
[SECURITY] [DLA 2154-1] phpmyadmin security update




Package        : phpmyadmin
Version        : 4:4.2.12-2+deb8u9
CVE ID         : CVE-2020-10802 CVE-2020-10803
Debian Bug     : 954665 954666


The following CVEs were reported against the phpmyadmin package.

CVE-2020-10802

    In phpMyAdmin 4.x before 4.9.5, a SQL injection vulnerability
    has been discovered where certain parameters are not properly
    escaped when generating certain queries for search actions in
    libraries/classes/Controllers/Table/TableSearchController.php.
    An attacker can generate a crafted database or table name. The
    attack can be performed if a user attempts certain search
    operations on the malicious database or table.

CVE-2020-10803

    In phpMyAdmin 4.x before 4.9.5, a SQL injection vulnerability
    was discovered where malicious code could be used to trigger
    an XSS attack through retrieving and displaying results (in
    tbl_get_field.php and libraries/classes/Display/Results.php).
    The attacker must be able to insert crafted data into certain
    database tables, which when retrieved (for instance, through the
    Browse tab) can trigger the XSS attack.

For Debian 8 "Jessie", these problems have been fixed in version
4:4.2.12-2+deb8u9.

We recommend that you upgrade your phpmyadmin packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Best,
Utkarsh

