This release includes a security fix for
Zend\Http\PhpEnvironment\RemoteAddress and
Zend\Session\Validator\RemoteAddr; if you use either of these classes,
we urge you to upgrade to 2.2.5 immediately.

We've not had a release in a couple of months, due to an exciting
development: Zend's Zend Framework team has announced an initial
preview release of Apigility, an API builder and management tool,
built on top of Zend Framework 2! If you are building APIs or plan to
in the future, we encourage you to check out this tool and help drive
it toward a stable release!

A developer reported a problem with how we were handling situations
where Zend\Http\PhpEnvironment\RemoteAddress was configured to use
proxies and had a list of trusted proxies, but $_SERVER['REMOTE_ADDR']
was not in that list. Essentially, we were still
consulting the X-Forwarded-For header in this situation, but should
have been using the provided $_SERVER['REMOTE_ADDR'], according to the
2.2.5 fixes this situation. If you use that class, or
Zend\Session\Validator\RemoteAddr, you should upgrade immediately.
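
The check described above, as an added example that is not Zend Framework's own code: X-Forwarded-For is consulted only when $_SERVER['REMOTE_ADDR'] is itself in the trusted proxy list. The helper name resolveClientIp() and the sample addresses are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration: resolveClientIp() is a hypothetical helper,
// not Zend Framework code.
function resolveClientIp(array $server, array $trustedProxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';

    // X-Forwarded-For is client-supplied. Honour it only when the
    // direct peer is itself one of the trusted proxies.
    if (!in_array($peer, $trustedProxies, true)) {
        return $peer;
    }

    $header = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    $hops = array_filter(array_map('trim', explode(',', $header)), 'strlen');

    // Walk from the hop nearest to us, skipping trusted proxies; the
    // first remaining entry is the address the last trusted proxy saw.
    foreach (array_reverse($hops) as $hop) {
        if (in_array($hop, $trustedProxies, true)) {
            continue;
        }
        // A malformed entry is not trusted; fall back to the peer.
        return filter_var($hop, FILTER_VALIDATE_IP) !== false ? $hop : $peer;
    }

    return $peer; // header absent or listing only trusted proxies
}

// Constructed sample requests (documentation address ranges).
$trusted = ['192.0.2.10'];
$requests = [
    'peer is a trusted proxy' => [
        'REMOTE_ADDR' => '192.0.2.10',
        'HTTP_X_FORWARDED_FOR' => '203.0.113.99, 203.0.113.7',
    ],
    'peer is not a trusted proxy' => [
        'REMOTE_ADDR' => '198.51.100.23',
        'HTTP_X_FORWARDED_FOR' => '203.0.113.7',
    ],
];

foreach ($requests as $label => $server) {
    printf("%-28s %s\n", $label, resolveClientIp($server, $trusted));
}
```

For the second request the header is ignored and the peer address is returned, which is the behaviour described above for 2.2.5.
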
For more details, visit the ZF2013-04 security advisory: