Merge branch 'releases/2.3.9-2.4.2'

zendframework · May 11, 2015 · d134424 · d134424
2 parents 97d7416 + 899ff27
commit d134424
Show file tree

Hide file tree

Showing 26 changed files with 1,634 additions and 613 deletions.
diff --git a/config/autoload/module.downloads.global.php b/config/autoload/module.downloads.global.php
@@ -4,8 +4,10 @@
   array (
     'versions' => 
     array (
+      '2.4.2' => '2015-05-11',
       '2.4.1' => '2015-05-07',
       '2.4.0' => '2015-03-31',
+      '2.3.9' => '2015-05-11',
       '2.3.8' => '2015-05-07',
       '2.3.7' => '2015-03-12',
       '2.3.6' => '2015-03-12',

diff --git a/config/autoload/zf-apidoc-versions.php b/config/autoload/zf-apidoc-versions.php
@@ -14,8 +14,8 @@
   ),
   2 => 
   array (
-    '2.4' => '2.4.1',
-    '2.3' => '2.3.8',
+    '2.4' => '2.4.2',
+    '2.3' => '2.3.9',
     '2.2' => '2.2.10',
     '2.1' => '2.1.6',
     '2.0' => '2.0.7',

diff --git a/data/posts/2015-05-11-ZF-2.3.9-2.4.2-Released.php b/data/posts/2015-05-11-ZF-2.3.9-2.4.2-Released.php
@@ -0,0 +1,109 @@
+<?php
+// @codingStandardsIgnoreFile
+use PhlyBlog\AuthorEntity;
+use PhlyBlog\EntryEntity;
+
+$author = new AuthorEntity();
+$author->setId('matthew');
+$author->setName("Matthew Weier O'Phinney");
+$author->setEmail('[email protected]');
+$author->setUrl('http://mwop.net/');
+
+$post = new EntryEntity();
+$post->setTitle('Zend Framework 2.3.9 and 2.4.2 Released!');
+$post->setAuthor($author);
+$post->setDraft(false);
+$post->setPublic(true);
+$post->setCreated(new DateTime('2015-05-11 13:00', new DateTimezone('America/Chicago')));
+$post->setUpdated(new DateTime('2015-05-11 13:00', new DateTimezone('America/Chicago')));
+$body =<<<'EOS'
+<p>
+    The Zend Framework community is pleased to announce the immediate availability
+    of:
+</p>
+
+<ul>
+    <li>Zend Framework <strong>2.3.9</strong></li>
+    <li>Zend Framework <strong>2.4.2</strong></li>
+</ul>
+
+<ul>
+    <li>
+        <a href="/downloads/latest">http://framework.zend.com/downloads/latest</a>
+    </li>
+</ul>
+
+<p>
+    These are the ninth and second feature releases, respectively, for these minor versions. The releases contain fixes for BC breaks introduced in 2.3.8 and 2.4.1.
+</p>
+EOS;
+$post->setBody($body);
+
+$extended =<<<'EOC'
+<h2>Backwards Compatibility Fixes</h2>
+
+<p>
+    Zend Framework versions 2.3.8 and 2.4.2 introduced fixes for
+    <a href="/security/advisory/ZF2015-04">ZF2015-04</a>, a serious vulnerability 
+    in the <code>Zend\Mail</code> and <code>Zend\Http</code> components.</li>
+</ul>
+
+<p>
+    Unfortunately, in fixing the security vulnerabilities, several use cases 
+    were broken, due to lack of tests covering the specific cases. These include:
+</p>
+
+<ul>
+    <li><a href="https://github.com/zendframework/zf2/issues/7514">Mail messages with multipart bodies were providing an incorrect header continuation.</a></li>
+    <li><a href="https://github.com/zendframework/zf2/issues/7506">Mail messages containing UTF-8 addresses were not being improperly tagged as invalid.</a></li>
+    <li><a href="https://github.com/zendframework/zf2/issues/7507">Cookies with array values were not being serialized and urlencoded, and thus were improperly tagged as invalid.</a></li>
+</ul>
+
+<p>
+    The new releases fix these issues, ensuring that applications will be both protected from ZF2015-04, as well as continue to work under common use cases. Regression tests were added to ensure the functionality continues to work in the future.
+</p>
+
+<h3>Changelog</h3>
+
+<p>
+    For the full changelog on each version:
+</p>
+
+<ul>
+    <li><a href="/changelog/2.4.2">http://framework.zend.com/changelog/2.4.2</a></li>
+    <li><a href="/changelog/2.3.9">http://framework.zend.com/changelog/2.3.9</a></li>
+</ul>
+
+<h2>Long Term Support</h2>
+
+<p>
+    As a reminder, the 2.4 series is our current Long Term Support release, and will
+    receive security and critical bug fixes until 31 March 2018.
+</p>
+
+<p>
+    You can opt-in to the LTS version by pinning your <code>zendframework/zendframework</code>
+    <a href="https://getcomposer.org">Composer</a> requirement to the version <code>~2.4.0</code>.
+</p>
+
+<p>
+    <a href="/long-term-support">Visit our Long Term Support information page</a> for more information.
+</p>
+
+<h2>Roadmap</h2>
+
+<p>
+    We are currently <a href="/blog/announcing-the-zend-framework-3-roadmap.html">shifting gears
+    towards Zend Framework 3</a> development.
+</p>
+
+<h2>Thank You!</h2>
+
+<p>
+    I would like to thank <a href="https://github.com/Maks3w">Maks3w</a>
+    for assisting with triage and patching of these issues.
+</p>
+EOC;
+$post->setExtended($extended);
+
+return $post;
diff --git a/data/zf2-changelog.php b/data/zf2-changelog.php
@@ -4500,5 +4500,20 @@ class may be used as a drop-in replacement. In fact, by default,
   
 ## SECURITY UPDATES
 - **ZF2015-04**: `Zend\\Mail` and `Zend\\Http` were both susceptible to CRLF Injection Attack vectors (for HTTP, this is often referred to as HTTP Response Splitting). Both components were updated to perform header value validations to ensure no values contain characters not detailed in their corresponding specifications, and will raise exceptions on detection. Each also provides new facilities for both validating and filtering header values prior to injecting them into header classes.  If you use either `Zend\\Mail` or `Zend\\Http` (which includes users of `Zend\\Mvc`), we recommend upgrading immediately.',
+  '2.3.9' => 'Zend Framework 2.3.9 (2015-05-11)
+
+- [7506: resolves issues when UTF-8 values are used in Mail headers, particularly addresses.](https://github.com/zendframework/zf2/pull/7506)
+- [7507: ensures that array values can be used with cookies.](https://github.com/zendframework/zf2/pull/7507)
+- [7514: ensures that multipart MIME messages can be added to Zend\\\\Mail\\\\Message instances in such a way that they do not conflict with ZF2015-04.](https://github.com/zendframework/zf2/pull/7514) 
+',
+  '2.4.2' => 'Zend Framework 2.4.2 (2015-05-11)
+
+- [7503: Mail header - boundary issue (related to ZF2015-04)](https://github.com/zendframework/zf2/issues/7503)
+- [7506: &#91;mail&#92; Fix set UTF-8 values to headers. Fix #7501](https://github.com/zendframework/zf2/pull/7506)
+- [7507: &#91;http&#92; Allow serialize any character on cookies](https://github.com/zendframework/zf2/pull/7507)
+- [7510: &#91;mail/mime&#92; Fix content-type has invalid characters in field value. Fix #7503](https://github.com/zendframework/zf2/pull/7510)
+- [7512: \\Zend\\Ldap\\Attribute::valueFromLdap catching wrong exception](https://github.com/zendframework/zf2/issues/7512)
+- [7513: &#91;ldap&#92; Fix exceptions while parsing are not captured.](https://github.com/zendframework/zf2/pull/7513)
+- [7514: &#91;#7503&#92; Pass the `\\r\\n` sequence to Part::getHeadersAsArray()](https://github.com/zendframework/zf2/pull/7514)',
 );
 return $tags;
diff --git a/module/Application/view/application/index/index.phtml b/module/Application/view/application/index/index.phtml
@@ -132,10 +132,10 @@ $this->layout()->bodyId = 'home';
                 </dl>
                 <ul class="tabs-content">
                     <li class="active" id="news-contentTab">
+<h5><a href="http://framework.zend.com/blog/zend-framework-2-3-9-and-2-4-2-released.html">Zend Framework 2.3.9 and 2.4.2 Released!</a></h5>
 <h5><a href="http://framework.zend.com/blog/zend-framework-2-3-8-and-2-4-1-released.html">Zend Framework 2.3.8 and 2.4.1 Released!</a></h5>
 <h5><a href="/security/advisory/ZF2015-04">ZF2015-04: Potential CRLF injection attacks in mail and HTTP headers</a></h5>
 <h5><a href="http://framework.zend.com/blog/zend-framework-2-4-0-released.html">Zend Framework 2.4.0 Released!</a></h5>
-<h5><a href="http://framework.zend.com/blog/zend-framework-2-3-7-released.html">Zend Framework 2.3.7 Released!</a></h5>
 
