path: root/UPDATING
author: Greg Larkin <glarkin@FreeBSD.org> 2009-02-18 18:06:37 +0000
committer: Greg Larkin <glarkin@FreeBSD.org> 2009-02-18 18:06:37 +0000
commit: 549cd8c77049285a35eb46b29ab00746f06f80ba (patch)
tree: f0a8827ba8799aa7fc413b935ae7aabfb2f603f0 /UPDATING
parent: ea4b0a7ec259340ff0cb3ab9462a472c1b29ad41 (diff)
- Update to 1.7.5
- Added UPDATING entry about incompatibility between 1.7.4 and 1.7.5
- Added vuln.xml entry for local file inclusion vulnerability in <1.7.5
- Added maintainer mode target in ZF Makefile to speed up fixups of pkg-plist output from genplist

Security: cf495fd4-fdcd-11dd-9a86-0050568452ac
Security: http://framework.zend.com/issues/browse/ZF-5748
Security: http://weierophinney.net/matthew/archives/206-Zend-Framework-1.7.5-Released-Important-Note-Regarding-Zend_View.html
Notes: svn path=/head/; revision=228608
Diffstat (limited to 'UPDATING')
-rw-r--r--  UPDATING  20
1 files changed, 20 insertions, 0 deletions
diff --git a/UPDATING b/UPDATING
index 531ff0a73d82..520891ed7b4a 100644
--- a/UPDATING
+++ b/UPDATING
@@ -6,6 +6,26 @@ You should get into the habit of checking this file for changes each
time you update your ports collection, before attempting any port
upgrades.
+20090218:
+ AFFECTS: users of www/zend-framework
+ AUTHOR: glarkin@FreeBSD.org
+
+ A local file inclusion (LFI) vulnerability was fixed in Zend
+ Framework 1.7.5. The LFI was present in the Zend_View::render()
+ method, and allowed inclusion of scripts with relative path
+ names, e.g. "../../../my/script/dir/myscript.php".
+
+ If the script path name is hard-coded into the application and is not
+ generated by user input, the vulnerability does not apply. Because
+ of this exception, the Zend Framework team has added a flag to
+ disable the LFI protection in the render() method.
+
+ Full details of the vulnerability, whether it applies to your
+ application and how to disable the LFI protection in the render()
+ method can be found here:
+
+ http://framework.zend.com/manual/en/zend.view.migration.html
+
20090216:
AFFECTS: users of net/openldap24-{client,server}
AUTHOR: delphij@FreeBSD.org
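Review bot: The new UPDATING entry (the "+" lines between "20090218:" and the zend.view.migration.html link) explains that the LFI protection can be switched off but never states the action users should take, nor that turning the protection off re-exposes any call site where the render() script name is derived from request data. Consider adding a line after "...generated by user input, the vulnerability does not apply." along the lines of "Upgrade to 1.7.5 and audit every call to render(); only disable the protection if all script path names passed to it are fixed strings." It would also help portaudit users if the entry cited the VuXML id from the commit message, cf495fd4-fdcd-11dd-9a86-0050568452ac, next to the migration-guide URL, since the entry currently gives no identifier to correlate against the vuln.xml record this same commit adds.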