The end of maintenance of symfony 1.2 is approaching and originally I was planning to release the last supported version live from the symfony live conference 2010. However, an XSS bug that was discovered made me release this earlier. I hope you appreciate the fixes delivered today and upgrade your projects to close the security issue. Unless there are any major issues with symfony 1.2 in the next days, this will be the final release for the 1.2 branch.
I strongly encourage you to upgrade your projects to symfony 1.3, which should be very easy. Even better would be if you could upgrade to 1.4, getting rid of deprecated code and preparing your projects for future evolution of the framework. The project:validate task was optimized to deliver even better support in doing so.
The security fix
A cross-site scripting (XSS) vulnerability was discovered in the form framework's widget classes that render collections of radio buttons or checkboxes and their labels. This hole has been closed.
How to install
Please upgrade your existing projects by updating the reference to the 1.2.11 subversion tag or by running the PEAR upgrade command:
$ pear upgrade symfony/symfony-1.2.11
If you use the 1.2 branch from our SVN repository, just run the svn update command to upgrade your project.
Last but not least, don't forget to clear your cache. When using Doctrine, run:
$ php symfony doctrine:build-model
$ php symfony doctrine:build-forms
$ php symfony doctrine:build-filters
$ php symfony cache:clear
or when using propel:
$ php symfony propel:build-model
$ php symfony propel:build-forms
$ php symfony propel:build-filters
$ php symfony cache:clear
#sfLive2010
I will be attending symfony live, and I will be ready to answer any kind of questions, along with the other core devs, during the conference or the panel on Tuesday. I will also tweet from time to time using the #sflive2010 hashtag. Looking forward to seeing you in Paris.