Security updates released for Zend Framework
The Zend developers have announced the release of versions 1.9.7, 1.8.5 and 1.7.9 of their open source Zend Framework. In addition to more than 40 bug fixes, the latest releases address a total of six security-related vulnerabilities. Five of the fixes address cross-site scripting (XSS) issues and the sixth corrects a potential MIME type injection problem. According to Matthew Weier O'Phinney, Software Architect for the Zend Framework, the latest updates are the first to comply with Zend's new security policy. The developers advise all users to update to the latest releases as soon as possible.
O'Phinney also notes that version 1.9.7 is the last scheduled release in the 1.9 series. An alpha of version 1.10 of the Zend Framework was released in December and a beta release is expected to arrive this week. The final version of 1.10 is scheduled to arrive later this month.
More details about the releases can be found in the Zend Framework 1.9.7, 1.8.5 and 1.7.9 change logs. Versions 1.9.7, 1.8.5 and 1.7.9 of the Zend Framework are available to download. The Zend Framework is released under the New BSD License.
See also:
- ZF2010-06: Potential XSS or HTML Injection vector in Zend_Json, security advisory from Zend.
- ZF2010-05: Potential XSS vector in Zend_Service_ReCaptcha_MailHide, security advisory from Zend.
- ZF2010-04: Potential MIME-type Injection in Zend_File_Transfer, security advisory from Zend.
- ZF2010-03: Potential XSS vector in Zend_Filter_StripTags when comments allowed, security advisory from Zend.
- ZF2010-02: Potential XSS vector in Zend_Dojo_View_Helper_Editor, security advisory from Zend.
- ZF2010-01: Potential XSS vectors due to inconsistent encodings, security advisory from Zend.
(crve)