Zend Framework 1.12.10, 2.2.9, and 2.3.4 released!

The Zend Framework community is pleased to announce the immediate availability of:

  • Zend Framework 1.12.0
  • Zend Framework 2.2.9
  • Zend Framework 2.3.4

All releases are available at:

Versions 2.2.9 and 2.3.4 also include security fixes, and we strongly encourage users of the 2.2 and 2.3 series to upgrade.


Zend Framework 1.12 is in maintenance mode, but that has not slowed activity on the repository; this release features almost 40 bugfixes!  Among other changes, contributors have also provided improvements for our build process, including the removal of tests and documentation when adding ZF1 to your project via Composer.

For the full list of changes, visit the 1.12.10 changelog.

We want to thank the efforts of Rob Allen and Frank Brückner in particular for shepherding contributions and acting as release managers.

2.2.9 and 2.3.4

As noted, these versions contain security fixes. The security vulnerability in question is ZF2015-01; essentially, prior to the patches, Zend\Session’s validators were not properly persisting their metadata, which meant that any subsequent access of the session regenerated the metadata and considered the session valid regardless of conditions.

If you are using Zend\Session’s validators, we recommend you upgrade immediately.

In addition to the security fixes, 2.3.4 was also a scheduled maintenance release, and contains over 200 patches, ranging from coding standards fixes to the security fixes already listed. For the full list of changes, visit the 2.3.4 changelog.

We would like to thank Marco Pivetta for his tireless efforts made in triaging and merging pull requests for the 2.3.4 release; his efforts have been invaluable.