CVE-2019-7164

Priority
Description
SQLAlchemy through 1.2.17 and 1.3.x through 1.3.0b2 allows SQL Injection
via the order_by parameter.
Notes
 mdeslaur> since 1.0, sqlalchemy issues a warning when text() is omitted
 mdeslaur> the fix for this issue turns the warning into an error
 mdeslaur> since this change may break existing applications, it may not
 mdeslaur> get fixed, marking priority as low
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE (trusty was needed)
Ubuntu 16.04 LTS (Xenial Xerus): needed
Ubuntu 18.04 LTS (Bionic Beaver): needed
Ubuntu 19.04 (Disco Dingo): needed
Ubuntu 19.10 (Eoan): needed
Patches:
Upstream: https://github.com/sqlalchemy/sqlalchemy/commit/30307c4616ad67c01ddae2e1e8e34fabf6028414
More Information

Updated: 2019-09-19 14:54:11 UTC (commit d32ebc32606b9517c6fa7d65a15441e2a57a6de5)