                     </li>
                     <li id="get-started-contentTab">

diff --git a/public/blog/author/matthew-atom.xml b/public/blog/author/matthew-atom.xml
@@ -1,11 +1,82 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <feed xmlns="http://www.w3.org/2005/Atom">
   <title type="text">Author: Matthew Weier O'Phinney - ZF Blog</title>
-  <updated>2015-05-07T21:00:00+0000</updated>
+  <updated>2015-05-11T18:00:00+0000</updated>
   <generator uri="http://framework.zend.com" version="2">Zend_Feed_Writer</generator>
   <link rel="alternate" type="text/html" href="http://framework.zend.com/blog/author/matthew.html"/>
   <link rel="self" type="application/atom+xml" href="http://framework.zend.com/blog/author/matthew-atom.xml"/>
   <id>http://framework.zend.com/blog/author/matthew.html</id>
+  <entry xmlns:xhtml="http://www.w3.org/1999/xhtml">
+    <title type="html"><![CDATA[Zend Framework 2.3.9 and 2.4.2 Released!]]></title>
+    <published>2015-05-11T18:00:00+0000</published>
+    <updated>2015-05-11T18:00:00+0000</updated>
+    <link rel="alternate" type="text/html" href="http://framework.zend.com/blog/zend-framework-2-3-9-and-2-4-2-released.html"/>
+    <id>http://framework.zend.com/blog/zend-framework-2-3-9-and-2-4-2-released.html</id>
+    <author>
+      <name>Matthew Weier O'Phinney</name>
+      <email>[email protected]</email>
+      <uri>http://mwop.net/</uri>
+    </author>
+    <content xmlns:xhtml="http://www.w3.org/1999/xhtml" type="xhtml">
+      <xhtml:div xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:p>The Zend Framework community is pleased to announce the
+immediate availability of:</xhtml:p>
+<xhtml:ul>
+<xhtml:li>Zend Framework <xhtml:strong>2.3.9</xhtml:strong></xhtml:li>
+<xhtml:li>Zend Framework <xhtml:strong>2.4.2</xhtml:strong></xhtml:li>
+</xhtml:ul>
+<xhtml:ul>
+<xhtml:li><xhtml:a href="/downloads/latest">http://framework.zend.com/downloads/latest</xhtml:a></xhtml:li>
+</xhtml:ul>
+<xhtml:p>These are the ninth and second feature releases, respectively,
+for these minor versions. The releases contain fixes for BC breaks
+introduced in 2.3.8 and 2.4.1.</xhtml:p>
+<xhtml:h2>Backwards Compatibility Fixes</xhtml:h2>
+<xhtml:p>Zend Framework versions 2.3.8 and 2.4.2 introduced fixes for
+<xhtml:a href="/security/advisory/ZF2015-04">ZF2015-04</xhtml:a>, a serious
+vulnerability in the <xhtml:code>Zend\Mail</xhtml:code> and
+<xhtml:code>Zend\Http</xhtml:code> components.</xhtml:p>
+<xhtml:p>Unfortunately, in fixing the security vulnerabilities, several
+use cases were broken, due to lack of tests covering the specific
+cases. These include:</xhtml:p>
+<xhtml:ul>
+<xhtml:li><xhtml:a href="https://github.com/zendframework/zf2/issues/7514">Mail
+messages with multipart bodies were providing an incorrect header
+continuation.</xhtml:a></xhtml:li>
+<xhtml:li><xhtml:a href="https://github.com/zendframework/zf2/issues/7506">Mail
+messages containing UTF-8 addresses were not being improperly
+tagged as invalid.</xhtml:a></xhtml:li>
+<xhtml:li><xhtml:a href="https://github.com/zendframework/zf2/issues/7507">Cookies with
+array values were not being serialized and urlencoded, and thus
+were improperly tagged as invalid.</xhtml:a></xhtml:li>
+</xhtml:ul>
+<xhtml:p>The new releases fix these issues, ensuring that applications
+will be both protected from ZF2015-04, as well as continue to work
+under common use cases. Regression tests were added to ensure the
+functionality continues to work in the future.</xhtml:p>
+<xhtml:h3>Changelog</xhtml:h3>
+<xhtml:p>For the full changelog on each version:</xhtml:p>
+<xhtml:ul>
+<xhtml:li><xhtml:a href="/changelog/2.4.2">http://framework.zend.com/changelog/2.4.2</xhtml:a></xhtml:li>
+<xhtml:li><xhtml:a href="/changelog/2.3.9">http://framework.zend.com/changelog/2.3.9</xhtml:a></xhtml:li>
+</xhtml:ul>
+<xhtml:h2>Long Term Support</xhtml:h2>
