ELA-105-1 sqlalchemy security update

SQL Injection

Related CVE CVE-2019-7164 CVE-2019-7548

Two vulnerabilities were discovered in SQLALchemy, a Python SQL Toolkit and Object Relational Mapper.


SQLAlchemy allows SQL Injection via the order_by parameter.


SQLAlchemy allows SQL Injection when the group_by parameter can be controlled.

The SQLAlchemy project warns that these security fixes break the seldom-used text coercion feature.

For Debian 7 Wheezy, these problems have been fixed in version 0.7.8-1+deb7u1.

We recommend that you upgrade your sqlalchemy packages.

Further information about Extended LTS security advisories can be found at: https://deb.freexian.com/extended-lts/