Bump zendframework/zendframework from 2.5.1 to 2.5.3

Open dependabot[bot] opened this issue 2 years ago • 0 comments

Bumps zendframework/zendframework from 2.5.1 to 2.5.3.

Release notes

Sourced from zendframework/zendframework's releases.

Zend Framework 2.5.3

#7665 updates component version constraints from ~2.5.0 to ^2.5 to ensure the latest security updates are always installed.

Zend Framework 2.5.2

SECURITY UPDATES

ZF2015-06: ZendXml runs a heuristic detection for XML Entity Expansion and XML eXternal Entity vectors when under php-fpm, due to issues with threading in libxml preventing using that library's built-in mechanisms for disabling them. However, the heuristic was determined to be faulty when multibyte encodings are used for the XML. This release contains a patch to ensure that the heuristic will work with multibyte encodings.

If you use Zend Framework components that utilize DOMDocument or SimpleXML (which includes Zend\XmlRpc, Zend\Soap, Zend\Feed, and several others), and deploy using php-fpm in production (or plan to), we recommend upgrading immediately.

Changelog

Sourced from zendframework/zendframework's changelog.

2.5.3 (2016-01-27)

#7665 updates component version constraints from ~2.5.0 to ^2.5 to ensure the latest security updates are always installed.

2.5.2 (2015-08-03)

SECURITY UPDATES

ZF2015-06: ZendXml runs a heuristic detection for XML Entity Expansion and XML eXternal Entity vectors when under php-fpm, due to issues with threading in libxml preventing using that library's built-in mechanisms for disabling them. However, the heuristic was determined to be faulty when multibyte encodings are used for the XML. This release contains a patch to ensure that the heuristic will work with multibyte encodings.

If you use Zend Framework components that utilize DOMDocument or SimpleXML (which includes Zend\XmlRpc, Zend\Soap, Zend\Feed, and several others), and deploy using php-fpm in production (or plan to), we recommend upgrading immediately.

Commits

aeb432d Merge branch 'feature/looser-constraints'
83f3d17 Added CHANGELOG for #7665
c2300cc Updated dependencies to ^2.5
0993994 Merge branch 'release-2.5'
6babe86 Update zendxml to ^1.0.1
926de5b Merge pull request #7612 from radarhere/patch-1
efb17a2 Fixed typo
096d3df Merge pull request #7576 from campersau/patch-1
cc5cea4 update latest CHANGELOG.md with correct zf version
72a9689 Merge branch 'version/bump'
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the Security Alerts page.

Aug 03 '23 21:08 dependabot[bot]