The Zend Framework community is pleased to announce the immediate
availability of three new releases: 2.1.4, 2.0.8, and 1.12.3! Packages
and installation instructions are available at:
http://framework.zend.com/downloads/latest
The ZF2 releases include three security updates, and all ZF versions
also include updates to the Twitter component to follow the Twitter v1.1
API, which is not backwards compatible with previous versions.
Security Fixes
==============
2.1.4 and 2.0.8 contain three security fixes.
Query Route
-----------
We were alerted to the fact that the Query route could override
parameters matched in parent routes, effectively bypassing constraints
defined. In particular, this could result in overriding the controller
or action matched by a given route.
The query route was deprecated, as a replacement exists within the HTTP
router itself. You can pass a "query" option to the assemble method
containing either the query string or an array of key-value pairs:
    $url = $router->assemble(array(
        'name' => 'foo',
    ), array(
        'query' => array(
            'page' => 3,
            'sort' => 'DESC',
        ),
        // or: 'query' => 'page=3&sort=DESC'
    ));

    // via URL helper/plugin:
    $rendererOrController->url('foo', array(), array('query' => $request->getQuery()));
Additionally, the merging of query parameters into the route match was
removed entirely. Please use the query container of the request object
instead.
For more information on the security vector, please see ZF2013-01:
http://framework.zend.com/security/advisory/ZF2013-01
Random Number Generation
------------------------
The Zend\Math\Rand component generates random bytes using the OpenSSL or
Mcrypt extensions when available but will otherwise use PHP's mt_rand()
function as a fallback. All outputs from mt_rand() are predictable for
the same PHP process if an attacker can brute force the seed - which can
be done if the attacker has access to a random number generated by
mt_rand() or the session ID (if generated without using additional
entropy).
Zend Framework has revised the Zend\Math\Rand component, replacing the
mt_rand() fallback used when OpenSSL/Mcrypt are unavailable with Anthony
Ferrara's RandomLib, and incorporating an additional entropy source based
on source code published by George Argyros. The new fallback collects
entropy from numerous sources other than PHP's internal seed mechanism and
extracts random bytes from the resulting mixed entropy pool.
For more information on this security vector, please see ZF2013-02:
http://framework.zend.com/security/advisory/ZF2013-02
Database Platform Quoting
-------------------------
Zend\Db was altered to raise notices when the following methods are used
insecurely:
- Zend\Db\Adapter\Platform\*::quoteValue*()
- Zend\Db\Sql\*::getSqlString*()
Zend\Db Platform objects were fixed to use driver-level quoting when a
driver is provided, and to raise E_USER_NOTICE when none is. A
quoteTrustedValue() API was added for notice-free value quoting. All
userland quoting in Platform objects was fixed to handle a wider array of
escapable characters.
For more information on this security vector, please see ZF2013-03:
http://framework.zend.com/security/advisory/ZF2013-03
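As an added example (not code from the release notes or from Zend\Db itself), the following contrasts parameter binding, driver-backed quoteValue() and quoteTrustedValue() on the same untrusted input. It assumes ZF 2.1.4 installed via Composer and the pdo_sqlite extension; the table, row and input string are constructed for the example.

```php
<?php
// Added example, not code from the announcement or from Zend\Db.
// Assumes ZF 2.1.4's Zend\Db autoloaded via Composer and pdo_sqlite;
// the table, the row and the input string below are constructed.
use Zend\Db\Adapter\Adapter;
use Zend\Db\Sql\Sql;

require 'vendor/autoload.php';

$adapter = new Adapter(array(
    'driver'   => 'Pdo_Sqlite',
    'database' => ':memory:',
));
$adapter->query('CREATE TABLE users (id INTEGER, name TEXT)', Adapter::QUERY_MODE_EXECUTE);
$adapter->query("INSERT INTO users VALUES (1, 'alice')", Adapter::QUERY_MODE_EXECUTE);

// Untrusted input (constructed): contains a quote that would break out of a
// hand-built string literal.
$name = "alice' OR '1'='1";

// Preferred: bind the value as a parameter. No userland quoting happens, so
// neither quoteValue() nor its E_USER_NOTICE is involved, and the whole
// string is compared literally against the name column.
$sql    = new Sql($adapter);
$select = $sql->select('users')->where(array('name' => $name));
$rows   = $sql->prepareStatementForSqlObject($select)->execute();
$matches = 0;
foreach ($rows as $row) {
    $matches++;
}
echo "rows matched: $matches\n";

// If a quoted literal is unavoidable, take the platform from the adapter so
// it carries the driver and quoteValue() delegates to the driver (PDO::quote
// here). A platform constructed without a driver falls back to userland
// escaping and raises E_USER_NOTICE from quoteValue().
$platform = $adapter->getPlatform();
$literal  = $platform->quoteValue($name);
echo "driver-quoted: $literal\n";

// quoteTrustedValue() is notice-free and meant only for values the
// application already controls (here a constant), never for request data.
$statusSql = 'SELECT id FROM users WHERE status = '
           . $platform->quoteTrustedValue('active');
echo "$statusSql\n";
```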
Twitter API Updates
===================
Twitter has begun sunsetting its v1.0 API, and has introduced rolling
blackouts in order to prompt developers to move to the v1.1 API.
Unfortunately, v1.1 is not backwards compatible with v1.0, so a number
of backwards-breaking changes needed to be made.
Version 2.1.0 of ZendService_Twitter and version 1.12.3 of Zend
Framework have been released with support for v1.1 of the Twitter API. A
number of service endpoints were removed, and others moved to new
namespaces. As such, if you use the component, you are urged to upgrade,
and we encourage you to read the documentation to see what methods are
now available, and how to use OAuth access tokens with the service.
Polyfill Support Fixes
======================
Polyfills (version-specific class replacements) have caused some issues
in the 2.1 series for users of Zend\Stdlib and Zend\Session. In
particular, users who were not using Composer were unaware/uncertain
about what extra files needed to be included to load polyfills, and
those users who were generating classmaps were running into issues since
the same class was being generated twice.
New polyfill support was created which does the following:
- New, uniquely named classes were created for each polyfill base.
- A stub class file was created for each class needing polyfill support.
A conditional is present in each that uses class_alias to alias the
appropriate polyfill base as an import. The stub class then extends
the base.
- The compatibility/autoload.php file in each component affected was
altered to trigger an E_USER_DEPRECATED error asking the user to
remove the require statement for the file.
The functionality works with both Composer and ZF2's autoloading
support, using either PSR-0 or classmaps. All typehinting is preserved.
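The stub-and-alias mechanism described above, as an added example that is not one of ZF2's own stub files: the namespace, class names and version threshold are constructed to mirror the pattern (uniquely named bases, one class_alias, a stub that extends the alias).

```php
<?php
// Added example, not ZF2's own code: constructed names illustrating the
// polyfill stub pattern described in the release notes.
namespace Example\Stdlib;

// Two uniquely named polyfill bases. In ZF2 each lives in its own file and
// is only ever referenced through the alias below, so a classmap generator
// sees two distinct class names rather than one class defined twice.
class ArrayObjectLegacyBase extends \ArrayObject
{
    public function implementation() { return 'legacy'; }
}

class ArrayObjectModernBase extends \ArrayObject
{
    public function implementation() { return 'modern'; }
}

// Stub: pick the base for the running PHP and alias it under one stable
// name. The alias stands in for an import, so no downstream code hard-codes
// the real base class name. The version threshold is illustrative.
if (version_compare(PHP_VERSION, '5.3.4', '<')) {
    class_alias(__NAMESPACE__ . '\ArrayObjectLegacyBase', __NAMESPACE__ . '\AbstractArrayObject');
} else {
    class_alias(__NAMESPACE__ . '\ArrayObjectModernBase', __NAMESPACE__ . '\AbstractArrayObject');
}

// The public class extends the alias. Its parent is only known at run time,
// so PHP binds this declaration when execution reaches it, after the
// class_alias() call above has run.
class ArrayObject extends AbstractArrayObject
{
}

// Type hints on the public class keep working whichever base is live.
function describe(ArrayObject $collection)
{
    return get_class($collection) . ' via ' . $collection->implementation();
}

echo describe(new ArrayObject(array(1, 2, 3))), PHP_EOL;
```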
Changelog
=========
Below are links to the changelogs for each version.
http://framework.zend.com/changelog/2.1.4
http://framework.zend.com/changelog/2.0.8
http://framework.zend.com/changelog/1.12.3
Thank You!
==========
I'd like to thank our many contributors to this release. In particular,
Pádraic Brady and Enrico Zimuel for researching and implementing the
Random Number Generator vulnerability and fixes; Ben Scholzen for
implementing fixes for the Query route; Ralph Schindler, for his fixes
for the database platform quoting vulnerabilities; and Mike Willbanks,
for continuing to work on solutions for session storage and timing
issues.
Roadmap
=======
Maintenance releases happen monthly on the third Wednesday; expect
version 2.1.5 to drop 17 April 2013. We're also gearing up for version
2.2.0, which we are targeting at the end of April 2013/early May.
--
Matthew Weier O'Phinney
Project Lead | [email protected]
Zend Framework | http://framework.zend.com/
PGP key: http://framework.zend.com/zf-matthew-pgp-key.asc