The Zend Framework team announces the immediate availability of Zend Framework
1.11.6, our sixth maintenance release in the 1.11 series, and a simultaneous
release of 1.10.9, a security fix release.

1.11.6 includes more than 60 bug fixes and may be downloaded from the
Zend Framework site.

For a full list of resolved issues, you can visit the changelog:

1.10.9 includes one security fix, and may be downloaded from our
Zend Framework release archives.

The security fix included in both 1.11.6 and 1.10.9 is a patch to the
MySQL PDO adapter to pass the requested character set as part of the PDO DSN in
PHP versions 5.3.6 and above. This addresses a potential SQL injection
vulnerability when using non-ASCII-compatible character sets; for more
information, please read the security advisory
in detail. We’d like to thank Anthony Ferrara for alerting us to the issue and

An additional fix was made in 1.11.6 to
circumstances where input utilizes a different character set than that passed to
htmlentities() function, the function will return an empty string if it
encounters characters not understood by the specified character set. As an
    $filtered = htmlentities($input, null, 'UTF-8');
will result in an empty string if $input contains Latin-1 characters not
understood by UTF-8 (as an example, a Latin-1 em dash character). This can lead
to conditions where previously valid input is no longer valid (e.g., if it
passed a StringLength filter previously). We are not creating a security advisory for
this as there is no general vulnerability; nevertheless, we patched 1.11.6 to
address the issue (by casting to the filter’s encoding using
htmlentities() returns an empty string). We’d like to thank Kevin MacArthur
for alerting us to the issue and assisting us in patching it.
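
The empty-string behavior described above, as an added example (not Zend Framework's own code): a wrapper that treats an empty htmlentities() result on non-empty input as an encoding mismatch, converts and retries once, and otherwise fails closed. The function name, the use of iconv(), and the assumed ISO-8859-1 source encoding are assumptions made for illustration.

```php
<?php
// Added example, not Zend Framework code. The function name and the assumed
// source encoding are hypothetical choices for illustration.

/**
 * Escape $input for HTML output, treating an empty result from
 * htmlentities() on non-empty input as an encoding mismatch.
 */
function escape_html_checked($input, $encoding = 'UTF-8', $assumedSource = 'ISO-8859-1')
{
    $input = (string) $input;

    // ENT_QUOTES is passed explicitly, without ENT_IGNORE or ENT_SUBSTITUTE,
    // so an invalid byte sequence yields an empty string.
    $filtered = htmlentities($input, ENT_QUOTES, $encoding);

    // Non-empty input with empty output: htmlentities() rejected a byte
    // sequence that is not valid in $encoding.
    if ($input !== '' && $filtered === '') {
        // Assumption: mismatched input is encoded in $assumedSource.
        $converted = iconv($assumedSource, $encoding, $input);
        if ($converted !== false) {
            $filtered = htmlentities($converted, ENT_QUOTES, $encoding);
        }
        // Fail closed instead of handing an empty string to later
        // validators or to the output layer.
        if ($filtered === '') {
            throw new RuntimeException(
                'Encoding mismatch: htmlentities() returned an empty string'
            );
        }
    }

    return $filtered;
}

// Constructed sample: "café <b>" with é as the single Latin-1 byte 0xE9,
// which is not a valid UTF-8 sequence on its own.
$latin1 = "caf\xE9 <b>";

var_dump(htmlentities($latin1, ENT_QUOTES, 'UTF-8')); // unchecked call
var_dump(escape_html_checked($latin1));               // checked call
```

Running the length or content validators on the converted value, not on the raw input, keeps validation and output escaping in agreement about what the string contains.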

A number of website improvements have been made for this release. First, as
reported with our previous 1.11.5 release, we are now using
DocBlox for rendering our API documentation.
Mike van Riel has been busy incorporating feedback
this past month, and this should be reflected in the API documentation for the

Second, Hector Virgen submitted some CSS and
navigation enhancements for the Zend Framework online manual, and these are now
incorporated into the site.

Finally, I’d like to thank everyone who contributed to this past month’s Bug
Hunt Days. We had tremendous success this month, and actually patched more than
60 issues — and resolved more than 80! Keep up the great work, everyone!