Debian: DSA-3627-1: phpmyadmin security update

    Date: 24 Jul 2016
    Category: Debian
    Posted By: LinuxSecurity Advisories
    Several vulnerabilities have been fixed in phpMyAdmin, the web-based MySQL administration interface.
    
    - -------------------------------------------------------------------------
    Debian Security Advisory DSA-3627-1
    https://www.debian.org/security/                          Thijs Kinkhorst
    July 24, 2016                         https://www.debian.org/security/faq
    - -------------------------------------------------------------------------
    
    Package        : phpmyadmin
    CVE ID         : CVE-2016-1927 CVE-2016-2039 CVE-2016-2040 CVE-2016-2041 
                     CVE-2016-2560 CVE-2016-2561 CVE-2016-5099 CVE-2016-5701
                     CVE-2016-5705 CVE-2016-5706 CVE-2016-5731 CVE-2016-5733
                     CVE-2016-5739
    
    Several vulnerabilities have been fixed in phpMyAdmin, the web-based
    MySQL administration interface.
    
    CVE-2016-1927
    
        The suggestPassword function relied on a non-secure random number
        generator which makes it easier for remote attackers to guess
        generated passwords via a brute-force approach.
    
    CVE-2016-2039
    
        CSRF token values were generated by a non-secure random number
        generator, which allows remote attackers to bypass intended access
        restrictions by predicting a value.
    
    CVE-2016-2040
    
        Multiple cross-site scripting (XSS) vulnerabilities allow remote
        authenticated users to inject arbitrary web script or HTML.
    
    CVE-2016-2041
    
        phpMyAdmin does not use a constant-time algorithm for comparing
        CSRF tokens, which makes it easier for remote attackers to bypass
        intended access restrictions by measuring time differences.
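
    The three non-XSS issues above (CVE-2016-1927, CVE-2016-2039 and CVE-2016-2041) share two root causes: tokens and suggested passwords drawn from a predictable random number generator, and a token comparison that exits on the first mismatching byte. The following is an added illustration in Python, not code from phpMyAdmin or from the advisory; it models the weak pattern beside the hardened one (OS CSPRNG via `secrets`, constant-time comparison via `hmac.compare_digest`). The function names and the seed value are constructed for the example.

```python
# Added example (not from the Debian advisory or phpMyAdmin): contrasts a
# seeded, predictable generator and an early-exit comparison with the
# hardened equivalents a defender would expect for CSRF tokens and
# suggested passwords.
import hmac
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits


def weak_token(seed, nbytes=16):
    """Token from a seeded Mersenne Twister (not a CSPRNG). Anyone who learns
    or guesses the seed reproduces every token; this is the class of bug
    behind CVE-2016-1927 and CVE-2016-2039."""
    rng = random.Random(seed)
    return rng.getrandbits(nbytes * 8).to_bytes(nbytes, "big").hex()


def secure_token(nbytes=16):
    """CSRF token from the operating system's CSPRNG; 16 bytes = 32 hex chars."""
    return secrets.token_hex(nbytes)


def suggest_password(length=16):
    """Password suggestion with every character drawn from the CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def tokens_match_naive(expected, provided):
    """Byte-by-byte comparison that returns on the first mismatch, so its
    runtime leaks how long the matching prefix is (CVE-2016-2041 pattern)."""
    if len(expected) != len(provided):
        return False
    for a, b in zip(expected, provided):
        if a != b:
            return False
    return True


def tokens_match(expected, provided):
    """Constant-time comparison: runtime does not depend on where the inputs differ."""
    return hmac.compare_digest(expected.encode(), provided.encode())


def demo():
    # A seeded token is fully reproducible from its seed (constructed value 1234) ...
    reproducible = weak_token(1234) == weak_token(1234)
    # ... whereas two CSPRNG tokens are independent and, in practice, never collide.
    t1, t2 = secure_token(), secure_token()
    return reproducible and t1 != t2 and tokens_match(t1, t1) and not tokens_match(t1, t2)
```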
    
    CVE-2016-2560
    
        Multiple cross-site scripting (XSS) vulnerabilities allow remote
        attackers to inject arbitrary web script or HTML.
    
    CVE-2016-2561
    
        Multiple cross-site scripting (XSS) vulnerabilities allow remote
        attackers to inject arbitrary web script or HTML.
    
    CVE-2016-5099
    
        Multiple cross-site scripting (XSS) vulnerabilities allow remote
        attackers to inject arbitrary web script or HTML.
    
    CVE-2016-5701
    
        For installations running on plain HTTP, phpMyAdmin allows remote
        attackers to conduct BBCode injection attacks against HTTP sessions
        via a crafted URI.
    
    CVE-2016-5705
    
        Multiple cross-site scripting (XSS) vulnerabilities allow remote
        attackers to inject arbitrary web script or HTML.
    
    CVE-2016-5706
    
        phpMyAdmin allows remote attackers to cause a denial of service
        (resource consumption) via a large array in the scripts parameter.
    
    CVE-2016-5731
    
        A cross-site scripting (XSS) vulnerability allows remote
        attackers to inject arbitrary web script or HTML.
    
    CVE-2016-5733
    
        Multiple cross-site scripting (XSS) vulnerabilities allow remote
        attackers to inject arbitrary web script or HTML.
    
    CVE-2016-5739
    
        A specially crafted Transformation could leak information which
        a remote attacker could use to perform cross site request forgeries.
    
    For the stable distribution (jessie), these problems have been fixed in
    version 4:4.2.12-2+deb8u2.
    
    For the unstable distribution (sid), these problems have been fixed in
    version 4:4.6.3-1.
    
    We recommend that you upgrade your phpmyadmin packages.
    
    Further information about Debian Security Advisories, how to apply
    these updates to your system and frequently asked questions can be
    found at: https://www.debian.org/security/
    
    