zend-framework (1.5.1-0ubuntu1.1) hardy-security; urgency=low

  * SECURITY UPDATE: (LP: #345682)
    Announcement: http://www.nabble.com/SECURITY-ADVISORY-tp22609193p22609193.html
    From Zend PHP FW Mailing List:
    The Zend Framework team was recently notified of an XSS attack vector in its Zend_Filter_StripTags class.
    Zend_Filter_StripTags offers the ability to strip HTML tags from text, but also to selectively choose
    which tags and specific attributes of those tags to keep.
    The XSS attack vector was due to a bug in matching HTML tag attributes to retain.
    If whitespace was introduced surrounding the attribute assignment operator or the value included newline characters,
    the attribute would always be included in the final output, even if it was not marked to retain.
    A security fix has been created and released with Zend Framework 1.7.7.
    Additionally, the fix has been back-ported to the 1.6, 1.5, and 1.0 release branches.
  * debian/patches/zf_Zend_Filter_security_fix.patch:
    Fixes security issue according to
    http://framework.zend.com/svn/framework/standard/branches/release-1.7/library/Zend/Filter/StripTags.php
  * debian/control: added quilt as build dependency
  * debian/rules: include quilt.mk and call patch/unpatch targets

 -- Stephan Hermann <email address hidden>  Thu, 14 May 2009 12:39:55 +0000
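
The attribute-matching flaw the advisory describes, as an added illustration that is not Zend's code: a stripper that deletes only the disallowed attributes its regex recognises leaves any attribute the regex did not match (spaces around `=`, a newline in the value) in the tag, while a stripper that rebuilds the tag from matched, allowed attributes drops it. The regexes, tag allowlist and sample markup below are constructed for this example.

```python
import re

# Constructed example, not Zend_Filter_StripTags itself: two ways of applying
# an attribute allowlist, showing the bug class the advisory describes.
TAG_RE = re.compile(r"<(/?)([A-Za-z][\w:-]*)([^>]*)>")
# Strict matcher: only name="value" with no whitespace around '=' and no
# newline inside the value. Attributes written any other way are not seen.
STRICT_ATTR = re.compile(r'([\w:-]+)="([^"\n]*)"')
# Tolerant matcher: whitespace around '=' and newlines inside the value are
# accepted, so every quoted attribute reaches the allowlist check.
TOLERANT_ATTR = re.compile(r'([\w:-]+)\s*=\s*"([^"]*)"')

def strip_tags_denylist(html, allowed):
    """Flawed: removes attributes the regex recognises as disallowed and keeps
    the rest of the tag text verbatim, so an unrecognised attribute survives."""
    def fix(m):
        close, name, attrs = m.groups()
        if name.lower() not in allowed:
            return ""  # tag not allowed: drop it, keep the text between tags
        keep = allowed[name.lower()]
        kept = STRICT_ATTR.sub(
            lambda a: a.group(0) if a.group(1).lower() in keep else "", attrs)
        return f"<{close}{name}{kept}>"
    return TAG_RE.sub(fix, html)

def strip_tags_allowlist(html, allowed):
    """Hardened: rebuilds the tag from attributes that were both matched and
    allowed; anything the matcher did not understand is dropped."""
    def fix(m):
        close, name, attrs = m.groups()
        if name.lower() not in allowed:
            return ""
        if close:
            return f"</{name}>"
        kept = [f'{k}="{v}"' for k, v in TOLERANT_ATTR.findall(attrs)
                if k.lower() in allowed[name.lower()]]
        return "<" + " ".join([name] + kept) + ">"
    return TAG_RE.sub(fix, html)

ALLOWED = {"a": {"href"}, "b": set()}  # constructed allowlist
# Constructed inputs: a normally written handler attribute, one with spaces
# around '=', and one whose value contains a newline.
SAMPLES = [
    '<a href="/x" onclick="evil()">ok</a>',
    '<a href="/y" onclick = "evil()">spaced</a>',
    '<a href="/z" onclick="a\nb">newline</a>',
]
```

Running `strip_tags_denylist` over `SAMPLES` removes the handler only from the first sample and leaves it intact in the other two; `strip_tags_allowlist` removes it from all three.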

zend-framework (1.5.1-0ubuntu1) hardy; urgency=low

  * New bugfix release
    You can find the bugs fixed at
    http://framework.zend.com/issues/secure/IssueNavigator.jspa?mode=hide&requestId=10711

 -- Stephan Hermann <email address hidden>  Thu, 27 Mar 2008 10:07:48 +0100

zend-framework (1.5.0-0ubuntu1) hardy; urgency=low

  * New upstream release (LP: #204016)
  * New Features:
    + New Zend_Form component with support for AJAX-enabled form elements
    + New action and view helpers for automating and facilitating AJAX requests
      and alternate response formats
    + LDAP, Infocard, and OpenID authentication adapters
    + Support for complex Lucene searches, including fuzzy, date-range, and
      wildcard queries
    + Support for Lucene 2.1 index file format
    + Partial, Placeholder, Action, and Header view helpers for advanced view
      composition and rendering
    + New Zend_Layout component for automating and facilitating site layouts
    + UTF-8 support for PDF documents
  * Enhancements and Bugfixes
    + Zend_Json has been augmented to convert from XML to JSON format
    + New Zend_TimeSync component supporting the Network Time Protocol (NTP)
    + Improved performance of Zend_Translate with new caching option
    + addRoute(), addRoutes(), addConfig(), removeRoute(), removeDefaultRoutes()
      methods of Zend_Controller_Router_Rewrite now support method chaining
    + Yahoo web service supports Yahoo! Site Explorer and video searches
    + Database adapter for Firebird/Interbase
    + Query modifiers for fetch and find methods in Zend_Db_Table
    + 'init' hook to modify initialization behaviour in subclasses of
      Zend_Db_Table, Rowset, and Row
    + Support for HTTP CONNECT requests in Zend_Http_Client
    + Support for PHP's hash() for read/write control in Zend_Cache
    + Zend_Cache_Backend_File may be configured to call ignore_user_abort() to
      maintain cache data integrity
    + Timezone in Zend_Date may be set by locale
    + Zend_Cache can now use custom frontend and backend classes
  * debian/control:
    - Introduce binary package libzend-framework-php according to Debian's PHP
      Policy (http://webapps-common.alioth.debian.org/draft-php/html/index.htm)
    - Make zend-framework (old binary package) a transitional one, which
      depends on the new binary package
  * debian/rules:
    - Don't install NEWS.txt as Changelog replacement anymore; it doesn't
      exist in the upstream tarball anymore
  * debian/Makefile:
    - Remove VERSION.txt from install target; this file doesn't exist anymore
      either

 -- Stephan Hermann <email address hidden>  Tue, 18 Mar 2008 09:19:57 +0100

zend-framework (1.0.4-0ubuntu1) hardy; urgency=low

  * New upstream version
    - This version is a bugfix release

 -- Stephan Hermann <email address hidden>  Tue, 26 Feb 2008 21:00:10 +0100

zend-framework (1.0.2-0ubuntu1) hardy; urgency=low

  * Initial release
  * Latest stable version 1.0.3 has bugs which prevent apps from determining
    the correct locale on the system. It's being fixed in latest SVN, but this
    is too unstable

 -- Stephan Hermann <email address hidden>  Thu, 07 Feb 2008 11:14:22 +0100