Debian Security Advisory

DLA-326-1 zendframework -- LTS security update

Date Reported:
15 Oct 2015
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2015-7695.
More information:

The PDO adapters of Zend Framework 1 did not filter null bytes values in SQL statements. A PDO adapter can treat null bytes in a query as a string terminator, allowing an attacker to add arbitrary SQL following a null byte, and thus create a SQL injection.

For Debian 6 Squeeze, this issue has been fixed in zendframework version 1.10.6-1squeeze6.