Two new mini releases of Zend Framework, 1.9.8 and 1.10.3, are now available for download. The reason for a double release resides in the discovering of a potential security issue in the bundled JavaScript library, the Dojo Toolkit.

The Dojo security threat

After a general code review in March, the Dojo foundation announced a security advisory about the presence of some PHP and html files in the standard builds of Dojo. While specific exploits that take advantage of the execution of these PHP scripts are not known at this time, they are unnecessary to run Dojo and can potentially serve as an attack vector.

Please note that this issue affects you only if your Zend Framework applications use the Dojo Toolkit with the build included in a framework release or a custom one. If you refer to the Google or AOL CDNs, which publicly host the JavaScript files, the builds have already been fixed and you can set the Zend_Dojo component to a new version in the ones suggested in the announcement. The outsourcing of hosting on the cloud has once again proved useful, with the new Dojo releases already deployed at the time of the public announcement.

You can fix the security issues by upgrading to one of these two new releases, according to your preferred branch (1.9 or 1.10). You can also fix the build by grabbing your build from a Dojo official package.

Zend Framework releases

Zend takes security threats very seriously too, and the updated builds have brought a release for the current 1.10 branch, which incorporates also 80 bugfixes, and one for the previous 1.9 branch, which only updates the Dojo build.

In the 1.10.3 changelog, you can see that the main components whose issues have been resolved are Zend_Cache, Zend_Form and Zend_Validate. As in every mini release, backward compatibility is maintained and no new functionality has been introduced.

It is a good practice to upgrade your applications gradually by staying in touch with the new releases of the framework, and having a set of integration tests that catch regressions introduced by the new release. While Zend Framework itself has a large test suite, you have to make sure that applications and the framework conform to the same contract, which can slightly change after every release as the result of the framework’s evolution.