Zend Framework 2.1.4, 2.0.8, and 1.12.3 Released!
The Zend Framework community is pleased to announce the immediate availability of three new releases: 2.1.4, 2.0.8, and 1.12.3! Packages and installation instructions are available at:
The ZF2 releases include three security updates, and all ZF versions also include updates to the Twitter component to follow the Twitter v1.1 API, which is not backwards compatible with previous versions.
2.1.4 and 2.0.8 contain three security fixes.
We were alerted to the fact that the Query route could override parameters matched in parent routes, effectively bypassing constraints defined. In particular, this could result in overriding the controller or action matched by a given route.
The query route was deprecated, as a replacement exists within the HTTP router itself. You can pass a "query" option to the assemble method containing either the query string or an array of key-value pairs:
```php
$url = $router->assemble(array(), array(
    'name'  => 'foo',
    'query' => array(
        'page' => 3,
        'sort' => 'DESC',
    ),
    // or: 'query' => 'page=3&sort=DESC'
));

// via URL helper/plugin:
$rendererOrController->url('foo', array(), array('query' => $request->getQuery()));
```
Additionally, the merging of query parameters into the route match was removed entirely. Please use the query container of the request object instead.
For more information on the security vector, please see ZF2013-01.
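As an added illustration (not code from the release itself), here is a ZF2 router configuration as it looked with the deprecated Query child route, beside the replacement described above; the route name `foo` and the controller class `Application\Controller\Foo` are assumed.

```php
<?php
// Added example, not code from the Zend Framework release. Route name 'foo' and
// the controller class 'Application\Controller\Foo' are assumed.

// BEFORE: a Query child route merges every ?key=value pair into the RouteMatch.
// Because 'controller' and 'action' are ordinary RouteMatch parameters, the query
// string could override the defaults the parent Literal route was meant to pin.
$before = array('router' => array('routes' => array(
    'foo' => array(
        'type'    => 'Literal',
        'options' => array(
            'route'    => '/foo',
            'defaults' => array(
                'controller' => 'Application\Controller\Foo',
                'action'     => 'index',
            ),
        ),
        'may_terminate' => true,
        'child_routes'  => array(
            'query' => array('type' => 'Query'), // deprecated as of 2.1.4 / 2.0.8
        ),
    ),
)));

// AFTER: drop the child route. The RouteMatch now carries only what the Literal
// route itself set, and the query string lives solely in the request object.
$after = array('router' => array('routes' => array(
    'foo' => array(
        'type'    => 'Literal',
        'options' => array(
            'route'    => '/foo',
            'defaults' => array(
                'controller' => 'Application\Controller\Foo',
                'action'     => 'index',
            ),
        ),
    ),
)));

// Controller side: read query data from the request and validate it there.
//   $page = max(1, (int) $this->params()->fromQuery('page', 1));
//   $sort = $this->params()->fromQuery('sort') === 'DESC' ? 'DESC' : 'ASC';
// View side: build links with the 'query' option instead of a Query route.
//   echo $this->url('foo', array(), array('query' => array('page' => $page, 'sort' => $sort)));
```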
Random Number Generation
The Zend\Math\Rand component generates random bytes using the OpenSSL or Mcrypt extensions when available, but otherwise falls back to PHP's mt_rand() function. All outputs from mt_rand() are predictable for the same PHP process if an attacker can brute-force the seed, which is possible if the attacker has access to a random number generated by mt_rand() or to the session ID (if generated without additional entropy). The Zend Framework team has revised the Zend\Math\Rand component to replace the mt_rand() fallback for OpenSSL/Mcrypt with Anthony Ferrara's RandomLib, incorporating an additional entropy source based on source code published by George Argyros. The new fallback collects entropy from numerous sources other than PHP's internal seed mechanism and extracts random bytes from the resulting mixed entropy pool.
For more information on this security vector, please see ZF2013-02.
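The two halves of the issue in plain PHP, as an added example that is not Zend Framework code: why a seed-determined generator is unfit for security-sensitive values, and a fallback policy that refuses to degrade to mt_rand(). Function names are hypothetical and no Zend classes are used.

```php
<?php
// Added example, not Zend Framework code. Function names are hypothetical.

// (a) Why the old fallback mattered: mt_rand() is fully determined by its seed,
// so anyone who learns the seed can reproduce every value the process emits.
function mtSequence($seed, $count)
{
    mt_srand($seed);
    $values = array();
    for ($i = 0; $i < $count; $i++) {
        $values[] = mt_rand();
    }
    return $values;
}

// (b) A fallback policy in the spirit of the fix: prefer OS-backed CSPRNG
// sources and throw rather than silently degrade to mt_rand().
function strongRandomBytes($length)
{
    if (function_exists('random_bytes')) {          // PHP 7+: the modern answer
        return random_bytes($length);
    }
    if (function_exists('openssl_random_pseudo_bytes')) {
        $bytes = openssl_random_pseudo_bytes($length, $cryptoStrong);
        // $cryptoStrong is set by reference; false means the bytes are NOT safe
        if ($bytes !== false && $cryptoStrong === true) {
            return $bytes;
        }
    }
    if (function_exists('mcrypt_create_iv')) {       // available on 2013-era PHP
        $bytes = mcrypt_create_iv($length, MCRYPT_DEV_URANDOM);
        if ($bytes !== false && strlen($bytes) === $length) {
            return $bytes;
        }
    }
    throw new RuntimeException('No cryptographically strong random source available');
}

// Same seed, same sequence: this comparison is true every time.
var_dump(mtSequence(20130313, 5) === mtSequence(20130313, 5));

// A 128-bit token suitable for a session identifier or CSRF token.
echo bin2hex(strongRandomBytes(16)), PHP_EOL;
```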
Database Platform Quoting
Zend\Db was updated to throw notices when the affected quoting methods are used insecurely, and Zend\Db Platform objects now use driver-level quoting when a driver is provided, emitting an E_USER_NOTICE when it is not. A quoteTrustedValue() API was added for notice-free value quoting, and all userland quoting in Platform objects was fixed to handle a wider array of escapable characters.
For more information on this security vector, please see ZF2013-03.
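The quoting paths after the fix, as an added example rather than the framework's own code: a driverless Platform (notice), quoteTrustedValue() for application-controlled values, a driver-backed Platform, and the parameterized alternative that avoids quoting user data at all. Connection settings are placeholders, `$userInput` is a constructed value, and Zend\Db 2.1.4 / 2.0.8 with a MySQL PDO driver is assumed.

```php
<?php
// Added example, not code from the Zend Framework release. Connection settings
// are placeholders; $userInput is a constructed untrusted value.
use Zend\Db\Adapter\Adapter;
use Zend\Db\Adapter\Platform\Mysql;
use Zend\Db\Sql\Sql;

$userInput = "O'Reilly";

// 1. A Platform created without a driver cannot see the connection's charset and
//    must fall back to userland escaping. As of 2.1.4 / 2.0.8 that path raises an
//    E_USER_NOTICE: treat it as a defect to fix, not a warning to silence.
$bare   = new Mysql();
$quoted = $bare->quoteValue($userInput);   // works, but emits E_USER_NOTICE

// 2. quoteTrustedValue() is notice-free and meant only for values the application
//    itself controls, such as a sort direction chosen from a whitelist.
$direction = in_array($userInput, array('ASC', 'DESC'), true) ? $userInput : 'ASC';
$trusted   = $bare->quoteTrustedValue($direction);

// 3. The Platform obtained from a connected Adapter carries the driver and quotes
//    through it, so it knows the connection charset and emits no notice.
$adapter = new Adapter(array(
    'driver'   => 'Pdo_Mysql',
    'database' => 'app_db',        // placeholder
    'username' => 'app_user',      // placeholder
    'password' => 'app_password',  // placeholder
));
$safe = $adapter->getPlatform()->quoteValue($userInput);

// 4. Preferable to all of the above: never quote user data by hand; let the SQL
//    abstraction bind it as a statement parameter.
$sql    = new Sql($adapter);
$select = $sql->select('users')->where(array('name' => $userInput));
$stmt   = $sql->prepareStatementForSqlObject($select);
$rows   = $stmt->execute();
```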
Twitter API Updates
Twitter has begun sunsetting its v1.0 API, and has introduced rolling blackouts in order to prompt developers to move to the v1.1 API. Unfortunately, v1.1 is not backwards compatible with v1.0, so a number of backwards-breaking changes need to be made.
Version 2.1.0 of ZendService_Twitter and version 1.12.3 of Zend Framework have been released with support for v1.1 of the Twitter API. A number of service endpoints were removed, and others moved to new namespaces. As such, if you use the component, you are urged to upgrade, and we encourage you to read the documentation to see what methods are now available, and how to use OAuth access tokens with the service.
Polyfill Support Fixes
Polyfills (version-specific class replacements) have caused some issues in
the 2.1 series for users of
Zend\Session. In particular, users who were not using Composer
were unaware/uncertain about what extra files needed to be included to load
polyfills, and those users who were generating classmaps were running into
issues since the same class was being generated twice.
New polyfill support was created which does the following:
- New, uniquely named classes were created for each polyfill base.
- A stub class file was created for each class needing polyfill support. A conditional in each uses class_alias to alias the appropriate polyfill base as an import; the stub class then extends the base.
- The compatibility/autoload.php file in each affected component was altered to trigger an E_USER_DEPRECATED error asking the user to remove the require statement for the file.
The functionality works with both Composer and ZF2's autoloading support, using either PSR-0 or classmaps. All typehinting is preserved.
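The stub-class pattern described above, as an added illustration with hypothetical names (not the framework's own file); the namespace, class names and the PHP version threshold are all assumed.

```php
<?php
// Added illustration, not a Zend Framework file. Namespace, class names and the
// version threshold are hypothetical. Both polyfill bases are real, uniquely named
// classes on disk, so a classmap generator sees each class name exactly once.
namespace Acme\Stdlib;

// Choose the base implementation for the running PHP version and give it the one
// stable name the stub extends. class_alias() runs at request time (autoloading
// the chosen base), before PHP binds the class declaration below, so the parent
// always resolves whether loading is via Composer, PSR-0 or a classmap.
if (version_compare(PHP_VERSION, '5.3.4', 'lt')) {
    class_alias('Acme\Stdlib\Polyfill\LegacyArrayObjectBase', 'Acme\Stdlib\AbstractArrayObject');
} else {
    class_alias('Acme\Stdlib\Polyfill\ReferenceArrayObjectBase', 'Acme\Stdlib\AbstractArrayObject');
}

// The public class keeps its name, so existing typehints on Acme\Stdlib\ArrayObject
// keep working no matter which base was aliased in.
class ArrayObject extends AbstractArrayObject
{
}

// The old compatibility/autoload.php that users used to require now only says:
//   trigger_error('compatibility/autoload.php is no longer needed; remove the require', E_USER_DEPRECATED);
```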
Below are links to the changelogs for each version.
I'd like to thank our main contributors to this release. In particular, Pádraic Brady and Enrico Zimuel for researching the Random Number Generator vulnerability and implementing its fixes; Ben Scholzen for implementing fixes for the Query route; Ralph Schindler, for his fixes for the database platform quoting vulnerabilities; and Mike Willbanks, for continuing to work on solutions for session storage and timing issues.
Maintenance releases happen monthly on the third Wednesday; expect version 2.1.5 to drop 17 April 2013. We're also gearing up for version 2.2.0, which we are targeting at the end of April 2013/early May.