CVE-2016-4861

NameCVE-2016-4861
DescriptionThe (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.20 might allow remote attackers to conduct SQL injection attacks by leveraging failure to remove comments from an SQL statement before validation.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-1403-1, DLA-646-1

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
zendframeworksourcewheezy1.11.13-1.1+deb7u5DLA-646-1
zendframeworksourcejessie1.12.9+dfsg-2+deb8u7DLA-1403-1
zendframeworksource(unstable)1.12.20+dfsg-1

Notes

http://framework.zend.com/security/advisory/ZF2016-03
This security fix can be considered an improvement of the previous ZF2016-02
and ZF2014-04 advisories.
Fixed by: https://github.com/zendframework/zf1/commit/b1c71dd94296d9000127720c85a7ea9e3b35af4b (1.12.20)
Search for package or bug name: Reporting problems