Candidate: CVE-2016-6233
PublicDate: 2017-02-17 02:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6233
 http://framework.zend.com/security/advisory/ZF2016-02
Description:
 The (1) order and (2) group methods in Zend_Db_Select in the Zend Framework
 before 1.12.19 might allow remote attackers to conduct SQL injection attacks
 via vectors related to use of the character pattern [\w]* in a regular
 expression.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by: Peter O'Callaghan
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_php-zend-db:
 upstream: https://github.com/zendframework/zf1/commit/bf3f40605be3d8f136a07ae991079a7dcb34d967
upstream_php-zend-db: released (1.12.19)
precise_php-zend-db: DNE
precise/esm_php-zend-db: DNE
trusty_php-zend-db: DNE
trusty/esm_php-zend-db: DNE
vivid/stable-phone-overlay_php-zend-db: DNE
vivid/ubuntu-core_php-zend-db: DNE
wily_php-zend-db: ignored (reached end-of-life)
xenial_php-zend-db: ignored (end of standard support, was needed)
yakkety_php-zend-db: ignored (reached end-of-life)
zesty_php-zend-db: ignored (reached end-of-life)
artful_php-zend-db: ignored (reached end-of-life)
bionic_php-zend-db: not-affected (code not present)
cosmic_php-zend-db: not-affected (code not present)
disco_php-zend-db: DNE
eoan_php-zend-db: DNE
focal_php-zend-db: DNE
groovy_php-zend-db: DNE
hirsute_php-zend-db: DNE
impish_php-zend-db: DNE
jammy_php-zend-db: DNE
devel_php-zend-db: DNE