
[SECURITY] [DLA 757-1] phpmyadmin security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : phpmyadmin
Version        : 4:3.4.11.1-2+deb7u7
CVE ID         : CVE-2016-4412 CVE-2016-6626 CVE-2016-9849 CVE-2016-9850
                 CVE-2016-9861 CVE-2016-9864 CVE-2016-9865

Various security issues were found and fixed in phpmyadmin in wheezy.

CVE-2016-4412 / PMASA-2016-57

    A user could be tricked into following a link to phpMyAdmin that, after
    authentication, redirects to another, malicious site (an open redirect).

CVE-2016-6626 / PMASA-2016-49

    The fix for PMASA-2016-57 did not check the redirect target sufficiently,
    so it was possible to bypass the whitelist.

CVE-2016-9849 / PMASA-2016-60

    Username deny rules (AllowRoot and others) could be bypassed by placing a
    null byte in the username.

CVE-2016-9850 / PMASA-2016-61

    Username matching for the allow/deny rules was not done in constant time;
    the resulting timing differences could lead to wrong matches and let an
    attacker detect whether a username appears in a rule.

CVE-2016-9861 / PMASA-2016-66

    The fix for PMASA-2016-49 still had buggy checks, so it was still possible
    to bypass the whitelist.
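PMASA-2016-57, -49 and -66 are three rounds of the same check: deciding whether a redirect target belongs to a whitelisted host. The Python below is an added example, not phpMyAdmin's code and not a reproduction of the specific bypasses, showing why a substring-style check fails and what a parsed, exact-host check looks like. The allowlist entries are assumed for the example.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist for the example; phpMyAdmin's own list is not reproduced here.
ALLOWED_HOSTS = {"www.phpmyadmin.net", "wiki.phpmyadmin.net"}


def naive_redirect_allowed(url: str) -> bool:
    """Vulnerable pattern: substring match anywhere in the URL. Any attacker URL
    that merely contains an allowed host name (in the query, in userinfo, as a
    subdomain prefix) passes."""
    return any(host in url for host in ALLOWED_HOSTS)


def hardened_redirect_allowed(url: str) -> bool:
    """Parse first, then require: absolute http(s) URL, no userinfo, no port,
    and a host that is exactly one of the allowed names."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False  # e.g. malformed IPv6 literal; never redirect on parse failure
    if parts.scheme not in ("http", "https"):
        return False  # rejects javascript:, data:, and scheme-relative //host URLs
    if parts.username is not None or parts.password is not None:
        return False  # userinfo trick: https://www.phpmyadmin.net@evil.example/
    host = parts.hostname
    if host is None:
        return False
    # hostname is lower-cased and stripped of userinfo/port; if it differs from
    # the whole netloc, something (a port, an '@', brackets) was present: reject.
    if parts.netloc.lower() != host:
        return False
    return host in ALLOWED_HOSTS


if __name__ == "__main__":
    for candidate in (
        "https://www.phpmyadmin.net/docs/",
        "https://evil.example/?next=www.phpmyadmin.net",
        "https://www.phpmyadmin.net@evil.example/",
        "https://www.phpmyadmin.net.evil.example/",
        "//www.phpmyadmin.net/",
    ):
        print(f"{candidate:50} naive={naive_redirect_allowed(candidate)!s:5} "
              f"hardened={hardened_redirect_allowed(candidate)}")
```

Comparing the parsed host against an exact set, rather than testing the raw string, is what closes the whole class: every bypass of a string-based check is a URL that parses to a different host than the one the check saw.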

CVE-2016-9864 / PMASA-2016-69

    Multiple SQL injection vulnerabilities.

CVE-2016-9865 / PMASA-2016-70

    Due to a bug in serialized string parsing, it was possible to bypass the
    protection offered by the PMA_safeUnserialize() function.
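A safe unserialize routine exists to decode PHP serialize() output without ever letting an object token be instantiated, which means it has to parse the format itself and cannot afford to mis-read a string. The Python parser below is an added example, not phpMyAdmin's PMA_safeUnserialize() and not a reproduction of the PMASA-2016-70 bug; it shows the general shape of such a parser: honour the declared byte length of every string instead of scanning for a closing quote, reject `O:`, `C:`, `r:` and `R:` tags, and reject trailing data. The nesting limit is an assumption for the example.

```python
import re


class UnsafeSerializedData(ValueError):
    """Raised for object/reference tokens or malformed input."""


_INT = re.compile(rb"-?\d+")
_FLOAT = re.compile(rb"-?(\d+(\.\d*)?|\.\d+)([eE][-+]?\d+)?|-?INF|NAN")
_MAX_DEPTH = 32  # assumed limit for the example


def safe_unserialize(data: bytes):
    """Decode PHP serialize() output allowing only null, bool, int, float,
    string and array. Anything else, and any trailing bytes, is rejected."""
    value, pos = _parse(data, 0, 0)
    if pos != len(data):
        raise UnsafeSerializedData("trailing bytes after value")
    return value


def _expect(data, pos, token):
    if data[pos:pos + len(token)] != token:
        raise UnsafeSerializedData(f"expected {token!r} at offset {pos}")
    return pos + len(token)


def _number(data, pos, terminator):
    """Read an unsigned decimal (string length / array count) up to terminator."""
    end = data.find(terminator, pos)
    if end < 0 or not re.fullmatch(rb"\d+", data[pos:end]):
        raise UnsafeSerializedData(f"bad length field at offset {pos}")
    return int(data[pos:end]), end


def _parse(data, pos, depth):
    if depth > _MAX_DEPTH:
        raise UnsafeSerializedData("nesting too deep")
    tag = data[pos:pos + 1]
    if tag == b"N":
        return None, _expect(data, pos + 1, b";")
    if tag in (b"b", b"i", b"d"):
        pos = _expect(data, pos + 1, b":")
        end = data.find(b";", pos)
        if end < 0:
            raise UnsafeSerializedData("unterminated scalar")
        raw, pos = data[pos:end], end + 1
        if tag == b"b":
            if raw not in (b"0", b"1"):
                raise UnsafeSerializedData("bad boolean")
            return raw == b"1", pos
        if tag == b"i":
            if not _INT.fullmatch(raw):
                raise UnsafeSerializedData("bad integer")
            return int(raw.decode("ascii")), pos
        if not _FLOAT.fullmatch(raw):
            raise UnsafeSerializedData("bad float")
        return float(raw.decode("ascii")), pos
    if tag == b"s":
        # s:<len>:"<exactly len bytes>";  -- the body may itself contain '";'
        length, pos = _number(data, _expect(data, pos + 1, b":"), b":")
        start = _expect(data, pos, b':"')
        end = start + length
        if end > len(data):
            raise UnsafeSerializedData("string length exceeds input")
        return data[start:end], _expect(data, end, b'";')
    if tag == b"a":
        count, pos = _number(data, _expect(data, pos + 1, b":"), b":")
        pos = _expect(data, pos, b":{")
        result = {}
        for _ in range(count):
            key, pos = _parse(data, pos, depth + 1)
            if type(key) not in (int, bytes):  # PHP array keys are int or string only
                raise UnsafeSerializedData("bad array key")
            value, pos = _parse(data, pos, depth + 1)
            result[key] = value
        return result, _expect(data, pos, b"}")
    # O: (object), C: (custom), r:/R: (references) and unknown tags all land here.
    raise UnsafeSerializedData(f"disallowed or unknown type tag {tag!r} at offset {pos}")


def rejects(data: bytes) -> bool:
    """True if safe_unserialize refuses the input."""
    try:
        safe_unserialize(data)
    except UnsafeSerializedData:
        return True
    return False
```

The key design point is in the `s:` branch: the declared length decides where the string ends, so a string body that contains `";`, or that spells out an `O:` token, stays data. A parser that instead scans forward for the closing `";` can be desynchronised by such a body and end up treating attacker-controlled bytes as tokens.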

For Debian 7 "Wheezy", these problems have been fixed in version
4:3.4.11.1-2+deb7u7.

We recommend that you upgrade your phpmyadmin packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----

