CVE-2019-7548

Priority
Description
SQLAlchemy 1.2.17 has SQL Injection when the group_by parameter can be
controlled.
Notes
mdeslaur: since 1.0, sqlalchemy issues a warning when text() is omitted
this fix for this issue turns the warning into an error
since this change may break existing applications, it may not
get fixed, marking priority as low
Package
Upstream: needs-triage
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): DNE (trusty was needed)
Ubuntu 16.04 LTS (Xenial Xerus): needed
Ubuntu 18.04 LTS (Bionic Beaver): needed
Ubuntu 20.04 LTS (Focal Fossa): not-affected (1.2.18+ds1-2ubuntu1)
Ubuntu 20.10 (Groovy Gorilla): not-affected (1.2.18+ds1-2ubuntu1)
Patches:
Upstream: https://github.com/sqlalchemy/sqlalchemy/commit/30307c4616ad67c01ddae2e1e8e34fabf6028414

Updated: 2020-09-09 23:30:52 UTC (commit 81a23a978c4436cd99e1d040e9e73e9146876281)