- ------------------------------------------------------------------------ Debian Security Advisory DSA-2097-1 This email address is being protected from spambots. You need JavaScript enabled to view it. https://www.debian.org/security/ Thijs Kinkhorst August 29, 2010 https://www.debian.org/security/faq - ------------------------------------------------------------------------ Package : phpmyadmin Vulnerability : insufficient input sanitising Problem type : remote Debian-specific: no CVE Id(s) : CVE-2010-3055 CVE-2010-3056 Several remote vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2010-3055 The configuration setup script does not properly sanitise its output file, which allows remote attackers to execute arbitrary PHP code via a crafted POST request. In Debian, the setup tool is protected through Apache HTTP basic authentication by default. CVE-2010-3056 Various cross site scripting issues have been discovered that allow a remote attacker to inject arbitrary web script or HTML. For the stable distribution (lenny), these problems have been fixed in version 2.11.8.1-5+lenny5. For the testing (squeeze) and unstable distribution (sid), these problems have been fixed in version 3.3.5.1-1. We recommend that you upgrade your phpmyadmin package. Upgrade instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 5.0 alias lenny - -------------------------------- Source archives: https://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.11.8.1.orig.tar.gz Size/MD5 checksum: 2870014 075301d16404c2d7d58216efc14f7a50 https://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.11.8.1-5+lenny5.dsc Size/MD5 checksum: 1548 157a4c31a2bb6cd6b3fe514103a9d163 https://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.11.8.1-5+lenny5.diff.gz Size/MD5 checksum: 73780 6b2c2c93159973911fed8513c91dc7d1 Architecture independent packages: https://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.11.8.1-5+lenny5_all.deb Size/MD5 checksum: 2885996 2c4d27646253a7f5da105f26e22abb0d These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb https://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it. Package info: `apt-cache show' and https://packages.debian.org/
Debian: DSA-2097-1: New phpmyadmin packages fix several vulnerabilities
Several remote vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems:
