Debian Security Advisory
DLA-2413-1 phpmyadmin -- LTS security update
- Date Reported: 26 Oct 2020
- Affected Packages:
- Security database references:
  - In the Debian bugtracking system: Bug 971999, Bug 972000.
  - In Mitre's CVE dictionary: CVE-2019-19617, CVE-2020-26934, CVE-2020-26935.
- More information:
Several vulnerabilities were found in package phpmyadmin.
phpMyAdmin does not escape certain Git information, related to libraries/classes/Display/GitRevision.php and libraries/classes/Footer.php.
A vulnerability was discovered where an attacker can cause an XSS attack through the transformation feature.
An SQL injection vulnerability was discovered in how phpMyAdmin processes SQL statements in the search feature. An attacker could use this flaw to inject malicious SQL into a query.
For Debian 9 stretch, these problems have been fixed in version 4.6.6-4+deb9u2.
We recommend that you upgrade your phpmyadmin packages.
For the detailed security status of phpmyadmin please refer to its security tracker page at: https://security-tracker.debian.org/tracker/phpmyadmin
Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS