The Zend Framework team announces the immediate availability of Zend
Framework’s 1.11.12 release, the twelfth maintenance release in the 1.11
series.

This release includes an important security fix for Zend_XmlRpc; if you
are using Zend_XmlRpc, we strongly urge you to upgrade immediately. More
information is included below, under the heading "Security Announcement."

1.11.12 includes almost 80 bug fixes and may be downloaded from the Zend
Framework site:

http://framework.zend.com/download/latest

For a full list of resolved issues, you can visit the changelog:

http://framework.zend.com/changelog/1.11.12

I’d like to thank everyone who contributed code to this release, including those
who submitted patches, translated documentation, or reported issues. In
particular, Adam Lundrigan and Frank Brückner have contributed a huge
number of fixes and improvements.

Security Announcement
---------------------
Zend_XmlRpc is vulnerable to XML eXternal Entity (XXE) Injection
attacks. The SimpleXMLElement class (SimpleXML PHP extension) is used in
an insecure way to parse XML data. External entities can be specified by
adding a specific DOCTYPE element to XML-RPC requests. By exploiting
this vulnerability an application may be coerced to open arbitrary files
and/or TCP connections.

The Request and Response implementations in Zend_XmlRpc were patched to
ensure libxml_disable_entity_loader() is invoked prior to instantiating
any SimpleXML objects. This stops libxml from resolving external
entities while the XML-RPC payload is parsed, and thus removes the
attack vector.
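As an added example (not the Zend Framework patch itself), the PHP helper below applies the mitigation the announcement describes, calling libxml_disable_entity_loader() before SimpleXML sees the input, and layers on two defence-in-depth measures the announcement does not mention: it refuses any payload carrying a DOCTYPE, since XML-RPC never needs a DTD, and it passes LIBXML_NONET so the parser cannot open network connections. The function name, the two sample payloads and the placeholder entity URI are constructed for this example. Because libxml_disable_entity_loader() is deprecated as of PHP 8.0, where external entity loading is already off by default, the call is guarded by a version check and the previous setting is restored afterwards.

```php
<?php
// Added example, not code from the Zend Framework release. The function
// name, sample payloads and placeholder entity URI are constructed here.

/**
 * Parse an XML-RPC request or response body into a SimpleXMLElement
 * without ever resolving external entities.
 *
 * @throws InvalidArgumentException if the body carries a DOCTYPE or is not well-formed
 */
function parseXmlRpcBody(string $xml): SimpleXMLElement
{
    // Defence in depth (beyond the announced fix): XML-RPC payloads never
    // need a DTD, so refuse any DOCTYPE before libxml parses the input.
    // XML requires the keyword in upper case; matching case-insensitively
    // is simply stricter.
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        throw new InvalidArgumentException('DOCTYPE declarations are not accepted in XML-RPC payloads');
    }

    // The announced mitigation: keep the external entity loader disabled
    // while SimpleXML parses. libxml_disable_entity_loader() is deprecated
    // as of PHP 8.0 (external loading is off by default there), so call it
    // only on older interpreters and restore the previous value afterwards.
    $previousLoader = null;
    if (PHP_VERSION_ID < 80000) {
        $previousLoader = libxml_disable_entity_loader(true);
    }
    // Collect parser errors instead of emitting warnings.
    $previousErrors = libxml_use_internal_errors(true);

    try {
        // LIBXML_NONET forbids network access during parsing. LIBXML_NOENT
        // is deliberately absent, so entity references are never substituted.
        $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
        if ($doc === false) {
            $messages = array();
            foreach (libxml_get_errors() as $error) {
                $messages[] = trim($error->message);
            }
            throw new InvalidArgumentException('Malformed XML-RPC payload: ' . implode('; ', $messages));
        }
        return $doc;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previousErrors);
        if ($previousLoader !== null) {
            libxml_disable_entity_loader($previousLoader);
        }
    }
}

// Constructed sample: an ordinary XML-RPC call, which parses normally.
$benign = '<?xml version="1.0"?>'
    . '<methodCall><methodName>system.listMethods</methodName><params/></methodCall>';
$call = parseXmlRpcBody($benign);
echo "methodName: ", (string) $call->methodName, "\n";

// Constructed sample: the same call prefixed with a DOCTYPE that declares an
// external entity (the URI is a placeholder). It is rejected before parsing.
$withDoctype = '<?xml version="1.0"?>'
    . '<!DOCTYPE methodCall [<!ENTITY ext SYSTEM "file:///placeholder/not-a-real-path">]>'
    . '<methodCall><methodName>&ext;</methodName></methodCall>';
try {
    parseXmlRpcBody($withDoctype);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The try/finally block matters in long-running or shared processes: libxml_disable_entity_loader() and libxml_use_internal_errors() change process-wide libxml state, so a helper that flips them and then throws without restoring them silently changes the behaviour of every other XML consumer in the same request.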
This patch has been applied starting in versions 1.11.12 and 1.12.0 of
Zend Framework, and has been ported to the upcoming version 2.0.0
development branch (and will be included starting with the 2.0.0beta5
release).

The Zend Framework team thanks the following for working with us to help
protect its users:

* Johannes Greil
* Kestutis Gudinavicius

--
Matthew Weier O'Phinney
Project Lead | [email protected]
Zend Framework | http://framework.zend.com/
PGP key: http://framework.zend.com/zf-matthew-pgp-key.asc
--
List: [email protected]
Info: http://framework.zend.com/archives
Unsubscribe: [email protected]