Debian Security Advisory

DLA-646-1 zendframework -- LTS security update

Date Reported:
05 Oct 2016
Affected Packages:
zendframework
Vulnerable:
Yes
Security database references:
In Mitre's CVE dictionary: CVE-2016-4861.
More information:
  • CVE-2016-4861

    The implementation of ORDER BY and GROUP BY in Zend_Db_Select remained prone to SQL injection when a combination of SQL expressions and comments was used. This security patch provides a comprehensive solution that identifies and removes comments prior to checking the validity of the statement, so that the check sees the same text the database will execute and no SQLi vectors remain.
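
    As an added illustration (not the Zend Framework patch itself), the Python below shows the defensive pattern the fix describes: strip SQL comments first, then validate the ORDER BY term against a strict grammar and an optional column allow-list, and emit only the quoted, normalised form. The column names and sample inputs are constructed.

```python
import re

# Comment forms recognised by common engines: /* ... */, -- to end of line,
# # to end of line (MySQL). Stripping all of them is conservative.
_COMMENT_RE = re.compile(r"/\*.*?\*/|--[^\r\n]*|#[^\r\n]*", re.S)

# Strict grammar for one sort term: [table.]column [ASC|DESC]
_TERM_RE = re.compile(
    r"^\s*(?:(?P<table>[A-Za-z_]\w*)\.)?(?P<column>[A-Za-z_]\w*)"
    r"(?:\s+(?P<dir>ASC|DESC))?\s*$",
    re.I,
)


def strip_sql_comments(text: str) -> str:
    """Remove comments so validation sees what the database would see."""
    return _COMMENT_RE.sub(" ", text)


def quote_identifier(name: str) -> str:
    """ANSI double-quote an identifier, escaping embedded quotes."""
    return '"' + name.replace('"', '""') + '"'


def safe_order_term(term: str, allowed_columns=None) -> str:
    """Return a safe, normalised ORDER BY term or raise ValueError.

    Comments are removed *before* the grammar check, so a comment cannot
    hide part of the term from the validator while still reaching the DB.
    """
    cleaned = strip_sql_comments(term)
    m = _TERM_RE.match(cleaned)
    if m is None:  # any expression, comma, parenthesis, etc. is rejected
        raise ValueError(f"rejected ORDER BY term: {term!r}")
    table, column, direction = m.group("table"), m.group("column"), m.group("dir")
    if allowed_columns is not None and column.lower() not in {
        c.lower() for c in allowed_columns
    }:
        raise ValueError(f"column not in allow-list: {column!r}")
    out = quote_identifier(column)
    if table:
        out = quote_identifier(table) + "." + out
    return out + (" " + direction.upper() if direction else "")


def is_safe_order_term(term: str, allowed_columns=None) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        safe_order_term(term, allowed_columns)
        return True
    except ValueError:
        return False


def build_order_by(terms, allowed_columns=None) -> str:
    """Assemble an ORDER BY clause from user-supplied sort terms."""
    if not terms:
        return ""
    return "ORDER BY " + ", ".join(safe_order_term(t, allowed_columns) for t in terms)
```

Note that a term whose direction keyword sits inside a comment ("name -- desc") is normalised to the bare column, which is exactly what the database would have executed.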

For Debian 7 Wheezy, these problems have been fixed in version 1.11.13-1.1+deb7u5.

We recommend that you upgrade your zendframework packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS