Good question. We will not be incrementing the release number. This might cause 
confusion for 2 reasons: no release was actually built and offered on the site, 
and it would blur our policy of leaving old releases branches completely 
behind. Obviously we’re making an exception for security patches on the second 
point, although as a community we should really be putting the effort into 
testing BC so that few people will have to take advantage of this update 
method. So, for these reasons, we’d prefer to use the patch convention: 
1.7.7-p1, for example.
Matthew will be creating a p2 tag later today, and may create a p1 tag next 
week (there shouldn’t be anyone who should need this tag at this point + it is 
complicated by the commit order of the backports).
As always, thanks for the feedback!
,Wil
From: Bradley Holt [mailto:[email protected]] 
Sent: Friday, March 20, 2009 12:22 PM
To: Wil Sinclair
Cc: [email protected]
Subject: Re: [fw-general] SECURITY ADVISORY
Wil,

We have one project that is running on a client's RHEL server and are using ZF 
1.6.2 due to compatibility issues. I see that these fixes have been backported 
to the release-1.6 branch but no new tag was created (the last tag in 1.6 is 
1.6.2 last updated on 10/12/2008). Wouldn't it be appropriate to create a new 
1.6.3 tag with this backported fix? If not, I can simply switch my 
svn:externals to use the branch instead of a tag but it just seems more 
appropriate for me to use tags instead of branches in my svn:externals.

Thanks,
Bradley

On Thu, Mar 19, 2009 at 4:56 PM, Wil Sinclair <[email protected]> wrote:

The Zend Framework team was recently notified of an XSS attack vector in its 
Zend_Filter_StripTags class. Zend_Filter_StripTags offers the ability to strip 
HTML tags from text, but also to selectively choose which tags and specific 
attributes of those tags to keep.
The XSS attack vector was due to a bug in matching HTML tag attributes to 
retain. If whitespace was introduced surrounding the attribute assignment 
operator or the value included newline characters, the attribute would always 
be included in the final output, even if it was not marked to retain.
A security fix has been created and released with Zend Framework 1.7.7.
Additionally, the fix has been back-ported to the 1.6, 1.5, and 1.0 release 
branches.
The Zend Framework team strongly recommends upgrading to version 1.7.7. If you 
cannot upgrade at this time, we recommend exporting from the release branch 
matching the minor release you are currently using, or downloading the file 
listed below and pushing it into your Zend Framework installation.

http://framework.zend.com/svn/framework/standard/branches/release-1.7/library/Zend/Filter/StripTags.php

Thank you.
,Wil
-- 
Bradley Holt
[email protected]
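The failure mode the advisory describes (a whitelist filter that only recognises attributes written exactly as `name="value"`, so anything it cannot parse is passed through untouched) is easy to reproduce in a few lines. The example below is added here for illustration; it is not Zend_Filter_StripTags or any other Zend Framework code, it is written in Python rather than PHP, and the function names `filter_fragile` and `filter_robust`, the `ALLOWED` whitelist and the `SAMPLE_*` inputs are all constructed for this demonstration. `filter_fragile` shows the pattern that goes wrong: it removes only the attributes its regex can match and leaves the remainder of the tag as-is. `filter_robust` takes the fail-closed approach: it parses attributes tolerantly (whitespace around `=`, newlines inside quoted values, single, double or unquoted values) and rebuilds the tag from nothing but the whitelisted attributes, so an attribute that could not be matched is dropped rather than kept.

```python
import re
from html import escape

# Constructed sample inputs (not from the advisory).
SAMPLE_CLEAN = '<a href="http://example.com">link</a>'
# Whitespace around the assignment operator.
SAMPLE_SPACED = '<a href = "http://example.com" onclick = "alert(1)">link</a>'
# Newline inside an attribute value.
SAMPLE_NEWLINE = '<a href="http://example.com" onmouseover="x\nalert(1)">link</a>'

# Hypothetical whitelist: tag name -> set of attribute names to retain.
ALLOWED = {"a": {"href"}, "b": set()}

# Matches one tag: optional '/', tag name, raw attribute text up to '>'.
# (A literal '>' inside a quoted value would end the tag early; that is a
# limitation of this toy tokenizer, not part of the point being shown.)
TAG_RE = re.compile(r"<\s*(/?)\s*([A-Za-z][A-Za-z0-9]*)([^>]*)>")

# Fragile attribute matcher: insists on name="value" with no whitespace
# around '=' and no newline in the value, so it silently fails to match
# `onclick = "..."` or a value containing "\n".
ATTR_RE_FRAGILE = re.compile(r'([A-Za-z][A-Za-z0-9-]*)="([^"\n]*)"')

# Tolerant attribute matcher: whitespace around '=', newlines inside quoted
# values, and double-quoted, single-quoted or unquoted values.
ATTR_RE_ROBUST = re.compile(
    r"""([A-Za-z][A-Za-z0-9:-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))"""
)


def filter_fragile(html: str, allowed: dict) -> str:
    """Remove non-whitelisted tags; strip only attributes the regex recognises."""

    def fix_tag(m):
        closing, name, attrs = m.group(1), m.group(2).lower(), m.group(3)
        if name not in allowed:
            return ""
        if closing:
            return f"</{name}>"
        keep = allowed[name]
        # Substitutes away recognised, non-whitelisted attributes only.
        # Whatever the regex could not parse is left in the tag verbatim.
        cleaned = ATTR_RE_FRAGILE.sub(
            lambda a: a.group(0) if a.group(1).lower() in keep else "", attrs
        ).strip()
        return f"<{name} {cleaned}>" if cleaned else f"<{name}>"

    return TAG_RE.sub(fix_tag, html)


def filter_robust(html: str, allowed: dict) -> str:
    """Remove non-whitelisted tags; rebuild kept tags from whitelisted attributes only."""

    def fix_tag(m):
        closing, name, attrs = m.group(1), m.group(2).lower(), m.group(3)
        if name not in allowed:
            return ""
        if closing:
            return f"</{name}>"
        keep = allowed[name]
        parts = []
        for a in ATTR_RE_ROBUST.finditer(attrs):
            attr = a.group(1).lower()
            if attr not in keep:
                continue
            # Exactly one of the three value groups matched.
            value = next(v for v in a.groups()[1:] if v is not None)
            # Re-quote and escape so the rebuilt tag cannot be broken out of.
            parts.append(f'{attr}="{escape(value, quote=True)}"')
        # Nothing from the original attribute text survives except what was
        # parsed and whitelisted; unparseable input is dropped, not kept.
        return "<" + name + (" " + " ".join(parts) if parts else "") + ">"

    return TAG_RE.sub(fix_tag, html)


if __name__ == "__main__":
    for sample in (SAMPLE_CLEAN, SAMPLE_SPACED, SAMPLE_NEWLINE):
        print("fragile:", repr(filter_fragile(sample, ALLOWED)))
        print("robust: ", repr(filter_robust(sample, ALLOWED)))
```

Running it shows `filter_fragile` passing `onclick` and `onmouseover` through on the second and third samples while `filter_robust` reduces all three to `<a href="http://example.com">link</a>`. The design point is the direction of the default: a whitelist filter should construct its output from what it positively recognised, never from the input minus what it managed to reject. Validating the scheme of a retained `href` is a separate concern and is deliberately not covered here.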