Debian Security Advisory

DLA-646-1 zendframework -- LTS security update

Date Reported:
05 Oct 2016
Affected Packages:
Security database references:
In Mitre's CVE dictionary: CVE-2016-4861.
More information:
  • CVE-2016-4861

    The implementation of ORDER BY and GROUP BY in Zend_Db_Select remained prone to SQL injection when a combination of SQL expressions and comments were used. This security patch provides a comprehensive solution that identifies and removes comments prior to checking validity of the statement to ensure no SQLi vectors occur.

For Debian 7 Wheezy, these problems have been fixed in version 1.11.13-1.1+deb7u5.

We recommend that you upgrade your zendframework packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: