Gudinavicius



Download it today!
==================

We'd appreciate your feedback on this RC. Please download and
test it, and let us know what issues you encounter. You can add new issues
to http://framework.zend.com/issues 



Regards,

Rob...


--
List: [hidden email]
Info: http://framework.zend.com/archives
Unsubscribe: [hidden email]
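
The fix described in the Security Announcement above, sketched as an added example (not code from this post or from Zend Framework): external entity loading is switched off before any SimpleXMLElement is built, then restored afterwards. parseXmlRpcRequest() is a hypothetical helper, the two request bodies are constructed samples, and the outright DOCTYPE rejection is an extra check assumed here, not something the announcement describes.

```php
<?php
// Added example, not Zend Framework code. parseXmlRpcRequest() is a hypothetical helper.

/**
 * Parse an XML-RPC request body with external entity loading disabled.
 * Returns the SimpleXMLElement, or null if the body is rejected or malformed.
 */
function parseXmlRpcRequest(string $body): ?SimpleXMLElement
{
    // Extra check (assumption, not from the announcement): XML-RPC needs no DTD,
    // so refuse any DOCTYPE. This byte match only covers ASCII-compatible encodings.
    if (stripos($body, '<!DOCTYPE') !== false) {
        return null;
    }

    // The call named in the announcement. It is deprecated since PHP 8.0, where
    // libxml >= 2.9.0 no longer loads external entities by default, so it is
    // only invoked on PHP < 8.
    $hasToggle = PHP_VERSION_ID < 80000 && function_exists('libxml_disable_entity_loader');
    $previous  = $hasToggle ? libxml_disable_entity_loader(true) : null;
    $useErrors = libxml_use_internal_errors(true);

    try {
        // No LIBXML_NOENT or LIBXML_DTDLOAD: entities are never substituted or
        // fetched, and LIBXML_NONET blocks network access during parsing.
        $xml = new SimpleXMLElement($body, LIBXML_NONET);
    } catch (Exception $e) {
        $xml = null; // malformed XML
    } finally {
        // Restore process-wide libxml state so other XML consumers are unaffected.
        libxml_clear_errors();
        libxml_use_internal_errors($useErrors);
        if ($hasToggle) {
            libxml_disable_entity_loader($previous);
        }
    }
    return $xml;
}

// Constructed sample inputs: one plain request, one that declares an external entity.
$benign = '<?xml version="1.0"?><methodCall><methodName>demo.ping</methodName><params/></methodCall>';
$withDoctype = '<?xml version="1.0"?>'
    . '<!DOCTYPE methodCall [<!ENTITY e SYSTEM "file:///constructed/placeholder">]>'
    . '<methodCall><methodName>&e;</methodName></methodCall>';

var_dump((string) parseXmlRpcRequest($benign)->methodName); // parsed normally
var_dump(parseXmlRpcRequest($withDoctype));                 // rejected before parsing
```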


Re: [zf-contributors] Zend Framework 1.12.0RC3 Released

Sascha-Oliver Prolic
2012/7/31 Rob Allen <[hidden email]>:

> Hi all,
>
> We are pleased to announce the availability of 1.12.0.RC3 which is (hopefully!) the last RC.
>
> This release updates Zend_Mobile_Push to support GCM and Zend_Gdata_Analytics to support API v2.4.
>
> It also contains a small number of additional bug fixes to the
> Zend_Service_Rackspace component.
>
>
> You may download the RC3 from the Downloads section of the website:
>
>    http://framework.zend.com/download/latest
>
> (The RC releases are under the stable releases.)
>
>
> Please test this release and report any urgent issues immediately so
> that we may correct them in the final release.
>
> Significant changes in Zend Framework 1.12
> ==========================================
>
> * Addition of Zend_Loader_Autoloader and Zend_Loader_ClassMapAutoloader
> * Addition of Zend_EventManager
> * Addition of Zend_Http_UserAgent_Features_Adapter_Browscap
> * Addition of Zend_Mobile_Push
> * Addition of Zend_Gdata_Analytics
> * Removal of Zend_Http_UserAgent_Features_Adapter_WurflApi
> * Over 200 bug fixes!
>
> For full details please see the announcement for ZF 1.12.0RC1 here:
>
> http://zend-framework-community.634137.n4.nabble.com/Zend-Framework-1-12-0RC1-Released-td4655326.html
>
>
> Security Announcement
> =====================
>
> Zend_XmlRpc is vulnerable to XML eXternal Entity (XXE) Injection
> attacks. The SimpleXMLElement class (SimpleXML PHP extension) is used in
> an insecure way to parse XML data. External entities can be specified by
> adding a specific DOCTYPE element to XML-RPC requests. By exploiting
> this vulnerability an application may be coerced to open arbitrary files
> and/or TCP connections.
>
> The Request and Response implementations in Zend_XmlRpc were patched to
> ensure libxml_disable_entity_loader() is invoked prior to instantiating
> any SimpleXML objects. This disables XXE parsing, and thus disables the
> attack vector.
>
> This patch has been applied starting in versions 1.11.12 and 1.12.0 of
> Zend Framework, and has been ported to the upcoming version 2.0.0
> development branch (and will be included starting with the 2.0.0beta5
> release).
>
> The Zend Framework team thanks the following for working with us to help
> protect its users:
>
> * Johannes Greil
> * Kestutis Gudinavicius
>
>
>
> Download it today!
> ==================
>
> We'd appreciate your feedback on this RC. Please download and
> test it, and let us know what issues you encounter. You can add new issues
> to http://framework.zend.com/issues
>
>
>
> Regards,
>
> Rob...
>

Hi,

this issue is not merged in RC3:
http://framework.zend.com/issues/browse/ZF-12330

Regards

Sascha

--
Sascha-Oliver Prolic
