Zend Framework 1.7.5 as been released and there’s a security update in it.
The security announcement is:
The Zend Framework team has been notified of a potential Local File Inclusion (LFI) attack vector in Zend_View’s render() method. To address the issue, as of the 1.7.5 release the render() method no longer accepts paths that include parent directory traversal (e.g., “../” and “..\”) in the path argument. This introduces a regression in behavior which can be addressed by turning off the lfiProtectionOn flag. For more information, see:
If this advisory does not affect your applications, please disregard. We take security very seriously and will continue to notify all users when a security fault is discovered.
Matthew Weir O’Phinney has all the details about it if you are interested.
Download it now!