An SQL injection flaw was found in the Zend Framework when PDO_MySql and non-ASCII-compatible encodings were used together (such as GBK, but not UTF8 or latin1) [1],[2].

Upstream has corrected this flaw in Zend Framework 1.11.6 and 1.10.9.

[1] http://framework.zend.com/security/advisory/ZF2011-02
[2] http://bugs.php.net/bug.php?id=47802
1.11.6 is currently in Fedora testing: http://koji.fedoraproject.org/koji/packageinfo?packageID=6585
I'll close this as soon as I have pushed 1.11.6 to stable on all branches.
(In reply to comment #2)
> I'll close this as soon as I have pushed 1.11.6 to stable on all branches.

Fantastic. Thank you!
Updates have been pushed. Should hit the mirrors within the next few days.