Debian Security Advisory
DLA-646-1 zendframework -- LTS security update
- Date Reported: 05 Oct 2016
- Affected Packages: zendframework
- Security database references: In Mitre's CVE dictionary: CVE-2016-4861.
- More information:
The implementation of ORDER BY and GROUP BY in Zend_Db_Select remained prone to SQL injection when a combination of SQL expressions and comments was used. This security patch identifies and removes comments before checking the validity of the statement, so that the check sees the same text the database would execute and no SQLi vectors remain.
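The defensive pattern the advisory describes, stripping comments before validating a sort or grouping term, is shown below as an added, framework-independent example; it is not Zend Framework code and does not reproduce the patched Zend_Db_Select logic. It combines the comment-stripping step with an allow-list of sortable columns, which is the check an application should apply to any user-supplied ORDER BY or GROUP BY argument regardless of framework. All function names, patterns and sample inputs are constructed for this illustration.

```python
import re

# The three comment styles MySQL accepts: /* ... */, "-- ..." and "# ..." (to end of line).
_COMMENT_RE = re.compile(r"/\*.*?\*/|--[^\r\n]*|#[^\r\n]*", re.DOTALL)

# One ORDER BY / GROUP BY term: optional table qualifier, a plain identifier,
# and an optional direction. Anything else (expressions, parentheses, operators) is rejected.
_TERM_RE = re.compile(
    r"^(?:(?P<table>[A-Za-z_][A-Za-z0-9_]*)\.)?"
    r"(?P<column>[A-Za-z_][A-Za-z0-9_]*)"
    r"(?:\s+(?P<direction>ASC|DESC))?$",
    re.IGNORECASE,
)


def strip_sql_comments(text: str) -> str:
    """Remove SQL comments so a validity check sees what the database would actually parse."""
    return _COMMENT_RE.sub("", text)


def render_order_by(terms, allowed_columns) -> str:
    """Return a quoted 'ORDER BY ...' fragment built only from allow-listed columns.

    Raises ValueError for any term that contains a comment, is not a plain
    column reference, or names a column the application does not permit sorting on.
    """
    allowed = {c.lower() for c in allowed_columns}
    rendered = []
    for raw in terms:
        cleaned = strip_sql_comments(raw).strip()
        if cleaned != raw.strip():
            # A comment inside a sort key is never legitimate application input:
            # reject it outright instead of silently cleaning it up.
            raise ValueError(f"comment in ORDER BY term: {raw!r}")
        match = _TERM_RE.match(cleaned)
        if match is None:
            raise ValueError(f"not a plain column reference: {raw!r}")
        column = match.group("column")
        if column.lower() not in allowed:
            raise ValueError(f"column not allowed for sorting: {column!r}")
        quoted = f"`{column}`"
        if match.group("table"):
            quoted = f"`{match.group('table')}`.{quoted}"
        direction = (match.group("direction") or "ASC").upper()
        rendered.append(f"{quoted} {direction}")
    return "ORDER BY " + ", ".join(rendered)


def is_safe_order_by(terms, allowed_columns) -> bool:
    """Boolean wrapper around render_order_by, convenient for request validation."""
    try:
        render_order_by(terms, allowed_columns)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: a legitimate request and a few that must be refused.
    print(render_order_by(["created_at DESC", "u.name"], {"created_at", "name"}))
    for bad in (["name /* hidden */"], ["LOWER(name)"], ["price"]):
        print(bad, "->", is_safe_order_by(bad, {"created_at", "name"}))
```

The order of operations matters: the comment check runs first, so a term that would only look like a plain column after comments are removed is refused before the identifier pattern or the allow-list is consulted.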
For Debian 7 "Wheezy", these problems have been fixed in version 1.11.13-1.1+deb7u5.
We recommend that you upgrade your zendframework packages.
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS