Zend Framework 2.4.8

Security Update

• ZF2015-07: The filesystem storage adapter of Zend\Cache was creating directories with a liberal umask that could lead to local arbitrary code execution and/or local privilege escalation. This release contains a patch that ensures the directories are created using permissions of 0775 and files using 0664 (essentially umask 0002).

Bug fixed from upstream Changelog

• validate against DateTimeImmutable instead of DateTimeInterface
• treat 0.0 as non-empty, restoring pre-2.4 behavior
• deprecate "magic" logic for auto-attaching NonEmpty validators in favor of explicit attachment
• ensure fallback values work as per pre-2.4 behavior
• update the InputFilterInterface::add() docblock to match implementations
• Fix how missing optoinal fields are validated to match pre 2.4.0 behavior
• deprecate AllowEmpty and ContinueIfEmpty annotations, per zend-inputfilter#26
• fix typos in aria attribute names of AbstractHelper
• fixes the ContentType header to properly handle encoded parameter values
• fixes the Sender header to allow mailbox addresses without TLDs
• fixes parsing of messages that contain an initial blank line before headers
• fixes the SetCookie header to allow multiline values (as they are always encoded
• fixes DefaultRenderingStrategy errors due to controllers returning non-view model results