The Zend Framework community is pleased to announce the immediate availability of Zend Framework 1.12.7:
This release contains an important security fix in Zend_Db_Select; we strongly encourage users of this component to upgrade.
One new security advisory has been made, and has been patched in 1.12.7:
ZF2014-04, which mitigates a potential SQL Injection (SQLi) vector when using ORDER BY clauses in Zend_Db_Select; SQL function calls were improperly detected, rendering ORDER clauses such as MD5(1);drop table foo unfiltered. The logic has been updated to prevent SQLi vectors, and users of this functionality are strongly encouraged to upgrade immediately.
For more information, follow the link above; if you use the component affected, please upgrade as soon as possible.
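The advisory above is about how an ORDER BY spec gets classified: a spec that looks like a function call is passed through as a raw expression instead of being quoted as an identifier, so a spec with trailing text after the call reaches the database unfiltered. The following is an added example (it is not Zend Framework code and does not reproduce Zend_Db_Select's actual implementation) that contrasts a hypothetical loose "contains parentheses, so it must be an expression" check with a strict allowlist validator. The function names, the allowlists and the sample specs are constructed for the example; the only spec taken from the announcement is MD5(1);drop table foo.

```php
<?php
// Added example, not Zend Framework code. Shows why "looks like a function
// call" is not a safe criterion for passing an ORDER BY spec through raw.
declare(strict_types=1);

/**
 * Hypothetical loose detector: any spec containing parentheses is treated as
 * a raw SQL expression. This is the kind of over-broad check the advisory
 * describes; it is NOT Zend's actual code.
 */
function looseOrderSpecIsExpression(string $spec): bool
{
    return preg_match('/\(.*\)/', $spec) === 1;
}

/**
 * Strict validation (hypothetical helper): accept only
 *   - a bare column identifier, optionally table-qualified, that is on the
 *     column allowlist, or
 *   - a call of an allowlisted function whose arguments are allowlisted
 *     columns or unsigned integer literals,
 * each optionally followed by ASC or DESC. Anything else is rejected, which
 * covers ';', quotes, comments, nested parentheses and trailing text.
 */
function strictOrderSpecIsValid(string $spec, array $allowedColumns, array $allowedFunctions = []): bool
{
    $ident  = '[A-Za-z_][A-Za-z0-9_]*';
    $column = '(?:' . $ident . '\.)?' . $ident;
    // group 1: bare column; group 2: function name; group 3: raw argument list; group 4: direction
    $pattern = '/^\s*(?:(' . $column . ')|(' . $ident . ')\s*\(([^()]*)\))(?:\s+(ASC|DESC))?\s*$/i';

    if (preg_match($pattern, $spec, $m) !== 1) {
        return false;
    }

    $cols = array_map('strtolower', $allowedColumns);
    if ($m[1] !== '') {
        // bare column branch: must be on the allowlist
        return in_array(strtolower($m[1]), $cols, true);
    }

    // function-call branch: name must be allowlisted, and each argument must
    // be an unsigned integer or an allowlisted column
    $funcs = array_map('strtolower', $allowedFunctions);
    if (!in_array(strtolower($m[2]), $funcs, true)) {
        return false;
    }
    $args = trim($m[3]) === '' ? [] : array_map('trim', explode(',', $m[3]));
    foreach ($args as $arg) {
        if (preg_match('/^[0-9]+$/', $arg) === 1) {
            continue;
        }
        if (preg_match('/^' . $column . '$/', $arg) !== 1 || !in_array(strtolower($arg), $cols, true)) {
            return false;
        }
    }
    return true;
}

// Constructed allowlists and sample specs (the last spec is the one quoted in the advisory).
$allowedColumns   = ['id', 'name', 'created_at'];
$allowedFunctions = ['md5', 'lower'];
$specs = ['name DESC', 'LOWER(name) ASC', 'MD5(1)', 'MD5(1);drop table foo'];

foreach ($specs as $s) {
    printf(
        "%-24s loose says expression: %-5s strict accepts: %s\n",
        $s,
        var_export(looseOrderSpecIsExpression($s), true),
        var_export(strictOrderSpecIsValid($s, $allowedColumns, $allowedFunctions), true)
    );
}
```

With these inputs the loose check classifies both MD5(1) and MD5(1);drop table foo as expressions, because each contains parentheses, whereas the strict validator accepts the first three specs and rejects the fourth, since nothing may follow the closing parenthesis except an optional ASC or DESC. The design point is that ordering input from untrusted sources should be matched against an allowlist of columns (and, if needed, functions) rather than classified by pattern and then emitted raw.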
In addition to the security fix above, a number of other important changes were made, including:
For the complete list of changes, read the changelog.
As always, I'd like to thank the many contributors who made this release possible, particularly Cassiano Dal Pizzol and Lars Kneschke for reporting the security vulnerability, and Enrico Zimuel for patching it.