The download URL was incorrect -- correct URL is http://framework.zend.com/download/latest
-- Matthew Weier O'Phinney <matt...@zend.com> wrote
(on Monday, 20 August 2012, 04:21 PM -0500):
> The Zend Framework community announces the immediate availability of
> both 1.11.13 and 1.12.0rc4.
>
> Downloads for both versions are available at:
>
>     http://framework.zend.com/downloads/latest
>
>
> SECURITY NOTICE FOR 1.11.13 AND 1.12.0RC4
> -----------------------------------------
>
> Several components were found to contain additional XML eXternal Entity
> (XXE) injection vulnerabilities (in addition to the XML-RPC component
> patched in 1.11.12). Additionally, we identified several potential XML
> Entity Expansion (XEE) vectors. XEE attacks occur when the XML doctype
> declaration contains XML entity definitions; these attacks usually result
> in recursion, which consumes CPU and memory resources, making Denial of
> Service (DoS) attacks easier to implement.
>
> The patches in 1.11.13 and 1.12.0rc4 close both XXE and XEE
> vulnerabilities found in the framework. The former are mitigated by
> ensuring libxml_disable_entity_loader is called before any SimpleXML
> calls are executed; the latter are mitigated by looping through the
> DOMDocument instance and checking for XML_DOCUMENT_TYPE_NODE children,
> raising an exception if any are found (in cases where SimpleXML is used,
> loading the XML via DOMDocument first, and then passing the object to
> simplexml_import_dom).
>
> The following components were patched:
>
> - Zend_Dom
> - Zend_Feed
> - Zend_Soap
> - Zend_XmlRpc
>
> Thanks goes to Pádraic Brady for identifying and patching these vectors.
>
> If you are using any of the above components, we highly recommend
> upgrading to 1.11.13 or later immediately.
>
> --
> Matthew Weier O'Phinney
> Project Lead | matt...@zend.com
> Zend Framework | http://framework.zend.com/
> PGP key: http://framework.zend.com/zf-matthew-pgp-key.asc
>

--
Matthew Weier O'Phinney
Project Lead | matt...@zend.com
Zend Framework | http://framework.zend.com/
PGP key: http://framework.zend.com/zf-matthew-pgp-key.asc

--
List: fw-general@lists.zend.com
Info: http://framework.zend.com/archives
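
The two mitigations described in the announcement, sketched as an added example (not code from Zend Framework or from the message above). The function name `loadUntrustedXml` and the sample documents are constructed for illustration; the `libxml_disable_entity_loader` call is guarded because it is deprecated as of PHP 8.0, where external entity loading is disabled by default.

```php
<?php
// Added example, not Zend Framework code. loadUntrustedXml() is a hypothetical name.
function loadUntrustedXml(string $xml): SimpleXMLElement
{
    // XXE: block external entity loading before any parsing. The call is
    // deprecated since PHP 8.0, where loading is already off by default.
    $restore = PHP_VERSION_ID < 80000 ? libxml_disable_entity_loader(true) : null;
    $prevErrors = libxml_use_internal_errors(true);
    try {
        $dom = new DOMDocument();
        // No LIBXML_NOENT: entity references are not substituted on load.
        if (!$dom->loadXML($xml, LIBXML_NONET)) {
            throw new InvalidArgumentException('malformed XML');
        }
        // XEE: entity definitions live in the DOCTYPE, so refuse any document
        // that carries one among the DOMDocument's children.
        foreach ($dom->childNodes as $child) {
            if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
                throw new InvalidArgumentException('DOCTYPE not allowed');
            }
        }
        // Only now hand the vetted document to SimpleXML.
        $sx = simplexml_import_dom($dom);
        if (!$sx instanceof SimpleXMLElement) {
            throw new InvalidArgumentException('could not import document');
        }
        return $sx;
    } finally {
        // Restore global libxml state so other callers are unaffected.
        libxml_clear_errors();
        libxml_use_internal_errors($prevErrors);
        if ($restore !== null) {
            libxml_disable_entity_loader($restore);
        }
    }
}

// Constructed sample inputs: one plain document, one declaring an entity.
$samples = [
    'plain'   => '<?xml version="1.0"?><feed><title>ok</title></feed>',
    'doctype' => '<?xml version="1.0"?><!DOCTYPE feed [<!ENTITY a "aaaa">]>'
               . '<feed><title>&a;</title></feed>',
];
foreach ($samples as $name => $xml) {
    try {
        echo $name, ': accepted, title=', (string) loadUntrustedXml($xml)->title, "\n";
    } catch (InvalidArgumentException $e) {
        echo $name, ': rejected (', $e->getMessage(), ")\n";
    }
}
```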