Debian Security Advisory

DLA-326-1 zendframework -- LTS security update

Date Reported:
15 Oct 2015
Affected Packages:
zendframework
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2015-7695.
More information:

The PDO adapters of Zend Framework 1 did not filter null byte values in SQL statements. A PDO adapter can treat a null byte in a query as a string terminator, so an attacker who can place a null byte in a value is able to append arbitrary SQL after it, resulting in SQL injection.
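
The hazard described above, as an added example (not Zend Framework or Debian code): a quoted literal that still contains a raw NUL byte is read differently by a binary-safe layer and by a layer that treats strings as NUL-terminated, and a value check that closes that gap before the value reaches any quoting or client-library code. The helper names naiveQuote, safeQuote, quoteInto and asCString are hypothetical and are not Zend_Db APIs; the attacker input is constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example; not Zend Framework or Debian code. All function names below
// are hypothetical helpers, not Zend_Db APIs.

// Quoting in the style of a string-doubling adapter: doubles single quotes
// but leaves raw NUL bytes in the literal untouched.
function naiveQuote(string $value): string
{
    return "'" . str_replace("'", "''", $value) . "'";
}

// What a NUL-terminated consumer (a C client library, or a driver that hands
// the SQL text on as a C string) sees: everything up to the first NUL byte.
function asCString(string $sql): string
{
    $nul = strpos($sql, "\0");
    return $nul === false ? $sql : substr($sql, 0, $nul);
}

// Hardened quoting: a NUL byte never belongs in a text value, so reject it
// before any lower layer can interpret it. Escaping it instead (for example
// as \0) is only correct for dialects that define that escape sequence.
function safeQuote(string $value): string
{
    if (strpos($value, "\0") !== false) {
        throw new InvalidArgumentException('NUL byte in SQL string value');
    }
    return "'" . str_replace("'", "''", $value) . "'";
}

// Replace the first ? placeholder with a quoted literal, the way a
// quoteInto()-style helper assembles SQL text from untrusted input.
function quoteInto(string $sql, string $value, callable $quote): string
{
    $pos = strpos($sql, '?');
    if ($pos === false) {
        throw new InvalidArgumentException('no placeholder in SQL');
    }
    return substr($sql, 0, $pos) . $quote($value) . substr($sql, $pos + 1);
}

// Constructed attacker input: a NUL byte followed by SQL of the attacker's choice.
$input = "alice\0' OR 1=1 --";
$template = 'SELECT * FROM users WHERE name = ?';

// With naive quoting the two layers disagree on where the literal ends: the
// binary-safe view still holds one quoted string, while the C-string view is
// cut off inside it. Whatever the lower layer does with the bytes after the
// NUL is no longer governed by the quoting applied above it.
$naive = quoteInto($template, $input, 'naiveQuote');
echo "binary-safe view: " . str_replace("\0", '<NUL>', $naive) . "\n";
echo "C-string view:    " . asCString($naive) . "\n";

// With the check in place the value never reaches the quoting layer.
try {
    quoteInto($template, $input, 'safeQuote');
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}

// Preferred in any case: bind the value so it travels out of band rather
// than being spliced into the SQL text at all, e.g.
// $stmt = $pdo->prepare($template);
// $stmt->execute([$input]);
```

The check belongs at the point where untrusted values enter query construction, not only in one adapter; a value containing a NUL byte has no legitimate textual meaning and rejecting it is dialect-independent, whereas escaping it requires knowing which escape sequence the target database actually understands.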

For Debian 6 Squeeze, this issue has been fixed in zendframework version 1.10.6-1squeeze6.