+<xhtml:p>As a reminder, the 2.4 series is our current Long Term Support
+release, and will receive security and critical bug fixes until 31
+March 2018.</xhtml:p>
+<xhtml:p>You can opt-in to the LTS version by pinning your
+<xhtml:code>zendframework/zendframework</xhtml:code> <xhtml:a href="https://getcomposer.org">Composer</xhtml:a> requirement to the version
+<xhtml:code>~2.4.0</xhtml:code>.</xhtml:p>
+<xhtml:p><xhtml:a href="/long-term-support">Visit our Long Term Support
+information page</xhtml:a> for more information.</xhtml:p>
+<xhtml:h2>Roadmap</xhtml:h2>
+<xhtml:p>We are currently <xhtml:a href="/blog/announcing-the-zend-framework-3-roadmap.html">shifting gears
+towards Zend Framework 3</xhtml:a> development.</xhtml:p>
+<xhtml:h2>Thank You!</xhtml:h2>
+<xhtml:p>I would like to thank <xhtml:a href="https://github.com/Maks3w">Maks3w</xhtml:a> for assisting with triage
+and patching of these issues.</xhtml:p>
+</xhtml:div>
+    </content>
+  </entry>
   <entry xmlns:xhtml="http://www.w3.org/1999/xhtml">
     <title type="html"><![CDATA[Zend Framework 2.3.8 and 2.4.1 Released!]]></title>
     <published>2015-05-07T21:00:00+0000</published>
@@ -946,52 +1017,6 @@ also want to thank <xhtml:a href="https://github.com/ocramius">Marco
 Pivetta</xhtml:a> in particular, for the tireless effort he has made in
 triaging and merging pull requests for the 2.3.4 release; his
 efforts have been invaluable.</xhtml:p>
-</xhtml:div>
-    </content>
-  </entry>
-  <entry xmlns:xhtml="http://www.w3.org/1999/xhtml">
-    <title type="html"><![CDATA[Zend Framework 1.12.9, 2.2.8, and 2.3.3 Released!]]></title>
-    <published>2014-09-17T15:30:00+0000</published>
-    <updated>2014-09-17T15:30:00+0000</updated>
-    <link rel="alternate" type="text/html" href="http://framework.zend.com/blog/zend-framework-1-12-9-2-2-8-and-2-3-3-released.html"/>
-    <id>http://framework.zend.com/blog/zend-framework-1-12-9-2-2-8-and-2-3-3-released.html</id>
-    <author>
-      <name>Matthew Weier O'Phinney</name>
-      <email>[email protected]</email>
-      <uri>http://mwop.net/</uri>
-    </author>
-    <content xmlns:xhtml="http://www.w3.org/1999/xhtml" type="xhtml">
-      <xhtml:div xmlns:xhtml="http://www.w3.org/1999/xhtml"><xhtml:p>The Zend Framework community is pleased to announce the
-immediate availability of:</xhtml:p>
-<xhtml:ul>
-<xhtml:li>Zend Framework <xhtml:strong>1.12.9</xhtml:strong></xhtml:li>
-<xhtml:li>Zend Framework <xhtml:strong>2.2.8</xhtml:strong></xhtml:li>
-<xhtml:li>Zend Framework <xhtml:strong>2.3.3</xhtml:strong></xhtml:li>
-</xhtml:ul>
-<xhtml:ul>
-<xhtml:li><xhtml:a href="/downloads/latest">http://framework.zend.com/downloads/latest</xhtml:a></xhtml:li>
-</xhtml:ul>
-<xhtml:p>These are security releases; we strongly encourage users to
-upgrade.</xhtml:p>
-<xhtml:h2>Security Fixes</xhtml:h2>
-<xhtml:p>Two new security advisories have been made:</xhtml:p>
-<xhtml:ul>
-<xhtml:li><xhtml:a href="/security/advisory/ZF2014-05">ZF2014-05</xhtml:a>, which
-mititages null byte poisoning of the password provided for LDAP
-authentication, thus prevening unauthorized LDAP binding. This
-corrects for unpatched versions of PHP (versions 5.5.11 and below,
-5.4.27 and below, and any prior releases).</xhtml:li>
-<xhtml:li><xhtml:a href="/security/advisory/ZF2014-06">ZF2014-06</xhtml:a>, which
-mitigates null byte poisoning of quoted SQL values provided to the
-sqlsrv extension, thus preventing a potential SQL injection
-vector.</xhtml:li>
-</xhtml:ul>
-<xhtml:p>For more information, follow the links above; if you use either
-of the components affected, please upgrade as soon as possible.</xhtml:p>
-<xhtml:h2>Thank You!</xhtml:h2>
-<xhtml:p>Thank you to the two reporters of the security issues, Matthew
-Daley (LDAP vulnerability) and Jonas Sandström (sqlsrv
-vulnerability).</xhtml:p>
 </xhtml:div>
     </content>
   </entry>