CVE-2016-4861

NameCVE-2016-4861
DescriptionThe (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.20 might allow remote attackers to conduct SQL injection attacks by leveraging failure to remove comments from an SQL statement before validation.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1403-1, DLA-646-1
NVD severityhigh

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
zendframeworksourcewheezy1.11.13-1.1+deb7u5DLA-646-1
zendframeworksourcejessie1.12.9+dfsg-2+deb8u7DLA-1403-1
zendframeworksource(unstable)1.12.20+dfsg-1

Notes

http://framework.zend.com/security/advisory/ZF2016-03
This security fix can be considered an improvement of the previous ZF2016-02
and ZF2014-04 advisories.
Fixed by: https://github.com/zendframework/zf1/commit/b1c71dd94296d9000127720c85a7ea9e3b35af4b (1.12.20)

Search for package or bug name: Reporting problems