Zend Framework 1.12.14, 2.4.6, and 2.5.2 Released!

The Zend Framework community is pleased to announce the immediate availability

  • Zend Framework 1.12.14
  • Zend Framework 2.4.6
  • Zend Framework 2.5.2

You can download the releases from the Zend Framework site:

These releases contain a critical security fix.

Security Fix

Zend Framework versions 1.12.14, and 2.4.6, and 2.5.2 introduced fixes for
ZF2015-06, a serious vulnerability
in ZendXml when used under PHP-FPM to process multibyte XML
documents. The advisory provides full details; if you process XML in your
application and will be deploying or already deploy using PHP-FPM, we recommend
upgrading immediately.

Other changes

Zend Framework 1.12.14 has two other changes that may impact users:

  • Zend_Service_DeveloperGarden was removed, as the service closed its API on 30
    June 2015.
  • Zend_Service_Technorati was removed, as the API has been unavailable for an
    indeterminate amount of time.

Both Zend Framework 2.4.6 and 2.5.2 also incorporate a change in Zend\InputFilter;
fixes done in the 2.4/2.5 series removed support for fallback values when performing validation;
that support has been reinstated with the latest releases.


For the full changelog on each version:

Long Term Support

As a reminder, the 2.4 series is our current Long Term Support release, and will
receive security and critical bug fixes until 31 March 2018.

You can opt-in to the LTS version by pinning your zendframework/zendframework
Composer requirement to the version ~2.4.0.

Visit our Long Term Support information page for more information.