
[SECURITY] [DLA 406-1] phpmyadmin security update



Package        : phpmyadmin
Version        : 4:3.3.7-11
CVE ID         : CVE-2016-2039 CVE-2016-2041

Several flaws were discovered in the CSRF authentication code of
phpMyAdmin.

CVE-2016-2039

    The XSRF/CSRF token is generated with a weak algorithm using
    functions that do not return cryptographically secure values.

CVE-2016-2041

    The comparison of the XSRF/CSRF token parameter with the value saved
    in the session is vulnerable to timing attacks. Moreover, the
    comparison could be bypassed if the XSRF/CSRF token matches a
    particular pattern.
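
The two classes of fix side by side, as an added example that is not part of the advisory and is not phpMyAdmin's code: a CSPRNG-backed token for CVE-2016-2039 and a type-checked, constant-time comparison for CVE-2016-2041. All function names are hypothetical, the weak variants are constructed illustrations, and PHP 7 or later is assumed for random_bytes().

```php
<?php
// Added example. Function names are hypothetical; this is not phpMyAdmin code.

// Weak (constructed): hashing predictable inputs. The output looks random,
// but mt_rand() and uniqid() are not cryptographically secure sources.
function weak_token(): string
{
    return md5(uniqid((string) mt_rand(), true));
}

// Hardened: 32 bytes from the operating system CSPRNG, hex-encoded.
function strong_token(): string
{
    return bin2hex(random_bytes(32));
}

// Weak (constructed): loose comparison stops at the first difference, so its
// run time depends on the input, and it applies PHP type coercion.
function weak_check($submitted, string $expected): bool
{
    return $submitted == $expected;
}

// Hardened: require a string and a non-empty session token, then compare
// in constant time with hash_equals() (known value first, user value second).
function strong_check($submitted, string $expected): bool
{
    if (!is_string($submitted) || $expected === '') {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Demonstration with a freshly generated session token.
$session = strong_token();
$cases = [
    'matching token'          => $session,
    'last character altered'  => substr($session, 0, 63) . 'x',
    'array instead of string' => [$session],
    'missing parameter'       => null,
];
foreach ($cases as $label => $submitted) {
    printf("%-24s %s\n", $label, strong_check($submitted, $session) ? 'accept' : 'reject');
}
// An unset session token must never validate, even against an empty submission.
printf("%-24s %s\n", 'empty session token', strong_check('', '') ? 'accept' : 'reject');
```
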

