| Name | CVE-2016-4861 |
| Description | The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.20 might allow remote attackers to conduct SQL injection attacks by leveraging failure to remove comments from an SQL statement before validation. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-1403-1, DLA-646-1 |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| zendframework | source | wheezy | 1.11.13-1.1+deb7u5 | DLA-646-1 | ||
| zendframework | source | jessie | 1.12.9+dfsg-2+deb8u7 | DLA-1403-1 | ||
| zendframework | source | (unstable) | 1.12.20+dfsg-1 |
http://framework.zend.com/security/advisory/ZF2016-03
This security fix can be considered an improvement of the previous ZF2016-02
and ZF2014-04 advisories.
Fixed by: https://github.com/zendframework/zf1/commit/b1c71dd94296d9000127720c85a7ea9e3b35af4b (1.12.20)