Zend Framework 1.12.4, 2.1.6, and 2.2.6 Released!

2014-03-07 | By: Matthew Weier O'Phinney

The Zend Framework community is pleased to announce the immediate availability of:

While these are scheduled maintenance releases, they also contain important security fixes; we strongly encourage users to upgrade.

Security Fixes

Two new security advisories have been made:

  • ZF2014-01, which mitigates XML eXternal Entity and XML Entity Expansion vectors in a variety of components. While we had taken measures two years ago to mitigate these issues, a researcher discovered several components that remained vulnerable.
  • ZF2014-02, which mitigates an issue in our OpenID consumers whereby a malicious Identity Provider could be used to spoof the identity of other providers.

For more information, follow the links above; if you use any of the components affected, please upgrade as soon as possible.


This is the first maintenance release in almost a year on the 1.12 series, and contains fixes too numerous to list. Among some of the more important ones, however:

  • The testing infrastructure has been upgraded to PHPUnit 3.7, making it far simpler for contributors to test changes.
  • #221 removes the TinySrc view helper, as the TinySrc service no longer exists.
  • #222 removes the InfoCard component, as the CardSpace service no longer exists.
  • #271 removes the Nirvanix component, as the Nirvanix service shut down in October 2013.

Many thanks to all the contributors who helped polish ZF1, including both Frank Br├╝ckner and Adam Lundrigan, who provided a ton of patches and feedback, and to Rob Allen, our release manager, for shepherding in contributions!


2.1.6 is a security release only, and issued to provide fixes for ZF2014-01.


2.2.6 is both a security and maintenance release. It addresses specifically ZF2014-01. Additionally, more than 100 patches were contributed to this release.

For the complete list of changes, read the changelog.


We have released a new component, ZendXml, to help PHP developers mitigate XXE and XEE vectors in their own code. We highly recommend using it if you ware working with XML. It is available via Composer, as well as via our packages site.

Component Releases

The following components were updated, to the versions specified, to mitigate security issues.

  • ZendOpenId, v2.0.2
  • ZendRest, v2.0.2
  • ZendService_Amazon, v2.0.3
  • ZendService_Api, v1.0.0
  • ZendService_Audioscrobbler, v2.0.2
  • ZendService_Nirvanix, v2.0.2
  • ZendService_SlideShare, v2.0.2
  • ZendService_Technorati, v2.0.2
  • ZendService_WindowsAzure, v2.0.2

Thank You!

As always, I'd like to thank the many contributors who made these releases possible! The project is gaining in consistency and capabilities daily as a result of your efforts.


We plan to ship version 2.3.0 sometime next week (week of 10 March 2014). We will likely adopt a semi-monthly maintenance release schedule thereafter.



© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.