An SQL injection flaw was found in the Zend Framework when PDO_MySql and non-ASCII-compatible encodings were used together (such as GBK, but not UTF8 or latin1).
Upstream has corrected this flaw in Zend Framework 1.11.6 and 1.10.9.
1.11.6 is currently in Fedora testing:
I'll close this as soon as I've pushed 1.11.6 to stable on all branches.
(In reply to comment #2)
> I'll close this as soon as I've pushed 1.11.6 to stable on all branches.
Fantastic. Thank you!
Updates have been pushed. Should hit the mirrors within the next few days.