Debian Security Advisory
DLA-326-1 zendframework -- LTS security update
- Date Reported:
- 15 Oct 2015
- Affected Packages:
- Security database references:
- In Mitre's CVE dictionary: CVE-2015-7695.
- More information:
The PDO adapters of Zend Framework 1 did not filter null bytes values in SQL statements. A PDO adapter can treat null bytes in a query as a string terminator, allowing an attacker to add arbitrary SQL following a null byte, and thus create a SQL injection.
For Debian 6 Squeeze, this issue has been fixed in zendframework version 1.10.6-1squeeze6.