The Zend Framework team announces the immediate availability of three versions of Zend Framework: 1.9.7, 1.8.5, and 1.7.9. In addition to over 40 bugfixes between them, these three releases are the first releases following the announcement of our new security policy, and they resolve six security vulnerabilities reported against Zend Framework in recent weeks. We highly recommend upgrading to the latest version of Zend Framework.
You may download it from the Zend Framework site.
During the month of December, one of our contributors, Pádraic Brady, performed a preliminary security audit of the framework, and worked with the Zend Framework team to confirm the reports as well as resolve them.
The following security vulnerabilities are resolved in these releases:
- ZF2010-06: Potential XSS or HTML Injection vector in Zend_Json
- ZF2010-05: Potential XSS vector in Zend_Service_ReCaptcha_MailHide
- ZF2010-04: Potential MIME-type Injection in Zend_File_Transfer
- ZF2010-03: Potential XSS vector in Zend_Filter_StripTags when comments allowed
- ZF2010-02: Potential XSS vector in Zend_Dojo_View_Helper_Editor
- ZF2010-01: Potential XSS vectors due to inconsistent encodings
For a full list of resolved non-security issues, see the changelog for each release:
This will be the last scheduled release in the 1.9 series. We released an alpha of 1.10.0 in mid-December, and plan a beta release this week, with the final release later in the month; stay tuned for developments on that front in the coming weeks.
I'd like to thank everyone who contributed code to this release, including those who submitted patches, translated documentation, or reported issues.