[SECURITY] [DLA 1692-1] phpmyadmin security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 1692-1] phpmyadmin security update
From: Sylvain Beucler <beuc@beuc.net>
Date: Wed, 27 Feb 2019 14:58:38 +0100
Message-id: <[🔎] 20190227135838.dakjv2ngova6jgtn@mail.beuc.net>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : phpmyadmin
Version        : 4:4.2.12-2+deb8u5
CVE ID         : CVE-2019-6799
Debian Bug     : 920823


An information leak issue was discovered in phpMyAdmin. An attacker
can read any file on the server that the web server's user can
access. This is related to the mysql.allow_local_infile PHP
configuration. When the AllowArbitraryServer configuration setting is
set to false (default), the attacker needs a local MySQL account. When
set to true, the attacker can exploit this with the use of a rogue
MySQL server.

For Debian 8 "Jessie", this problem has been fixed in version
4:4.2.12-2+deb8u5.

We recommend that you upgrade your phpmyadmin packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEEQic8GuN/xDR88HkSj/HLbo2JBZ8FAlx2ll4ACgkQj/HLbo2J
BZ9uwwgAioP4kzTcsHE2yIA4ZdW96aszHsyv8vqReg+ir4MtRodhRvlA/tAszdz2
ov0DThc43uUEGBYCASpUYY8r5lD8EeCLLKkrZwanW4zvNF7m4few4JwfvZoWIMRw
PeB1mnkSF7dg0qPC+4OLRuaYgfyMeLSDIVJbmNlFfUYxK/0t1XvqTBUpPupgjPnv
uZw8OJzhjdaq5R/FaCR+gs5fD9f3CNy4lKPoGv0MVOCqaMW/2/AqvIEMTkjbNDmp
hzQfS/n8k5FPkfev8KfBaWBDn+y78FbZZQ81oqwzK5bRyyU2PMa8SnJldJgITOo7
oq2uNscdwfJnhTpIvbPfxKCrSFJ5kQ==
=CJqr
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 1691-1] exiv2 security update
Next by Date: [SECURITY] [DLA 1693-1] gpac security update
Previous by thread: [SECURITY] [DLA 1691-1] exiv2 security update
Next by thread: [SECURITY] [DLA 1693-1] gpac security update
Index(es):
- Date
- Thread