CVE-2016-4861

NameCVE-2016-4861
DescriptionThe (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.20 might allow remote attackers to conduct SQL injection attacks by leveraging failure to remove comments from an SQL statement before validation.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1403-1, DLA-646-1
NVD severityhigh (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
zendframework (PTS)jessie1.12.9+dfsg-2+deb8u6vulnerable
jessie (security)1.12.9+dfsg-2+deb8u7fixed
sid1.12.20+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
zendframeworksource(unstable)1.12.20+dfsg-1high
zendframeworksourcejessie1.12.9+dfsg-2+deb8u7highDLA-1403-1
zendframeworksourcewheezy1.11.13-1.1+deb7u5highDLA-646-1

Notes

http://framework.zend.com/security/advisory/ZF2016-03
This security fix can be considered an improvement of the previous ZF2016-02
and ZF2014-04 advisories.
Fixed by: https://github.com/zendframework/zf1/commit/b1c71dd94296d9000127720c85a7ea9e3b35af4b (1.12.20)

Search for package or bug name: Reporting problems