Advisories » MGASA-2016-0352

Updated php-ZendFramework packages fix security vulnerability

Publication date: 21 Oct 2016
Modification date: 21 Oct 2016
Type: security
Affected Mageia releases: 5
CVE: CVE-2016-4861

Description

The implementation of ORDER BY and GROUP BY in Zend_Db_Select remained prone
to SQL injection when a combination of SQL expressions and comments was used.
This security patch provides a comprehensive solution that identifies and
removes comments prior to checking the validity of the statement, to ensure
no SQLi vectors occur (CVE-2016-4861).
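
As a defence-in-depth measure alongside the updated package, an application can apply the same order of operations (remove comments first, then validate) to any user-supplied sort term before it reaches Zend_Db_Select. The following is an added example, not code from Zend Framework or from this advisory; the function names, column allow-list and sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example (not Zend Framework code): validate a user-supplied sort term
// before passing it to Zend_Db_Select::order() or ::group().

/** Remove SQL comments: block comments, "--" and "#" line comments. */
function stripSqlComments(string $term): string
{
    $patterns = [
        '~/\*.*?\*/~s',   // /* block comment */, possibly spanning lines
        '~--[^\r\n]*~',   // -- line comment
        '~#[^\r\n]*~',    // # line comment (MySQL)
    ];
    return trim((string) preg_replace($patterns, ' ', $term));
}

/** Return a canonical "column DIRECTION" string, or null if the term is not allowed. */
function safeSortTerm(string $input, array $allowedColumns): ?string
{
    // Step 1: strip comments so they cannot hide content from the check below.
    $term = stripSqlComments($input);

    // Step 2: strict grammar. One bare identifier and an optional direction.
    // Parentheses, quotes and leftover comment markers all fail the match,
    // so the term can never be interpreted as an SQL expression.
    if (!preg_match('/^([A-Za-z_][A-Za-z0-9_]*)(?:\s+(ASC|DESC))?$/iD', $term, $m)) {
        return null;
    }

    // Step 3: the column must be one the application explicitly exposes.
    if (!in_array($m[1], $allowedColumns, true)) {
        return null;
    }

    // Step 4: rebuild the term from validated parts; never reuse the raw input.
    return $m[1] . ' ' . (isset($m[2]) ? strtoupper($m[2]) : 'ASC');
}

// Constructed sample inputs (hypothetical column names).
$allowed = ['name', 'created_at'];
$samples = ['name', 'created_at desc', 'name /* note */ DESC',
            'LENGTH(name)', 'name /* unterminated', 'password'];
foreach ($samples as $s) {
    $result = safeSortTerm($s, $allowed);
    printf("%-26s => %s\n", json_encode($s), $result ?? 'rejected');
}
```

Only the string returned by `safeSortTerm()` should be handed to `order()` or `group()`; a `null` result means the request falls back to a default sort or is refused.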
                

References

SRPMS

5/core