[SECURITY] [DLA 626-1] phpmyadmin security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 626-1] phpmyadmin security update
From: Ola Lundqvist <opal@debian.org>
Date: Sat, 17 Sep 2016 23:19:36 +0200
Message-id: <[🔎] 20160917211936.GA24271@inguza.net>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : phpmyadmin
Version        : 3.4.11.1-2+deb7u6
CVE ID         : CVE-2016-6606 CVE-2016-6607 CVE-2016-6609 CVE-2016-6611
                 CVE-2016-6612 CVE-2016-6613 CVE-2016-6614 CVE-2016-6620
                 CVE-2016-6622 CVE-2016-6623 CVE-2016-6624 CVE-2016-6630
                 CVE-2016-6631

Phpmyadmin, a web administration tool for MySQL, had several
vulnerabilities reported.

CVE-2016-6606

    A pair of vulnerabilities were found affecting the way cookies are
    stored.

    The decryption of the username/password is vulnerable to a padding
    oracle attack. The can allow an attacker who has access to a user's
    browser cookie file to decrypt the username and password.

    A vulnerability was found where the same initialization vector
    is used to hash the username and password stored in the phpMyAdmin
    cookie. If a user has the same password as their username, an
    attacker who examines the browser cookie can see that they are the
    same — but the attacker can not directly decode these values from
    the cookie as it is still hashed.

CVE-2016-6607

    Cross site scripting vulnerability in the replication feature

CVE-2016-6609

    A specially crafted database name could be used to run arbitrary PHP
    commands through the array export feature.

CVE-2016-6611

    A specially crafted database and/or table name can be used to trigger
    an SQL injection attack through the SQL export functionality.

CVE-2016-6612

    A user can exploit the LOAD LOCAL INFILE functionality to expose
    files on the server to the database system.

CVE-2016-6613

    A user can specially craft a symlink on disk, to a file which
    phpMyAdmin is permitted to read but the user is not, which
    phpMyAdmin will then expose to the user.

CVE-2016-6614

    A vulnerability was reported with the %u username replacement
    functionality of the SaveDir and UploadDir features. When the
    username substitution is configured, a specially-crafted user name
    can be used to circumvent restrictions to traverse the file system.

CVE-2016-6620

    A vulnerability was reported where some data is passed to the PHP
    unserialize() function without verification that it's valid
    serialized data. Due to how the PHP function operates,
    unserialization can result in code being loaded and executed due to
    object instantiation and autoloading, and a malicious user may be
    able to exploit this.
    Therefore, a malicious user may be able to manipulate the stored
    data in a way to exploit this weakness.

CVE-2016-6622

    An unauthenticated user is able to execute a denial-of-service
    attack by forcing persistent connections when phpMyAdmin is running
    with $cfg['AllowArbitraryServer']=true;.

CVE-2016-6623

    A malicious authorized user can cause a denial-of-service attack
    on a server by passing large values to a loop.

CVE-2016-6624

    A vulnerability was discovered where, under certain circumstances,
    it may be possible to circumvent the phpMyAdmin IP-based
    authentication rules.
    When phpMyAdmin is used with IPv6 in a proxy server environment,
    and the proxy server is in the allowed range but the attacking
    computer is not allowed, this vulnerability can allow the attacking
    computer to connect despite the IP rules.

CVE-2016-6630

    An authenticated user can trigger a denial-of-service attack by
    entering a very long password at the change password dialog.

CVE-2016-6631

    A vulnerability was discovered where a user can execute a remote
    code execution attack against a server when phpMyAdmin is being
    run as a CGI application. Under certain server configurations,
    a user can pass a query string which is executed as a
    command-line argument by shell scripts.

For Debian 7 "Wheezy", these problems have been fixed in version
3.4.11.1-2+deb7u6.

We recommend that you upgrade your phpmyadmin packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -- 
 --------------------- Ola Lundqvist ---------------------------
/  opal@debian.org                     Folkebogatan 26          \
|  ola@inguza.com                      654 68 KARLSTAD          |
|  http://inguza.com/                  +46 (0)70-332 1551       |
\  gpg/f.p.: 22F2 32C6 B1E0 F4BF 2B26  0A6A 5E90 DCFA 9426 876F /
 ---------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJX3bNoAAoJEF6Q3PqUJodvFHYP/1AExuJc1420mKWBn1zaQ0Jc
UcrbstglsIPf9jwMZhfMm8wG1FnbTDycDdh1W2kFQL3Pmn0Fyr7K5i+ji/1M93sG
lefmKxu4zenWpCS7nFxOff/ykIO6xSb2baMYUh0LyAZxqyWiWk1/E/4OVA50kC3H
0DnxLF3cdxV4Lw0kUend7Of2JOZUN52UcXtQMmEhYGptbfiQ84ec5ghgI+gE79wL
JYTkPyijLBpues1i9IIB8dZzdByJu1I+gH7POhSIBKJP+U0sYgxCPJE8oXBLk/eZ
lFLu1WtAwvf0szOpQZ2ubexUH+1CvePWSxO7tbYzJKuMkQ8quasGShHEe//dz5Ho
eYBG4+2XgzuHojgIAmlSV1mbEHHAkZ6/HBnQHR7XoppuRZ6MdrPaUGwFF9E+prC0
mb1MQNKiHJ+HDNq84ZLeRjKWDFVNf2LnrOJC137eiFQSqjBtrxAZfSOYciMVDeCK
jJpNHi8FnkJ/rh63bilRyTdLsGswH9ROTLH8/5MTK6Fjk01R4hVnSq3kg8/MMifp
Nf+pZIA6HkJXclD9DCiBlJ3+xBmd/GTTJiOEeWzWeyWIrLK7Ih6o9g4jlF3CvaN1
nNIipB4QDRsbCl8xIVagVcRWSZMr9SamQpLm3fx4z21vDZeY5pag4j77lFGv+5M+
H36F1poVW3YFGJmcq3a/
=1pA+
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 625-1] curl security update
Next by Date: [SECURITY] [DLA 627-1] pdns security update
Previous by thread: [SECURITY] [DLA 625-1] curl security update
Next by thread: [SECURITY] [DLA 627-1] pdns security update
Index(es):
- Date
- Thread