CVE-2016-4861

Name: CVE-2016-4861
Description: The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework before 1.12.20 might allow remote attackers to conduct SQL injection attacks by leveraging failure to remove comments from an SQL statement before validation.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-1403-1, DLA-646-1

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| zendframework (PTS) | jessie, jessie (lts) | 1.12.9+dfsg-2+deb8u7 | fixed |

The information below is based on the following data on fixed versions.

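| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| zendframework | source | wheezy | 1.11.13-1.1+deb7u5 | | DLA-646-1 | |
| zendframework | source | jessie | 1.12.9+dfsg-2+deb8u7 | | DLA-1403-1 | |
| zendframework | source | (unstable) | 1.12.20+dfsg-1 | | | |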

Notes

http://framework.zend.com/security/advisory/ZF2016-03
This security fix can be considered an improvement of the previous ZF2016-02
and ZF2014-04 advisories.
Fixed by: https://github.com/zendframework/zf1/commit/b1c71dd94296d9000127720c85a7ea9e3b35af4b (1.12.20)
