Date: Wed, 30 Sep 2015 16:23:31 +0200 From: Alessandro Ghedini <alessandro@...dini.me> To: oss-security@...ts.openwall.com Cc: cve-assign@...re.org Subject: Re: CVE Request: zendframework SQL injections On Wed, Sep 30, 2015 at 12:55:45PM +0200, Alessandro Ghedini wrote: > Hello, > > the Zendframework project released the following advisory: > > > ZF2015-08: Potential SQL injection vector using null byte for PDO (MsSql, SQLite) > http://framework.zend.com/security/advisory/ZF2015-08 > > The patch for the MS SQL backend seems to be: > https://github.com/zendframework/zf1/commit/2ac9c30f73ec2e6235c602bed745749a551b4fe2 > > but I couldn't find the fix for the mentioned SQLite backend. It was pointed out to me that that patch also includes changes for the file library/Zend/Db/Adapter/Pdo/Abstract.php, which is used by the SQLite backend. So it should cover both MS SQL *and* SQLite. Cheers [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