Fedora: 2015-7708 Critical Update: php-ZendFramework2 CRLF Injection Threat

May 26, 2015
Important Fedora Update for php-ZendFramework2 fixes CRLF injection vulnerabilities. Users should upgrade immediately.
* **ZF2015-04**: Zend\Mail and Zend\Http were both susceptible to CRLF Injection Attack vectors (for HTTP, this is often referred to as HTTP Response Splitting)

Summary

Zend Framework 2 is an open source framework for developing web applications and services using PHP 5.3+. Zend Framework 2 uses 100% object-oriented code and utilizes most of the new features of PHP 5.3, namely namespaces, late static binding, lambda functions and closures.

Zend Framework 2 evolved from Zend Framework 1, a successful PHP framework with over 15 million downloads.

Note: This meta package installs all base Zend Framework component packages (Authentication, Barcode, Cache, Captcha, Code, Config, Console, Crypt, Db, Debug, Di, Dom, Escaper, EventManager, Feed, File, Filter, Form, Http, I18n, InputFilter, Json, Ldap, Loader, Log, Mail, Math, Memory, Mime, ModuleManager, Mvc, Navigation, Paginator, Permissions-Acl, Permissions-Rbac, ProgressBar, Serializer, Server, ServiceManager, Session, Soap, Stdlib, Tag, Test, Text, Uri, Validator, Version, View, XmlRpc) except the optional Cache-apc and Cache-memcached packages.

Update Information:

* **ZF2015-04**: Zend\Mail and Zend\Http were both susceptible to CRLF Injection Attack vectors (for HTTP, this is often referred to as HTTP Response Splitting). Both components were updated to perform header value validations to ensure no values contain characters not detailed in their corresponding specifications, and will raise exceptions on detection. Each also provides new facilities for both validating and filtering header values prior to injecting them into header classes. If you use either Zend\Mail or Zend\Http (which includes users of Zend\Mvc), we recommend upgrading immediately.
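
The validate-or-filter behaviour described above, shown for HTTP header values as an added example (not Zend Framework's own code). The function names are hypothetical, the allowed byte set is an assumption taken from the HTTP field-value grammar (HTAB, SP, visible ASCII, obs-text), and the input is constructed.

```php
<?php
// Added example: hypothetical helpers, not Zend Framework's implementation.

// True only if every byte is HTAB, SP, visible ASCII or obs-text (0x80-0xFF).
// The /D modifier matters: without it, "$" also matches before a trailing "\n".
function headerValueIsValid(string $value): bool
{
    return preg_match('/^[\x09\x20-\x7E\x80-\xFF]*$/D', $value) === 1;
}

// Validation path: raise an exception on detection, as the advisory describes.
function assertHeaderValue(string $value): void
{
    if (!headerValueIsValid($value)) {
        throw new InvalidArgumentException('Invalid header value detected');
    }
}

// Filtering path: drop every byte outside the allowed set (CR, LF, NUL, ...).
function filterHeaderValue(string $value): string
{
    return preg_replace('/[^\x09\x20-\x7E\x80-\xFF]/', '', $value);
}

// Serialize one header line; the value is checked before it reaches the wire.
function buildHeaderLine(string $name, string $value): string
{
    assertHeaderValue($value);
    return $name . ': ' . $value . "\r\n";
}

// Constructed sample input: a value carrying an embedded CRLF sequence.
$untrusted = "/home\r\nX-Injected: 1";

// Unvalidated concatenation serializes to two header lines instead of one.
$naive = 'Location: ' . $untrusted . "\r\n";
echo substr_count($naive, "\r\n"), " line terminators without validation\n";

// With validation, the same value is rejected before serialization.
try {
    buildHeaderLine('Location', $untrusted);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// With filtering first, the value collapses into a single header line.
echo buildHeaderLine('Location', filterHeaderValue($untrusted));
```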

Change Log

* Fri May 8 2015 Remi Collet - 2.3.8-1 - Update to 2.3.8

References

Fedora Update Notification FEDORA-2015-7708 2015-05-10 03:56:08
* Name: php-ZendFramework2
* Product: Fedora 22
* Version: 2.3.8
* Release: 1.fc22
* URL: https://framework.zend.com/
* Summary: Zend Framework 2

Update Instructions

This update can be installed with the "yum" update program. Use `su -c 'yum update php-ZendFramework2'` at the command line. For more information, refer to "Managing Software with yum", available at .

Severity
critical
