SQL injection vulnerability in the SQL comment filtering system in the Database API in Drupal 7.x before 7.39 allows remote attackers to execute arbitrary SQL commands via an SQL comment.
https://www.drupal.org/SA-CORE-2015-003
http://www.securitytracker.com/id/1033358
http://www.securityfocus.com/bid/76432
http://www.debian.org/security/2015/dsa-3346
http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165840.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165733.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165723.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165704.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-September/165690.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165061.html