lp:ubuntu/jaunty-security/zend-framework

Created by James Westby and last modified
Get this branch:
bzr branch lp:ubuntu/jaunty-security/zend-framework

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Mature

Recent revisions

17. By Stephan Rügamer

* The security update fixes the following security issues: (LP: #506304)
  + ZF2010-03: Potential XSS vector in Zend_Filter_StripTags when comments allowed
    Zend_Filter_StripTags contained an optional setting to allow whitelisting
    HTML comments in filtered text. Microsoft Internet Explorer and several other
    browsers allow developers to create conditional functionality via HTML comments,
    including execution of script events and rendering of additional commented markup.
    By allowing whitelisting of HTML comments, a malicious user could potentially
    include XSS exploits within HTML comments that would then be rendered in the final output.
    http://framework.zend.com/security/advisory/ZF2010-03
  + ZF2010-06: Potential XSS or HTML Injection vector in Zend_Json
    Zend_Json_Encoder was not taking into account the solidus character ("/") during encoding,
    leading to incompatibilities with the JSON specification, and opening the potential for XSS
    or HTML injection attacks when returning HTML within a JSON string.
  + ZF2010-02: Potential XSS vector in Zend_Dojo_View_Helper_Editor
    Zend_Dojo_View_Helper_Editor was incorrectly decorating a TEXTAREA instead of a DIV.
    The Dojo team has reported that this has security implications as the rich
    text editor they use is unable to escape content for a TEXTAREA.
* debian/patches/99_ZF2010-03_Zend_Filter_Striptags.patch:
  + Patch was found at: http://framework.zend.com/issues/browse/ZF-8743
* debian/patches/99_ZF2010-06_Zend_Json.patch
  + Patch was found at: http://framework.zend.com/issues/browse/ZF-8663
* debian/patches/99_ZF2010-02_Zend_Dojo.patch:
  + Patch was found at: http://framework.zend.com/issues/browse/ZF-6753

16. By Stephan Rügamer

* SECURITY UPDATE: (LP: #345682)
  Announcement: http://www.nabble.com/SECURITY-ADVISORY-tp22609193p22609193.html
  From Zend PHP FW Mailing List:
  The Zend Framework team was recently notified of an XSS attack vector in its Zend_Filter_StripTags class.
  Zend_Filter_StripTags offers the ability to strip HTML tags from text, but also to selectively choose
  which tags and specific attributes of those tags to keep.
  The XSS attack vector was due to a bug in matching HTML tag attributes to retain.
  If whitespace was introduced surrounding the attribute assignment operator or the value included newline characters,
  the attribute would always be included in the final output, even if it was not marked to retain.
  A security fix has been created and released with Zend Framework 1.7.7.
  Additionally, the fix has been back-ported to the 1.6, 1.5, and 1.0 release branches.
* debian/patches/zf_Zend_Filter_security_fix.patch:
  Fixes security issue according to
  http://framework.zend.com/svn/framework/standard/branches/release-1.7/library/Zend/Filter/StripTags.php

15. By Stephan Rügamer

debian/patches/zf_176_fixes.patch:
Added library/ and tests/ fixes from ZendFramework 1.7.6 to 1.7.5 package version
A complete list of fixes you can find here:
http://framework.zend.com/issues/secure/IssueNavigator.jspa?requestId=10953

14. By Stephan Rügamer

* New Upstream version
  - Bugfix / Security Release
  - A list of fixes you can find here:
    http://framework.zend.com/issues/secure/IssueNavigator.jspa?requestId=10951

13. By Stephan Rügamer

* New Upstream version
  - Bugfix Release
  - A list of fixes you can find here:
    http://framework.zend.com/issues/secure/IssueNavigator.jspa?requestId=10944
* cleaned debian/patches

12. By Stephan Rügamer

added debian/patches/zend-framework-pl1.patch (via quilt)

11. By Stephan Rügamer

* New Upstream Version
  - Bug Fix Release
  - A list of fixes you can find here:
    http://framework.zend.com/issues/secure/IssueNavigator.jspa?requestId=10934

10. By Stephan Rügamer

* New Upstream Version
  - Bug Fix Release
  - A list of fixes you can find here:
    http://framework.zend.com/issues/secure/IssueNavigator.jspa?requestId=10923

9. By Stephan Rügamer

* New Upstream version
* New features and components:
  + Zend_Amf with support for AMF0 and AMF3 protocols
  + Dojo Toolkit 1.2.1 (Not installed in Ubuntu Package)
  + Support for dijit editor available in the Dojo Toolkit
  + Zend_Service_Twitter
  + ZendX_JQuery in extras library
  + Metadata API in Zend_Cache
  + Google book search API in Zend_Gdata
  + Preliminary support for GData Protocol v2 in Zend_Gdata
  + Support for skip data processing in Zend_Search_Lucene
  + Support for Open Office XML documents in Zend_Search_Lucene indexer
  + Performance enhancements in Zend_Loader, Zend_Controller, and server components
  + Zend_Mail_Storage_Writable_Maildir enhancements for mail delivery
  + Zend_Tool in incubator
  + Zend_Text_Table for formatting table using characters
  + Zend_ProgressBar
  + Zend_Config_Writer
  + ZendX_Console_Unix_Process in the extras library
  + Zend_Db_Table_Select support for Zend_Paginator
  + Global parameters for routes
  + Using Chain-Routes for Hostname-Routes via Zend_Config
  + I18N improvements
    - Application wide locale for all classes
    - Data retrieving methods are now static
    - Additional cache handling methods in all I18N classes
    - Zend_Translate API simplified
  + File transfer enhancements
    - Support for file elements in subforms
    - Support for multifile elements
    - Support for MAX_FILES_SIZE in form
    - Support for breaking validation chain
    - Support for translation of failure messages
    - New IsCompressed, IsImage, ExcludeMimeType, ExcludeExtension validators
    - Support for FileInfo extension in MimeType validator
  + Zend_Db_Table_Select adapter for Zend_Paginator
  + Support for custom adapters in Zend_Paginator
  + More flexible handling of complex types in Zend_Soap
  + All bugs which are fixed you can find here:
    - http://framework.zend.com/issues/secure/IssueNavigator.jspa?requestId=10903
* Do not install the dojo toolkit which is being shipped inside the original tarball of Zend
* Do not install the incubator which is being shipped inside the original tarball of Zend
* debian/control: remove quilt from build-depends, not needed anymore
* debian/rules:
  - remove all quilt relevant patch rules and includes
  - copy debian/zend-framework.ini to the right location (/etc/php5/conf.d/)
* added debian/zend-framework.ini (LP: #220719)
* debian/README.Debian:
  - Updated to the new world order for enabling zend-framework

8. By Stephan Rügamer

* debian/patches/ubuntu_01_fix_mail.diff:
  + Fixes upstream bugs:
    - ZF-3912
    - ZF-3641
    - ZF-3865
* debian/control:
  + added quilt to b-d
* debian/rules:
  + added quilt targets to patch source

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/karmic/zend-framework