Wil,

On Fri, Mar 20, 2009 at 3:40 PM, Wil Sinclair <w...@zend.com> wrote:

> Good question. We will not be incrementing the release number. This might
> cause confusion for 2 reasons: no release was actually built and offered on
> the site, and it would blur our policy of leaving old release branches
> completely behind. Obviously we're making an exception for security patches
> on the second point, although as a community we should really be putting the
> effort in to testing BC so that few people will have to take advantage of
> this update method. So, for these reasons, we'd prefer to use the patch
> convention: 1.7.7-p1, for example.
>
> Matthew will be creating a p2 tag later today, and may create a p1 tag next
> week (there shouldn't be anyone who should need this tag at this point + it
> is complicated by the commit order of the backports).

That is great, thanks! It seems more appropriate for me to use a tag in my
svn:externals so that I know exactly what codebase I'm getting and it doesn't
change on me until I make the decision (I know, I could just specify the
revision number). I can understand why you'd want to use the patch convention
to make it clear that you're not supporting that branch anymore (except for
security patches) - definitely makes sense to me.

> As always, thanks for the feedback!

Of course!

Thanks,
Bradley

> ,Wil
>
> From: Bradley Holt [mailto:bradley.h...@foundline.com]
> Sent: Friday, March 20, 2009 12:22 PM
> To: Wil Sinclair
> Cc: fw-general@lists.zend.com
> Subject: Re: [fw-general] SECURITY ADVISORY
>
> Wil,
>
> We have one project that is running on a client's RHEL server and are using
> ZF 1.6.2 due to compatibility issues. I see that these fixes have been
> backported to the release-1.6 branch but no new tag was created (the last
> tag in 1.6 is 1.6.2, last updated on 10/12/2008). Wouldn't it be appropriate
> to create a new 1.6.3 tag with this backported fix? If not, I can simply
> switch my svn:externals to use the branch instead of a tag, but it just seems
> more appropriate for me to use tags instead of branches in my svn:externals.
>
> Thanks,
> Bradley
>
> On Thu, Mar 19, 2009 at 4:56 PM, Wil Sinclair <w...@zend.com> wrote:
>
> The Zend Framework team was recently notified of an XSS attack vector in
> its Zend_Filter_StripTags class. Zend_Filter_StripTags offers the ability to
> strip HTML tags from text, but also to selectively choose which tags and
> specific attributes of those tags to keep.
>
> The XSS attack vector was due to a bug in matching HTML tag attributes to
> retain. If whitespace was introduced surrounding the attribute assignment
> operator or the value included newline characters, the attribute would
> always be included in the final output, even if it was not marked to retain.
>
> A security fix has been created and released with Zend Framework 1.7.7.
>
> Additionally, the fix has been back-ported to the 1.6, 1.5, and 1.0 release
> branches.
>
> The Zend Framework team strongly recommends upgrading to version 1.7.7. If
> you cannot upgrade at this time, we recommend exporting from the release
> branch matching the minor release you are currently using, or downloading
> the file listed below and pushing it into your Zend Framework installation.
>
> http://framework.zend.com/svn/framework/standard/branches/release-1.7/library/Zend/Filter/StripTags.php
>
> Thank you.
>
> ,Wil
>
> --
> Bradley Holt
> bradley.h...@foundline.com

--
Bradley Holt
bradley.h...@foundline.com
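The attribute-matching failure the advisory describes, shown as an added illustration that is not Zend Framework's code and not the actual Zend_Filter_StripTags implementation: a naive attribute filter whose regex only recognises `name="value"` with no whitespace around `=` and no newline inside the value, next to a tolerant rewrite that tokenises attributes and rebuilds the tag from the allow list alone. The regexes, function names, the allow list and the sample markup are all assumptions constructed for this example.

```python
import re

# Constructed allow list: tag name -> attributes that may survive on that tag.
ALLOWED = {"a": {"href", "title"}, "b": set(), "p": set()}

# One regex for the tag itself: '/' for closing tags, the tag name, the raw
# attribute text, and an optional trailing '/' for self-closing tags.
TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*?)(/?)>")

# Naive attribute pattern (the bug class): it only recognises  name="value"
# with no whitespace around '=' and no newline inside the quotes.
ATTR_NAIVE_RE = re.compile(r'\s*([a-zA-Z][\w-]*)="([^"\n]*)"')

# Tolerant attribute pattern: whitespace (newlines included) around '=',
# double-quoted, single-quoted or unquoted values, and bare attributes.
ATTR_TOLERANT_RE = re.compile(
    r'''\s*([a-zA-Z][\w:-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?'''
)


def strip_tags_naive(html, allowed=ALLOWED):
    """Vulnerable shape: delete the disallowed attributes the naive regex can see.

    Attribute text the regex does not match is left in the tag untouched, so
    ' onclick = "..."' or a value containing a newline passes straight through.
    """
    def fix_tag(m):
        closing, name, attrs, selfclose = m.groups()
        tag = name.lower()
        if tag not in allowed:
            return ""  # tag not on the allow list: drop the tag, keep its text

        def fix_attr(am):
            return am.group(0) if am.group(1).lower() in allowed[tag] else ""

        return "<%s%s%s%s>" % (closing, name, ATTR_NAIVE_RE.sub(fix_attr, attrs), selfclose)

    return TAG_RE.sub(fix_tag, html)


def strip_tags_hardened(html, allowed=ALLOWED):
    """Hardened shape: tokenise attributes tolerantly and rebuild the tag from
    the allow list only, so text that was never parsed cannot survive."""
    def fix_tag(m):
        closing, name, attrs, selfclose = m.groups()
        tag = name.lower()
        if tag not in allowed:
            return ""
        kept = []
        for am in ATTR_TOLERANT_RE.finditer(attrs):
            attr = am.group(1).lower()
            if attr not in allowed[tag]:
                continue
            value = next((g for g in am.groups()[1:] if g is not None), None)
            if value is None:
                kept.append(attr)  # bare attribute such as 'disabled'
            else:
                # Re-quote with double quotes and neutralise any embedded quote.
                kept.append('%s="%s"' % (attr, value.replace('"', "&quot;")))
        attr_text = " " + " ".join(kept) if kept else ""
        return "<%s%s%s%s>" % (closing, tag, attr_text, selfclose)

    return TAG_RE.sub(fix_tag, html)


# Constructed inputs: the first is the easy case; the other two are the
# whitespace-around-'=' and newline-in-value shapes the advisory names.
SAMPLES = [
    '<a href="/x" onclick="alert(1)">plain</a>',
    '<a href="/x" onclick = "alert(1)">spaced</a>',
    '<a href="/x" onclick="alert(\n1)">newline</a>',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print("naive:    ", strip_tags_naive(s))
        print("hardened: ", strip_tags_hardened(s))
```

The difference that matters is not the regex alone but the direction of the filter: the naive version subtracts what it recognises as bad, so any attribute its parser fails on is kept by default, while the hardened version emits only what it affirmatively parsed and found on the allow list. Note that allowing `href` at all still leaves URL scheme checking (for example `javascript:` links) as a separate concern outside this filter.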