Tags: gold22/zf1
Zend Framework 1.12.20
======================

**This release contains security updates:**

- **ZF2016-03:** The implementation of `ORDER BY` and `GROUP BY` in `Zend_Db_Select` remained prone to SQL injection when a combination of SQL expressions and comments was used. This release provides a comprehensive solution that identifies and removes comments prior to checking the validity of the statement, so that no SQLi vectors remain. We nonetheless advise always filtering user input before invoking these methods, to further protect your applications.
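The comment-aware check that ZF2016-03 describes, as an added example rather than Zend Framework's own code: `stripSqlComments()` and `isSafeOrderTerm()` are hypothetical helpers that remove SQL comments before validating a sort or group term against a narrow allow-list of shapes, and `orderTermFromRequest()` shows the user-input filtering the advisory recommends, mapping request keys to fixed column names. The sample inputs are constructed.

```php
<?php
// Added example (not Zend Framework code): two layers of defence for values that
// end up in ORDER BY / GROUP BY. Layer 1 maps user input to known columns; layer 2
// strips comments before validating a term, so a comment cannot hide part of it.

function stripSqlComments(string $sql): string
{
    // Block comments first (non-greedy, may span lines), then "--" and "#" line comments.
    $sql = preg_replace('~/\*.*?\*/~s', ' ', $sql);
    $sql = preg_replace('~(--|#)[^\r\n]*~', ' ', $sql);
    return trim($sql);
}

function isSafeOrderTerm(string $term): bool
{
    $clean = stripSqlComments($term);
    // If stripping changed the term, a comment was embedded in it: reject outright.
    if ($clean !== trim($term)) {
        return false;
    }
    // Plain or table-qualified identifier with an optional direction.
    // The D modifier stops "$" from matching before a trailing newline.
    $identifier = '/^[A-Za-z_]\w*(\.[A-Za-z_]\w*)?(\s+(ASC|DESC))?$/iD';
    // A narrow aggregate form: name, one pair of parentheses, no quotes or semicolons.
    // Anything not stripped above (e.g. an unterminated "/*") still has to pass here.
    $aggregate = '/^[A-Za-z_]\w*\([\w.*,\s]*\)(\s+(ASC|DESC))?$/iD';
    return preg_match($identifier, $clean) === 1 || preg_match($aggregate, $clean) === 1;
}

function orderTermFromRequest(?string $requested, array $allowed, string $default): string
{
    // Never pass the request value through: a known key selects a fixed column name.
    return ($requested !== null && isset($allowed[$requested])) ? $allowed[$requested] : $default;
}

// Constructed sample terms: the first three are well-formed, the rest must be rejected.
$samples = [
    'created_at DESC',
    'u.name',
    'COUNT(*) DESC',
    'price -- trailing comment',
    'total /* hidden */ , 1',
    "name'",
];
foreach ($samples as $term) {
    printf("%-30s %s\n", json_encode($term), isSafeOrderTerm($term) ? 'accepted' : 'rejected');
}

// Layer 1 for a request parameter: only the keys of the map are honoured.
$allowed = ['newest' => 'created_at DESC', 'name' => 'name ASC'];
echo orderTermFromRequest('newest', $allowed, 'id ASC'), "\n";
echo orderTermFromRequest('id; 1', $allowed, 'id ASC'), "\n";
```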
Zend Framework 1.12.19
======================

Security Updates
----------------

- **ZF2016-02**: The implementation of `ORDER BY` and `GROUP BY` in `Zend_Db_Select` contained potential SQL injection vulnerabilities, which have been patched.
Zend Framework 1.12.18
======================

- [575: Please Remove YouTube Zend GData Page](zendframework#575)
- [607: PHP7 debug_backtrace BC break](zendframework#607)
- [628: Solve problem with subqueries in SELECT block](zendframework#628)
- [637: List-separator attribute is not being unset for MultiCheckboxes due to a typo.](zendframework#637)
- [641: Wrong regex pattern in Zend_Validate_Iban class](zendframework#641)
- [647: VERSION constant incorrect for 1.12.17 release tag.](zendframework#647)
- [649: ZF2015-09: The Zend_Crypt_MathTest should run on PHP 5.2/5.3](zendframework#649)
- [651: Update Vagrantfile to use Rasmus' php7 box](zendframework#651)
- [655: ZF2015-08 breaks binary data](zendframework#655)
- [656: zf1-extra is missing in release-1.12.17](zendframework#656)
- [670: Fix for 655 issue](zendframework#670)
- [677: Wrong PHPDoc in Zend_Mail](zendframework#677)
- [679: Non-existing method getRequired() in Zend_Form-Elements docs](zendframework#679)
- [683: Zend_Form_Element_Button::isChecked has wrong documentation](zendframework#683)

SECURITY UPDATES
----------------

- **ZF2016-01**: A number of classes, including `Zend_Filter_Encrypt`, `Zend_Form_Element_Hash`, `Zend_Gdata_HttpClient`, `Zend_Ldap_Attribute`, and `Zend_OpenId`, were using randomization methods with insufficient entropy. They have been updated to each use `Zend_Crypt_Math`, and the latter was updated to use PHP 7's `random_bytes()` and `random_int()` where feasible.
Zend Framework 1.12.17
======================

- [zendframework#638](zendframework#638) Fixes null byte tests in `Zend_Db_Adapter_Pdo`
- [zendframework#632](zendframework#632) Updates the TLD list for `Zend_Validate_Hostname` to version 2015102801.

SECURITY UPDATES
----------------

- **ZF2015-09**: `Zend_Captcha_Word` generates a "word" for a CAPTCHA challenge by selecting a sequence of random letters from a character set. Prior to this version, the selection was performed using PHP's internal `array_rand()` function. This function does not generate sufficient entropy because it uses `rand()` instead of a cryptographically secure method such as `openssl_random_pseudo_bytes()`. This could potentially lead to information disclosure should an attacker be able to brute-force the random number generation. This release updates `Zend_Crypt_Math` to provide a cryptographically secure RNG, and updates `Zend_Captcha_Word` to use these new facilities.