Download Zend Framework 1.7.5

A few days ago, Zend released a new version of Zend Framework with 1.7.5 as the version number. This framework focuses on facilitating the design, writing and maintenance of php applications. To make this possible, various APIs from Google, Microsoft, Amazon, Yahoo and Flickr have been integrated into Zend Framework, among others. Furthermore, the program includes search functionality, support for ajax and RSS and atom syndication. The corresponding announcement looks like this:

Zend Framework 1.7.5 Released

Zend Framework 1.7.5 has been released, and as always you can download the latest copy of Zend Framework for free from here.

Besides the normal small enhancements and bug fixes that come with an incremental release such as this, there is also a rather important (and somewhat controversial) security fix that was added. This security fix breaks backwards compatibility with the previous version, because it simply must in order to exist. There is however a way to turn the security fix off to keep your current applications working in the case that this change breaks you.

on his blog, Matthew Weier O’Phinney, Software Architect for Zend Framework, writes about this vulnerability in detail:

A user filed an issue report showing a potential Local File Inclusion vulnerability in Zend_View’s setScriptPath() method: if user input were used to specify the script path, then it was possible to trigger the LFI. The vulnerability was completely contested; no sane developer should ever configure the view script paths using user input. However, it pointed out another very real LFI attack vector.

I suggest if you are interested in learning more about this, that you read his full post. there is also a new manual page that discussions the new LFI protection.