[SECURITY] [DLA 551-1] phpmyadmin security update
Package : phpmyadmin
Version : 4:3.4.11.1-2+deb7u5
CVE ID : CVE-2016-5731 CVE-2016-5733 CVE-2016-5739
Several Cross Site Scripting (XSS) vulnerabilities were reported in
phpMyAdmin, a web administration tool for MySQL.
CVE-2016-5731
With a specially crafted request, it is possible to trigger
an XSS attack through the example OpenID authentication script.
CVE-2016-5733
Several XSS vulnerabilities were found with the Transformation
feature.
Also, a vulnerability was reported allowing a specifically-configured
MySQL server to execute an XSS attack.
This particular attack requires configuring the MySQL server
log_bin directive with the payload.
CVE-2016-5739
A vulnerability was reported where a specially crafted
Transformation could be used to leak information including
the authentication token. This could be used to direct a
CSRF attack against a user.
For Debian 7 "Wheezy", these problems have been fixed in version
4:3.4.11.1-2+deb7u5.
We recommend that you upgrade your phpmyadmin packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- --
--------------------- Ola Lundqvist ---------------------------
/ opal@debian.org Folkebogatan 26 \
| ola@inguza.com 654 68 KARLSTAD |
| http://inguza.com/ +46 (0)70-332 1551 |
\ gpg/f.p.: 22F2 32C6 B1E0 F4BF 2B26 0A6A 5E90 DCFA 9426 876F /
---------------------------------------------------------------
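Added example, not part of the advisory: a dpkg-style version comparison for auditing recorded phpmyadmin versions against the fixed version stated above, for cases where `dpkg --compare-versions` cannot be run on the host itself. The host names and installed versions in the inventory are constructed.

```python
import re
from itertools import zip_longest

FIXED = "4:3.4.11.1-2+deb7u5"  # fixed version stated in DLA 551-1

def _order(ch):
    # dpkg ordering: '~' sorts before end-of-string (0); letters before other symbols
    if ch == "~":
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_field(a, b):
    # Compare alternating non-digit / digit runs from left to right.
    runs_a = re.findall(r"(\D*)(\d*)", a)
    runs_b = re.findall(r"(\D*)(\d*)", b)
    for (sa, da), (sb, db) in zip_longest(runs_a, runs_b, fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb):
            oa = _order(ca) if ca else 0
            ob = _order(cb) if cb else 0
            if oa != ob:
                return -1 if oa < ob else 1
        na, nb = int(da or 0), int(db or 0)  # numeric, so u10 > u5
        if na != nb:
            return -1 if na < nb else 1
    return 0

def parse(version):
    # [epoch:]upstream[-revision]; a missing epoch counts as 0
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision

def compare(a, b):
    (ea, ua, ra), (eb, ub, rb) = parse(a), parse(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_field(ua, ub) or _cmp_field(ra, rb)

def needs_update(installed, fixed=FIXED):
    return compare(installed, fixed) < 0

# Constructed inventory: host -> recorded phpmyadmin package version
INVENTORY = {"web01": "4:3.4.11.1-2+deb7u4", "web02": "4:3.4.11.1-2+deb7u5",
             "web03": "4:3.4.11.1-2+deb7u10", "web04": "4:3.4.11.1-2"}

def audit(inventory):
    return sorted(h for h, v in inventory.items() if needs_update(v))
```

A plain string comparison would wrongly rank `+deb7u10` below `+deb7u5` and would ignore the `4:` epoch.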