ZF Blog

Zend Framework 1.12.7 Released!

The Zend Framework community is pleased to announce the immediate availability of Zend Framework 1.12.7:

This release contains an important security fix in Zend_Db_Select; we strongly encourage users of this component to upgrade.

Security Fixes

One new security advisory has been issued, and the issue it covers is patched in 1.12.7:

ZF2014-04, which mitigates a potential SQL injection (SQLi) vector in ORDER BY clauses built with Zend_Db_Select. The check that decides whether an ORDER BY argument is a SQL function call (and may therefore be emitted unquoted as an expression) was too loose, so a value such as MD5(1);drop table foo was passed through unfiltered. The detection logic has been tightened to close this vector, and users of this functionality are strongly encouraged to upgrade immediately.

For more information, see the ZF2014-04 advisory; if you use the affected component, please upgrade as soon as possible.
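The following is an added illustration of the ZF2014-04 issue and is not code from Zend Framework. It models, in simplified form, how an ORDER BY spec handed to Zend_Db_Select::order() is rendered: a spec judged to be a SQL function call is emitted verbatim as an expression, anything else is quoted as an identifier. The two regular expressions are my own illustration of a loose and a tightened check, not quotes of the ZF source, quoteIdentifier() only mimics MySQL-style backtick quoting, and the sort value is a constructed attacker input.

```php
<?php
// Added illustration of ZF2014-04; not Zend Framework code. Models how an
// ORDER BY spec is rendered: a spec judged to be a function call is passed
// through verbatim, anything else is quoted as an identifier. Both regexes
// are my illustration of a loose and a tightened check, not the ZF source.

function quoteIdentifier(string $name): string
{
    // Backtick each dot-separated part and double any embedded backtick
    // (MySQL-style quoting, assumed here for the illustration).
    $parts = explode('.', $name);
    foreach ($parts as &$part) {
        $part = '`' . str_replace('`', '``', $part) . '`';
    }
    unset($part);
    return implode('.', $parts);
}

function looksLikeFunctionLoose(string $spec): bool
{
    // Loose check: parentheses anywhere in the spec => treat it as an
    // expression and do not quote it. "MD5(1);drop table foo" passes.
    return (bool) preg_match('/\(.*\)/', $spec);
}

function looksLikeFunctionStrict(string $spec): bool
{
    // Tightened check: the whole spec must be NAME( ... ) with nothing
    // before the name and nothing after the closing parenthesis.
    return (bool) preg_match('/^\w+\(.*\)$/', $spec);
}

function renderOrder(array $specs, callable $isExpression): string
{
    $rendered = [];
    foreach ($specs as $spec) {
        $spec = trim($spec);
        $direction = '';
        // Split off a trailing ASC/DESC before classifying the spec.
        if (preg_match('/^(.*\S)\s+(ASC|DESC)$/i', $spec, $m)) {
            $spec = $m[1];
            $direction = ' ' . strtoupper($m[2]);
        }
        $rendered[] = ($isExpression($spec) ? $spec : quoteIdentifier($spec)) . $direction;
    }
    return 'SELECT * FROM `foo` ORDER BY ' . implode(', ', $rendered);
}

// Constructed attacker-controlled sort value, e.g. taken from ?sort=...
$payload = 'MD5(1);drop table foo';

echo renderOrder([$payload], 'looksLikeFunctionLoose'), PHP_EOL;
echo renderOrder([$payload], 'looksLikeFunctionStrict'), PHP_EOL;

// Defence in depth that does not rely on the framework's heuristic at all:
// map request input through an allow-list of sortable columns and never
// hand the raw string to order(). (Hypothetical helper, not a ZF API.)
function safeOrderSpec(string $column, string $dir, array $allowedColumns): string
{
    if (!in_array($column, $allowedColumns, true)) {
        throw new InvalidArgumentException("unknown sort column: $column");
    }
    $dir = strtoupper($dir) === 'DESC' ? 'DESC' : 'ASC';
    return "$column $dir";
}

echo renderOrder([safeOrderSpec('name', 'desc', ['id', 'name', 'created_at'])], 'looksLikeFunctionStrict'), PHP_EOL;
```

Run it with the php CLI. With the loose check the payload reaches the SQL string verbatim after ORDER BY, so whether the second statement actually runs depends only on whether the driver accepts multiple statements; with the strict check the same payload is backtick-quoted as one identifier and the database rejects it as an unknown column. The tightened regex is still a heuristic rather than a SQL parser, which is why the allow-list in safeOrderSpec() is the control that actually removes the attack surface: user input should select among known column names, never be passed to order() as a string.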

Important Changes

In addition to the security fix above, a number of other important changes were made, including:

  • Support for PHPUnit 4 and 4.1, both within the Zend Framework test suite and inside the Zend_Test_PHPUnit component.
  • Backported support from ZF2 for recursive page removal within Zend_Navigation.
  • Support within the Hostname validator for the newly released IANA top level domains.
  • Forward-compatibility changes were made to ensure Zend Framework 1 will run on the upcoming PHP 5.6.

For the complete list of changes, read the changelog.

Thank You!

As always, I'd like to thank the many contributors who made this release possible, particularly Cassiano Dal Pizzol and Lars Kneschke for reporting the security vulnerability, and Enrico Zimuel for patching it.

