ZF2013-04: Potential Remote Address Spoofing Vector in Zend\Http\PhpEnvironment\RemoteAddress

The Zend\Http\PhpEnvironment\RemoteAddress class detects the internet protocol (IP) address of an incoming proxied request via the X-Forwarded-For header, taking into account a provided list of trusted proxy server IPs. Prior to 2.2.5, the class did not check whether the IP address contained in PHP's $_SERVER['REMOTE_ADDR'] was in the trusted proxy server list, so the X-Forwarded-For header was inspected even when the request did not arrive from a trusted proxy.

The IETF draft specification indicates that if $_SERVER['REMOTE_ADDR'] is not a trusted proxy, it must be considered the originating IP address, and the value of X-Forwarded-For must be disregarded.

Action Taken

We have made the following change to the Zend\Http\PhpEnvironment\RemoteAddress class:

  • If we detect that (a) we will test against proxy servers, and (b) $_SERVER['REMOTE_ADDR'] is not in the list of trusted proxy servers, we now return the value of $_SERVER['REMOTE_ADDR'] immediately, without introspecting the X-Forwarded-For header.
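The rule above, written out as an added example (this is not the framework's own code): resolveClientIp(), its $checkPeer switch, the right-to-left reading of the header, and all sample addresses are assumptions made for illustration. With $checkPeer set to false the function models the pre-2.2.5 behaviour the advisory describes; with true it applies the 2.2.5 rule.

```php
<?php
// Added example; not Zend Framework source. Names and addresses are
// hypothetical and the sample requests are constructed.

/**
 * Resolve the originating address of a request.
 *
 * @param array $server         A $_SERVER-like array
 * @param array $trustedProxies Exact IPs of proxies we operate
 * @param bool  $useProxy       Condition (a): proxy detection is enabled
 * @param bool  $checkPeer      false = peer is not checked (pre-2.2.5 model),
 *                              true  = condition (b) is enforced (2.2.5 rule)
 * @return string
 */
function resolveClientIp(array $server, array $trustedProxies, $useProxy, $checkPeer)
{
    $peer = isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '';

    // Proxy detection disabled: the TCP peer is the only answer.
    if (!$useProxy) {
        return $peer;
    }

    // 2.2.5 rule: a peer that is not a trusted proxy is the originating
    // address, and X-Forwarded-For is not inspected at all.
    if ($checkPeer && !in_array($peer, $trustedProxies, true)) {
        return $peer;
    }

    if (empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $peer;
    }

    // Assumption of this example: read the chain from the right (the hop
    // nearest to us) and skip our own proxies. The first address that is
    // not a trusted proxy is treated as the client; anything to its left
    // was supplied by that client and is ignored.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    foreach (array_reverse($hops) as $hop) {
        if (in_array($hop, $trustedProxies, true)) {
            continue;
        }
        // A malformed entry means the header cannot be relied on.
        return filter_var($hop, FILTER_VALIDATE_IP) !== false ? $hop : $peer;
    }

    // The header listed only trusted proxies.
    return $peer;
}

$trusted = array('10.0.0.5');

// Constructed sample requests.
$cases = array(
    'request relayed by the trusted proxy' => array(
        'REMOTE_ADDR'          => '10.0.0.5',
        'HTTP_X_FORWARDED_FOR' => '203.0.113.7',
    ),
    'direct connection that sends the header itself' => array(
        'REMOTE_ADDR'          => '198.51.100.23',
        'HTTP_X_FORWARDED_FOR' => '192.0.2.1',
    ),
    'relayed request with a client-supplied first entry' => array(
        'REMOTE_ADDR'          => '10.0.0.5',
        'HTTP_X_FORWARDED_FOR' => '192.0.2.1, 203.0.113.7',
    ),
);

foreach ($cases as $label => $server) {
    printf(
        "%-52s peer unchecked: %-15s peer checked: %s\n",
        $label,
        resolveClientIp($server, $trusted, true, false),
        resolveClientIp($server, $trusted, true, true)
    );
}
```

Only the second case differs between the two modes: without the peer check the header value is returned, with it the function returns REMOTE_ADDR.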

Recommendations

You are only affected by this as an issue if you directly consume one of the following in your code:

  • Zend\Http\PhpEnvironment\RemoteAddress
  • Zend\Session\Validator\RemoteAddr

If you do, we recommend immediately upgrading to version 2.2.5.

Other Information

Acknowledgments

The Zend Framework team thanks the following for identifying the issues and working with us to help protect its users:

Reporting Potential Security Issues

If you have encountered a potential security vulnerability in Zend Framework, please report it to us at zf-security@zend.com. We will work with you to verify the vulnerability and patch it.

When reporting issues, please provide the following information:

  • Component(s) affected
  • A description indicating how to reproduce the issue
  • A summary of the security vulnerability and impact

We request that you contact us via the email address above and give the project contributors a chance to resolve the vulnerability and issue a new release prior to any public exposure; this helps protect Zend Framework users and provides them with a chance to upgrade and/or update in order to protect their applications.

For sensitive email communications, please use our PGP key.

Policy

Zend Framework takes security seriously. If we verify a reported security vulnerability, our policy is:

  • We will patch the current release branch, as well as the immediate prior minor release branch.
  • After patching the release branches, we will immediately issue new security fix releases for each patched release branch.
  • A security advisory will be released on the Zend Framework site detailing the vulnerability, as well as recommendations for end-users to protect themselves. Security advisories will be listed at http://framework.zend.com/security/advisories, as well as via a feed (which is also present in the website head for easy feed discovery).

The Zend Framework community is pleased to announce the immediate availability of Zend Framework 2.2.4! Packages and installation instructions are available at:

This release fixes a regression found in the Form component released with version 2.2.3; if you use that component, we urge you to upgrade to 2.2.4.

Regressions

Version 2.2.3 introduced a regression in the Form component, as a side-effect of fixing another issue. The preferFormInputFilter flag was originally created to allow developers to choose whether they wanted to prefer the input filter they explicitly composed in the form to have priority, or use the input filter settings the form aggregated from default elements instead. Interestingly, the form component essentially enforced the latter situation (preferring what the form aggregated), making the flag have no semantic meaning.

A side effect of this, however, led to a regression in the InputFilter component. Starting sometime in the 2.2 series, the behavior of input merging was changed to merge the old input into the new. In 2.2.3, we corrected this behavior -- but it broke the default merging order in the Form component. On inspection, we discovered that the fix to the InputFilter essentially gave semantic meaning back to the preferFormInputFilter flag -- but that the default behavior -- which was to prefer what the form aggregates -- was now flip-flopped.

The fix in 2.2.4 is to enable the preferFormInputFilter flag by default, thus restoring the previous expected behavior. Additionally, we now provide the ability to set this flag via form options or the form factory.

If you use the Form component, we urge you to upgrade to 2.2.4 immediately.

Changelog

To see the full changelog, visit:

Thank You!

Many thanks to Michaël Gallego and Michael Gooden for helping me troubleshoot the form issues!

Roadmap

Maintenance releases happen monthly on the third Wednesday.

The Zend Framework community is pleased to announce the immediate availability of Zend Framework 2.2.3! Packages and installation instructions are available at:

This is the third monthly maintenance release in the 2.2 series.

Changelog

This release features over 25 changes. Some notable changes include:

  • An update that ensures the filter and validator plugin managers are injected into the input filter factory when using the form factory. (#4851)
  • Fixes to code generation to ensure use statements are unique, and that non-namespaced class generation is possible. (#4988 and #4990)
  • A fix to input filters and forms to ensure overwriting of inputs and input filters happens correctly. (#4996)

To see the full changelog, visit:

Thank You!

I'd like to thank everyone who provided issue reports, typo fixes, maintenance improvements, bugfixes, and documentation improvements; your efforts make the framework increasingly better!

Roadmap

Maintenance releases happen monthly on the third Wednesday.

The Zend Framework community is pleased to announce the immediate availability of Zend Framework 2.2.2! Packages and installation instructions are available at:

This is the second monthly maintenance release in the 2.2 series.

Changelog

This release features over 60 changes. Some notable changes include:

  • The cURL adapter for Zend\Http will no longer double-decode gzip-encoded bodies. (#4555)
  • A headLink() method was added to the HeadLink view helper so that its usage matches the documentation. (#4105)
  • The validator plugin manager was updated to include the new "PhoneNumber" validator. (#4644)
  • Abstract methods in the AbstractRestfulController were made non-abstract, and modified to set a 405 ("Method Not Allowed") status. (#4808)

To see the full changelog, visit:

Thank You!

I'd like to thank everyone who provided issue reports, typo fixes, maintenance improvements, bugfixes, and documentation improvements; your efforts make the framework increasingly better!

Roadmap

Maintenance releases happen monthly on the third Wednesday. Version 2.3.0 is tentatively scheduled for September.

The Zend Framework community is pleased to announce the immediate availability of Zend Framework 2.2.1! Packages and installation instructions are available at:

This is the first monthly maintenance release in the 2.2 series.

Changelog

This release features almost 70 changes, ranging from minor typographical issues to changes to allow easier utilisation of new features introduced in 2.2 (e.g., you can now actually select the new TranslatorAwareTreeRouteStack as a router via configuration). The full changelog for 2.2.1 is available:

Thank You!

I'd like to thank everyone who provided issue reports, typo fixes, maintenance improvements, bugfixes, and documentation improvements; your efforts make the framework increasingly better!

Roadmap

Maintenance releases happen monthly on the third Wednesday. Version 2.3.0 is tentatively scheduled for the end of August.

The Zend Framework community is pleased to announce the immediate availability of Zend Framework 2.2.0! Packages and installation instructions are available at:

This is the first stable release in the 2.2 series.

Usability and Consistency

The primary focus of the 2.2 release has been usability and consistency, primarily with regard to creation and configuration of services such as hydrators, input filters, logs, DB connections, cache objects, translators, and forms.

Most of these services now have what are known as "Abstract Factories" that are either registered by default, or can be added quickly to your application configuration. Abstract factories are used by the service manager when you have multiple services that follow the same instantiation pattern, but which have different names. The typical pattern the new abstract factories follow is to use key/configuration pairs under a common top-level configuration key to describe the instances desired:


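<?php
// Excerpt from an application or module configuration array.
// Each key under "log" names one logger service.
return array(
    'log' => array(
        'Application\Log' => array(
            'writers' => array(
                array(
                    'name'     => 'stream',
                    'priority' => 1000,
                    'options'  => array(
                        'stream' => 'data/logs/app.log',
                    ),
                ),
            ),
        ),
    ),
);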

The above creates a logger named "Application\Log" which you can retrieve directly from the service manager. If you wanted to have additional loggers, you could do so by adding additional entries under the "log" heading, each named, and each providing configuration for a logger.

Besides the logger abstract factory illustrated above, the following components each have abstract factories now, too, using the configuration keys noted:

  • Zend\Cache: "caches" configuration section, allowing multiple named cache storage objects.
  • Zend\Db: "adapters" subkey of the "db" configuration section; this abstract factory allows you to finally have multiple named DB adapter instances, effectively allowing for read-only and write-only connections.
  • Zend\Form: "forms" configuration section (which makes use of several old and new plugin managers, as noted below).

A number of new plugin managers were also added. Plugin managers are specialized service manager instances used by objects that will be consuming many different related object instances, often based on runtime conditions. As examples, view helpers and controller plugins are mediated by plugin managers.

The new plugin manager instances include:

  • Zend\Stdlib\Hydrator\HydratorPluginManager, for retrieving hydrator instances. This allows re-use of individual hydrators, and coupled with the forms abstract factory, allows usage of custom hydrators across your form instances.
  • Zend\InputFilter\InputFilterPluginManager, for retrieving (configurable) input filter instances. This allows re-use of input filters, as well as ensures that all input instances are provided with custom validators and/or filters (from the existing validator and filter plugin managers). The forms abstract factory makes use of this, which allows us to finally tie together the various plugin managers to create fully configurable and custom forms.

Finally, a couple new service factories were created. Service factories usually have a 1:1 relationship between the named service and the instance provided, and are ideal for situations where you only need one instance of a given service type. In the case of the new factories for 2.2, these include translators and sessions.

Data Definition Language Abstraction

Zend Framework 2.2 also offers initial support in Zend\Db for dynamic DDL queries. DDL, for Data Definition Language, is a subset of SQL that comprises different commands for building RDBMS data structures like tables, columns, constraints, indexes, views, triggers and the like.

Initial support is limited to creating tables with SQL92 data-types, and some specialization for MySQL support. Here is an example of a CREATE TABLE statement:


<?php
    use Zend\Db\Sql\Sql;
    use Zend\Db\Sql\Ddl;

    $t = new Ddl\CreateTable();
    $t->setTable('bar');
    $t->addColumn(new Ddl\Column\Integer(
        'id', 
        12, 
        true, 
        null,
        ['auto_increment' => true, 'comment' => 'Some comment']
    ));
    $t->addColumn(new Ddl\Column\Varchar('name', 255));
    $t->addColumn(new Ddl\Column\Char('foo', 20));
    $t->addConstraint(new Ddl\Constraint\PrimaryKey('id'));
    $t->addConstraint(new Ddl\Constraint\UniqueKey(
        ['name', 'foo'],
        'my_unique_key'
    ));

    // $adapter is an already configured Zend\Db\Adapter\Adapter instance.
    $sql = new Sql($adapter);
    echo $sql->getSqlStringForSqlObject($t);

Once this table is created, it can then be altered:


<?php
    // Continues from the previous example: the Ddl import and $sql are reused.
    $t = new Ddl\AlterTable('bar');
    $t->changeColumn('name', new Ddl\Column\Varchar('new_name', 50));
    $t->addColumn(new Ddl\Column\Varchar('another', 255));
    $t->addColumn(new Ddl\Column\Varchar('other_id', 255));
    $t->dropColumn('foo');
    $t->addConstraint(new Ddl\Constraint\ForeignKey(
        'my_fk', 'other_id', 'other_table', 'id', 'CASCADE', 'CASCADE'
    ));
    $t->dropConstraint('my_index');
    echo $sql->getSqlStringForSqlObject($t);

Or even dropped:


<?php
    $dt = new Ddl\DropTable('bar');
    echo $sql->getSqlStringForSqlObject($dt);

What can this be used for?

That is where you come in. This particular feature was asked for numerous times during ZF1 development. We'd like to see what kind of ZF2 modules can be created with this base infrastructure. Migration assistant? ORM database creation tool? Advanced CMS? Let us know; we'll be adding more vendor specific support over the 2.2 to 2.3 timeline.

New Service Wrappers

Zend Framework has a long history of providing API wrappers; in fact, they were a prominent part of the initial pre-release! The tradition continues in ZF2, though each API wrapper now has its own repository.

Alongside the 2.2.0 release, we're also providing initial beta releases of two new service components: ZendService_Api and ZendService_OpenStack.

ZendService_Api

This is an HTTP microframework for consuming generic API calls in PHP. This framework can be used to create PHP libraries that consume specific HTTP APIs using either a simple configuration array or files. This project uses the Zend\Http\Client component of Zend Framework 2. Enrico has blogged about the component previously.

ZendService_OpenStack

We began the development of a new library to support the last API version of OpenStack. The goal of this component is to simplify the usage of OpenStack in PHP, providing a simple object oriented interface to its API services. This component is based on ZendService_Api, giving us a flexible way to update the HTTP specification with the future API versions.

ZFTool Diagnostic Features

Artur Bodera (aka Thinkscape) provided a new diagnostics feature for ZFTool. Using this feature, we can allow the execution of customized diagnostics tests in ZF2 projects, including testing for the required PHP version, testing for specific PHP extensions, testing for specific ZF2 modules, testing for specific PHP INI settings, and more; read the documentation to get an idea of the variety of tests available.

Moreover, with the collaboration of the LiipMonitor project, we decided to create common interfaces for performing diagnostic tests in PHP applications. An initial draft is available in the ZendDiagnostic repository.

The diagnostics feature is available in the latest version of ZFTool.

Hydrator Improvements

As noted earlier, Zend\Stdlib\Hydrator now has a plugin manager you can compose into your objects for managing hydrator instances. However, beyond that, we also now have an "Aggregate Hydrator", which allows you to provide specialized mapping of your object types to hydrators via an event-based system.

Why is this exciting? Many of our users utilize Doctrine as an Object Relational Mapping (ORM) system. Oftentimes, the entities that you work with will also form a hierarchical structure. The Aggregate Hydrator allows you to attach a single hydrator to the parent object, and ensure that all child and descendant objects are either hydrated or extracted according to their type.

Reducing Dependencies

We have started work on a new story for the framework: reducing dependencies for individual components. We have received feedback from a number of developers and organizations indicating that even though each component can be installed individually, the number of dependencies most components mark as required leads to a situation where they feel they must choose whether or not they adopt the framework, versus adopting just the component. While of course we'd like them to adopt the framework, we'd rather they get a taste for it, if you will.

While this story is primarily slated for 2.3, we have made our first steps in 2.2, with the Zend\Feed and Zend\Validator components.

Zend\Validator removed its dependency on the i18n component. We achieved this by creating Separated Interfaces for the translator. Considering translation was only enabled if you explicitly injected a translator, this was a natural course of action. (It also introduced a minor backwards compatibility break; see below for more information.)

For Zend\Feed, many "required" dependencies were actually optional already, and we could mark them as such. There were two that were not, however, and which required similar treatment as Zend\Validator in creating separated interfaces: the service manager (used for extension management) and HTTP (for fetching remote feeds with the reader). Interfaces were developed for each of these, and Zend\Feed now has only two required dependencies. A nice side benefit is that you can now use third-party HTTP clients with Zend\Feed\Reader!

Migration Notes

While we have worked hard to keep code backwards compatible (BC), there are a few noteworthy changes that may affect your code.

  • Zend\Validator no longer directly consumes a Zend\I18n\Translator\Translator instance; instead, you must either implement Zend\Validator\Translator\TranslatorInterface or use Zend\Mvc\I18n\Translator. In most cases, this change should be transparent, as validator instances managed by the ValidatorPluginManager will already be using the correct instance.
  • In 2.1.5, a BC break was accidentally introduced into Zend\Navigation in order to enable a feature: MVC pages were altered to always use route match values when available when generating URIs. 2.2.0 was modified to add a flag to enable this behavior on demand, but defaults to the original behavior, which does not pass the route match values to the pages. If you relied on this behavior in 2.1.5, add the following option to your individual MVC page definitions:

    
    <?php
    'use_route_match' => true,

Other Notable Improvements

  • Authentication: The DB adapter now supports non-RDBMS credential validation.
  • Cache: New storage backend: Redis.
  • Code: The ClassGenerator now has a removeMethod() method.
  • Console: Incremental improvements to layout and colorization of banners and usage messages; fixes for how literal and non-literal matches are returned.
  • Filter: New DateTimeFormatter filter.
  • Form: Many incremental improvements to selected elements; new FormAbstractServiceFactory for defining form services; minor improvements to make the form component work with the DI service factory.
  • InputFilter: new CollectionInputFilter for working with form Collections; new InputFilterPluginManager providing integration and services for the ServiceManager.
  • I18n: We removed ext/intl as a hard requirement, and made it only a suggested requirement; the Translator has an optional dependency on the EventManager, providing the ability to tie into "missing message" and "missing translations" events; new country-specific PhoneNumber validator.
  • ModuleManager: Now allows passing actual Module instances (not just names).
  • Navigation: Incremental improvements, particularly to URL generation.
  • MVC: You can now configure the initial set of MVC event listeners in the configuration file; the MVC stack now detects generic HTTP responses when detecting event short circuiting; the default ExceptionStrategy now allows returning JSON; opt-in translatable segment routing; many incremental improvements to the AbstractRestfulController to make it more configurable and extensible; the Forward plugin was refactored to no longer require a ServiceLocatorAware controller, and instead receive the ControllerManager via its factory.
  • Paginator: Support for TableGateway objects.
  • ServiceManager: Incremental improvements; performance optimizations; delegate factories, which provide a way to write factories for objects that replace a service with a decorator; "lazy" factories, allowing the ability to delay factory creation invocation until the moment of first use.
  • Stdlib: Addition of a HydratorAwareInterface; creation of a HydratorPluginManager.
  • SOAP: Major refactor of WSDL generation to make it more maintainable.
  • Validator: New Brazilian IBAN format for IBAN validator; validators now only return unique error messages; improved Maestro detection in CreditCard validator.
  • Version: use the ZF website API for finding the latest version, instead of GitHub.
  • View: Many incremental improvements, primarily to helpers; deprecation of the Placeholder Registry and removal of it from the implemented placeholder system; new explicit factory classes for helpers that have collaborators (making them easier to override/replace).

Changelog

Greater than 150 patches were applied for 2.2.0.

Other Announcements

Over a month ago, we migrated Zend Framework 1 to GitHub. At that time, we also migrated active issues created since 1.12.0 to the GitHub issue tracker, and marked our self-hosted issue tracker read-only. We have decided to turn off that issue tracker, but still retain the original issues at their original locations for purposes of history and transparency. You can find information on the change on our issues landing page.

Thank You!

Please join me in thanking everyone who provided new features and code improvements for the 2.2.0 release! We had a huge leap forward in usability of many components, and a number of key new features that make developing applications simpler. We'll be continuing on these themes for the next release as well.

Roadmap

Maintenance releases are scheduled for the third Wednesday of each month; expect 2.2.1 on 19 June 2013. Minor releases are scheduled roughly every quarter; look for 2.3 sometime around mid-August or early September. Proposals and ideas for stories will be presented on the zf-contributors mailing list; subscribe by sending an email to zf-contributors-subscribe [at] lists.zend.com if you are interested in assisting with its development.

The Zend Framework community is pleased to announce the immediate availability of Zend Framework 2.2.0rc3! Packages and installation instructions are available at:

This is a release candidate. It is not the final release, and while stability is generally considered good, there may still be issues to resolve between now and the stable release. Use in production with caution.

DO please test your applications on this RC, as we would like to ensure that it remains backwards compatible, and that the migration path is smooth.

Changes in this version

Please see our post for 2.2.0rc1 and our post for 2.2.0rc2 for a list of changes. In addition to those changes, the following have been made:

  • A late addition of Zend\Stdlib\Hydrator\Aggregate was made. This functionality allows the ability to map hydrators to objects via events, and generally streamlines the process of having a single hydrator for a hierarchy of objects. Read more in the AggregateHydrator documentation.

  • Improvements were made to Zend\Di to make it work better with the various "Aware" interfaces that have proliferated throughout the framework, eliminating issues where the component would attempt to instantiate an interface.

Changelog

Almost 200 patches were applied for 2.2.0. We will not release a full changelog until we create the stable release. In the meantime, you can view a full set of patches applied for 2.2.0 in the 2.2.0 milestone on GitHub:

Thank You!

Please join me in thanking everyone who provided new features and code improvements for this upcoming 2.2.0 release!

Roadmap

This is the third release candidate. At this time, we anticipate a stable release sometime mid-week next week.

Over the next few days, we will be expanding on documentation, and fixing any critical issues brought to our attention; we do not anticipate many, if any, critical issues at this time, however.

Again, DO please test your applications on this RC, as we would like to ensure that it remains backwards compatible, and that the migration path is smooth.

The Zend Framework community is pleased to announce the immediate availability of Zend Framework 2.2.0rc2! Packages and installation instructions are available at:

This is a release candidate. It is not the final release, and while stability is generally considered good, there may still be issues to resolve between now and the stable release. Use in production with caution.

DO please test your applications on this RC, as we would like to ensure that it remains backwards compatible, and that the migration path is smooth.

Changes in this version

Please see our post for 2.2.0rc1 for a list of changes. In addition to those changes, the following have been made:

  • A late change was made to eliminate and/or make optional several dependencies in Zend\Feed and Zend\Validator. While these are generally backwards compatible, we need to note that you can no longer directly use Zend\I18n\Translator\Translator with validators; instead, you must use Zend\Mvc\I18n\Translator. In most cases, this will not present an issue, as the translator object is generally injected via the ValidatorPluginManager, which has already been updated to inject the correct translator object.

    If you were manually injecting your validators with a translator object, please note that you must now use Zend\Mvc\I18n\Translator.

    The changes have some immediate benefits: you can now use Zend\Feed with third-party HTTP clients!

Changelog

Almost 200 patches were applied for 2.2.0. We will not release a full changelog until we create the stable release. In the meantime, you can view a full set of patches applied for 2.2.0 in the 2.2.0 milestone on GitHub:

Thank You!

Please join me in thanking everyone who provided new features and code improvements for this upcoming 2.2.0 release!

Roadmap

We plan to release additional RCs every 3-5 days until we feel the 2.2.0 release is generally stable; we anticipate a stable release sometime next week.

During the RC period, we will be expanding on documentation, and fixing any critical issues brought to our attention.

Again, DO please test your applications on this RC, as we would like to ensure that it remains backwards compatible, and that the migration path is smooth.

The Zend Framework community is pleased to announce the immediate availability of Zend Framework 2.2.0rc1! Packages and installation instructions are available at:

This is a release candidate. It is not the final release, and while stability is generally considered good, there may still be issues to resolve between now and the stable release. Use in production with caution.

DO please test your applications on this RC, as we would like to ensure that it remains backwards compatible, and that the migration path is smooth.

Changes in this version

  • Addition of many more plugin managers and abstract service factories. In order to simplify usage of the ServiceManager as an Inversion of Control container, as well as to provide more flexibility and consistency in how various framework components are consumed, a number of plugin managers and service factories were created and enabled.

    Among the various plugin managers created are a Translator loader manager, a Hydrator plugin manager (allowing named hydrator instances), and an InputFilter manager.

    New factories include a Translator service factory, and factories for both the Session configuration and SessionManager.

    New abstract factories include one for the DB component (allowing you to manage multiple named adapters), Loggers (for having multiple Logger instances), Cache storage (for managing multiple cache backends), and Forms (which makes use of the existing FormElementsPluginManager, as well as the new Hydrator and InputFilter plugin managers).

  • Data Definition Language (DDL) support in Zend\Db. DDL provides the ability to create, alter, and drop tables in a relational database system. Zend\Db now offers abstraction around DDL, and specifically MySQL and ANSI SQL-92; we will gradually add this capability for the other database vendors we support.

  • Authentication: The DB adapter now supports non-RDBMS credential validation.
  • Cache: New storage backend: Redis.
  • Code: The ClassGenerator now has a removeMethod() method.
  • Console: Incremental improvements to layout and colorization of banners and usage messages; fixes for how literal and non-literal matches are returned.
  • DB: New DDL support (noted earlier); many incremental improvements.
  • Filter: New DateTimeFormatter filter.
  • Form: Many incremental improvements to selected elements; new FormAbstractServiceFactory for defining form services; minor improvements to make the form component work with the DI service factory.
  • InputFilter: new CollectionInputFilter for working with form Collections; new InputFilterPluginManager providing integration and services for the ServiceManager.
  • I18n: We removed ext/intl as a hard requirement, and made it only a suggested requirement; the Translator has an optional dependency on the EventManager, providing the ability to tie into "missing message" and "missing translations" events; new country-specific PhoneNumber validator.
  • ModuleManager: Now allows passing actual Module instances (not just names).
  • Navigation: Incremental improvements, particularly to URL generation.
  • MVC: You can now configure the initial set of MVC event listeners in the configuration file; the MVC stack now detects generic HTTP responses when detecting event short circuiting; the default ExceptionStrategy now allows returning JSON; opt-in translatable segment routing; many incremental improvements to the AbstractRestfulController to make it more configurable and extensible; the Forward plugin was refactored to no longer require a ServiceLocatorAware controller, and instead receive the ControllerManager via its factory.
  • Paginator: Support for TableGateway objects.
  • ServiceManager: Incremental improvements; performance optimizations; delegate factories, which provide a way to write factories for objects that replace a service with a decorator; "lazy" factories, allowing the ability to delay factory creation invocation until the moment of first use.
  • Stdlib: Addition of a HydratorAwareInterface; creation of a HydratorPluginManager.
  • SOAP: Major refactor of WSDL generation to make it more maintainable.
  • Validator: New Brazilian IBAN format for IBAN validator; validators now only return unique error messages; improved Maestro detection in CreditCard validator.
  • Version: use the ZF website API for finding the latest version, instead of GitHub.
  • View: Many incremental improvements, primarily to helpers; deprecation of the Placeholder Registry and removal of it from the implemented placeholder system; new explicit factory classes for helpers that have collaborators (making them easier to override/replace).

Changelog

Almost 200 patches were applied for 2.2.0. We will not release a full changelog until we create the stable release. In the meantime, you can view a full set of patches applied for 2.2.0 in the 2.2.0 milestone on GitHub:

Other Announcements

Around a month ago, we migrated Zend Framework 1 to GitHub. At that time, we also migrated active issues created since 1.12.0 to the GitHub issue tracker, and marked our self-hosted issue tracker read-only. We have decided to turn off that issue tracker, but still retain the original issues at their original locations for purposes of history and transparency. You can find information on the change on our issues landing page.

Thank You!

Please join me in thanking everyone who provided new features and code improvements for this upcoming 2.2.0 release!

Roadmap

We plan to release additional RCs every 3-5 days until we feel the 2.2.0 release is generally stable; we anticipate a stable release in the next 2-3 weeks.

During the RC period, we will be expanding on documentation, and fixing any critical issues brought to our attention.

Again, DO please test your applications on this RC, as we would like to ensure that it remains backwards compatible, and that the migration path is smooth.

The Zend Framework community is pleased to announce the immediate availability of Zend Framework 2.1.5! Packages and installation instructions are available at:

This is a monthly maintenance release.

Notable changes

2.1.5 is a monthly maintenance release, and the bulk of issues resolved were primarily centered around code maintainability - docblock typos were corrected, internal variables renamed more semantically, etc. However, a few changes are notable:

Manual improvements

Last month, we held our first documentation hunt, resulting in a lot of documentation improvements.

Additionally, we began an effort to provide Zend Framework 1 -> Zend Framework 2 migration information. A preview is available on readthedocs.org.

Changelog

Almost 100 patches were applied to the ZF2 codebase, and dozens to the documentation. The full changelog for 2.1.5 is available:

Thank You!

I'd like to thank everyone who provided issue reports, typo fixes, maintenance improvements, bugfixes, and documentation improvements; your efforts make the framework increasingly better!

Roadmap

Maintenance releases happen monthly on the third Wednesday. Version 2.2.0 will release in the first half of May, with the first release candidate dropping during the week of 29 April - 3 May 2013.