Zend Framework 1.11.12 Released!

June 25, 2012

News, Zend Framework

The Zend Framework team announces the immediate availability of Zend Framework’s 1.11.12 release, the twelfth maintenance release in the 1.11 series.

This release includes an important security fix for Zend_XmlRpc; if you are using Zend_XmlRpc, we strongly urge you to upgrade immediately. More information is included below, under the heading “Security Announcement.”

1.11.12 includes almost 80 bug fixes and may be downloaded from the Zend Framework site:

For a full list of resolved issues, you can visit the changelog:

I’d like to thank everyone who contributed code to this release, including those who submitted patches, translated documentation, or reported issues. In particular, Adam Lundrigan and Frank Brückner have contributed a huge number of fixes and improvements.

Security Announcement

Zend_XmlRpc is vulnerable to XML eXternal Entity (XXE) Injection attacks. The SimpleXMLElement class (from the SimpleXML PHP extension) is used in an insecure way to parse XML data. External entities can be specified by adding a specific DOCTYPE element to XML-RPC requests. By exploiting this vulnerability, an attacker may coerce an application into opening arbitrary files and/or TCP connections.

The Request and Response implementations in Zend_XmlRpc were patched to ensure libxml_disable_entity_loader() is invoked prior to instantiating any SimpleXML objects. This disables XXE parsing, and thus disables the attack vector.

This patch has been applied starting in versions 1.11.12 and 1.12.0 of Zend Framework, and has been ported to the upcoming version 2.0.0 development branch (and will be included starting with the 2.0.0beta5 release).
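The following is an added example, not Zend Framework's own code. It mirrors the mitigation described above (disable libxml's external entity loader before any SimpleXMLElement is created, and restore the previous setting afterwards) and adds a defence-in-depth check that rejects any XML-RPC payload carrying a DOCTYPE or ENTITY declaration, since XML-RPC never legitimately needs one. The function name and the two sample payloads are constructed for this example; it assumes PHP 7 or later.

```php
<?php
// Added example (not Zend_XmlRpc code): parse an XML-RPC body with XXE defences.

function parseXmlRpcSafely(string $body): SimpleXMLElement
{
    // Pre-parse check: no DOCTYPE or ENTITY declaration belongs in XML-RPC,
    // so refuse such documents before libxml ever sees them.
    if (stripos($body, '<!DOCTYPE') !== false || stripos($body, '<!ENTITY') !== false) {
        throw new InvalidArgumentException('DOCTYPE/ENTITY declarations are not allowed');
    }

    // The mitigation applied in 1.11.12: stop libxml from resolving external
    // entities. Remember the previous state so a shared process is not left
    // with a setting it did not ask for. (PHP 8.0+ disables the loader by
    // default and deprecates this call; LIBXML_NONET below still applies.)
    $previousLoader = libxml_disable_entity_loader(true);
    $previousErrors = libxml_use_internal_errors(true);
    try {
        // LIBXML_NONET additionally forbids any network access while parsing.
        return new SimpleXMLElement($body, LIBXML_NONET);
    } catch (Exception $e) {
        throw new InvalidArgumentException('Malformed XML-RPC payload: ' . $e->getMessage());
    } finally {
        libxml_disable_entity_loader($previousLoader);
        libxml_use_internal_errors($previousErrors);
    }
}

// Constructed sample: an ordinary XML-RPC call parses normally.
$benign = '<?xml version="1.0"?><methodCall><methodName>status.ping</methodName>'
        . '<params><param><value><string>hello</string></value></param></params></methodCall>';
$call = parseXmlRpcSafely($benign);
echo 'method: ' . $call->methodName . PHP_EOL;

// Constructed sample: the same call carrying a DOCTYPE that points at an
// external DTD (placeholder URI). It is refused before parsing begins.
$withDoctype = '<?xml version="1.0"?>'
             . '<!DOCTYPE methodCall SYSTEM "http://example.invalid/PLACEHOLDER.dtd">'
             . '<methodCall><methodName>status.ping</methodName></methodCall>';
try {
    parseXmlRpcSafely($withDoctype);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . PHP_EOL;
}
```

The DOCTYPE check is the part a detection rule or request filter can also apply at the edge, independent of which parser sits behind it.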

The Zend Framework team thanks the following for working with us to help protect its users:

  • Johannes Greil
  • Kestutis Gudinavicius

About Matthew Weier O'Phinney

Matthew is an open source software architect, specializing in PHP. He is currently project lead for Zend Framework, a project with which he has been involved since before the first public preview release. He is a Zend Certified Engineer, and a member of the Zend Education Advisory Board, the group responsible for authoring the Zend Certification Exam. He contributes to a number of open source projects, blogs on PHP-related topics, and presents talks and tutorials related to PHP development and the projects to which he contributes. You can read more of his thoughts on his blog, weierophinney.net/matthew/.


3 Responses to “Zend Framework 1.11.12 Released!”

  1. Brian Says:

    The link to the changelog takes you to the changelog for 1.11.11 even though the URL is http://framework.zend.com/changelog/1.11.12

Trackbacks/Pingbacks

  1. Hey, All your SimpleXML powered sites belong to us. - July 10, 2012

    [...] http://devzone.zend.com/2397/zend-framework-1-11-12-released/ [...]

  2. Zend Framework 1.11.12 Released - Zend Framework Forum - ZF1 / ZF2 - June 26, 2012

    [...] Zend Framework 1.11.12 Released Matthew Weier O'Phinney has announced the new version 1.11.12, as there were several security-related fixes in the "Zend_XmlRpc" component. Anyone using this component in their application is strongly advised to update. DevZone [...]
