[security-announce] openSUSE-SU-2016:2168-1: important: Security update for phpMyAdmin

news · August 29, 2016

openSUSE Security Update: Security update for phpMyAdmin

______________________________________________________________________________

Announcement ID: openSUSE-SU-2016:2168-1

Rating: important

References: #994313

Cross-References: CVE-2016-6606 CVE-2016-6607 CVE-2016-6608

CVE-2016-6609 CVE-2016-6610 CVE-2016-6611

CVE-2016-6612 CVE-2016-6613 CVE-2016-6614

CVE-2016-6615 CVE-2016-6616 CVE-2016-6617

CVE-2016-6618 CVE-2016-6619 CVE-2016-6620

CVE-2016-6621 CVE-2016-6622 CVE-2016-6623

CVE-2016-6624 CVE-2016-6625 CVE-2016-6626

CVE-2016-6627 CVE-2016-6628 CVE-2016-6629

CVE-2016-6630 CVE-2016-6631 CVE-2016-6632

CVE-2016-6633

Affected Products:

openSUSE Leap 42.1

openSUSE 13.2

______________________________________________________________________________

An update that fixes 28 vulnerabilities is now available.

Description:

phpMyAdmin was updated to version 4.4.15.8 (2016-08-16) to fix the

following issues:

- Upstream changelog for 4.4.15.8:

* Improve session cookie code for openid.php and signon.php example files

* Full path disclosure in openid.php and signon.php example files

* Unsafe generation of BlowfishSecret (when not supplied by the user)

* Referrer leak when phpinfo is enabled

* Use HTTPS for wiki links

* Improve SSL certificate handling

* Fix full path disclosure in debugging code

* Administrators could trigger SQL injection attack against users

- other fixes

* Remove Swekey support

- Security fixes: https://www.phpmyadmin.net/security/

* Weaknesses with cookie encryption see PMASA-2016-29 (CVE-2016-6606,

CWE-661)

* Multiple XSS vulnerabilities see PMASA-2016-30 (CVE-2016-6607, CWE-661)

* Multiple XSS vulnerabilities see PMASA-2016-31 (CVE-2016-6608, CWE-661)

* PHP code injection see PMASA-2016-32 (CVE-2016-6609, CWE-661)

* Full path disclosure see PMASA-2016-33 (CVE-2016-6610, CWE-661)

* SQL injection attack see PMASA-2016-34 (CVE-2016-6611, CWE-661)

* Local file exposure through LOAD DATA LOCAL INFILE see PMASA-2016-35

(CVE-2016-6612, CWE-661)

* Local file exposure through symlinks with UploadDir see PMASA-2016-36

(CVE-2016-6613, CWE-661)

* Path traversal with SaveDir and UploadDir see PMASA-2016-37

(CVE-2016-6614, CWE-661)

* Multiple XSS vulnerabilities see PMASA-2016-38 (CVE-2016-6615, CWE-661)

* SQL injection vulnerability as control user see PMASA-2016-39

(CVE-2016-6616, CWE-661)

* SQL injection vulnerability see PMASA-2016-40 (CVE-2016-6617, CWE-661)

* Denial-of-service attack through transformation feature see

PMASA-2016-41 (CVE-2016-6618, CWE-661)

* SQL injection vulnerability as control user see PMASA-2016-42

(CVE-2016-6619, CWE-661)

* Verify data before unserializing see PMASA-2016-43 (CVE-2016-6620,

CWE-661)

* SSRF in setup script see PMASA-2016-44 (CVE-2016-6621, CWE-661)

* Denial-of-service attack with $cfg['AllowArbitraryServer'] = true and

persistent connections see PMASA-2016-45 (CVE-2016-6622, CWE-661)

* Denial-of-service attack by using for loops see PMASA-2016-46

(CVE-2016-6623, CWE-661)

* Possible circumvention of IP-based allow/deny rules with IPv6 and

proxy server see PMASA-2016-47 (CVE-2016-6624, CWE-661)

* Detect if user is logged in see PMASA-2016-48 (CVE-2016-6625, CWE-661)

* Bypass URL redirection protection see PMASA-2016-49 (CVE-2016-6626,

CWE-661)

* Referrer leak see PMASA-2016-50 (CVE-2016-6627, CWE-661)

* Reflected File Download see PMASA-2016-51 (CVE-2016-6628, CWE-661)

* ArbitraryServerRegexp bypass see PMASA-2016-52 (CVE-2016-6629, CWE-661)

* Denial-of-service attack by entering long password see PMASA-2016-53

(CVE-2016-6630, CWE-661)

* Remote code execution vulnerability when running as CGI see

PMASA-2016-54 (CVE-2016-6631, CWE-661)

* Denial-of-service attack when PHP uses dbase extension see

PMASA-2016-55 (CVE-2016-6632, CWE-661)

* Remove tode execution vulnerability when PHP uses dbase extension see

PMASA-2016-56 (CVE-2016-6633, CWE-661)

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.

Alternatively you can run the command listed for your product:

- openSUSE Leap 42.1:

zypper in -t patch openSUSE-2016-1021=1

- openSUSE 13.2:

zypper in -t patch openSUSE-2016-1021=1

To bring your system up-to-date, use "zypper patch".

Package List:

- openSUSE Leap 42.1 (noarch):

phpMyAdmin-4.4.15.8-25.1

- openSUSE 13.2 (noarch):

phpMyAdmin-4.4.15.8-39.1

References:

https://www.suse.com/security/cve/CVE-2016-6606.html

https://www.suse.com/security/cve/CVE-2016-6607.html

https://www.suse.com/security/cve/CVE-2016-6608.html

https://www.suse.com/security/cve/CVE-2016-6609.html

https://www.suse.com/security/cve/CVE-2016-6610.html

https://www.suse.com/security/cve/CVE-2016-6611.html

https://www.suse.com/security/cve/CVE-2016-6612.html

https://www.suse.com/security/cve/CVE-2016-6613.html

https://www.suse.com/security/cve/CVE-2016-6614.html

https://www.suse.com/security/cve/CVE-2016-6615.html

https://www.suse.com/security/cve/CVE-2016-6616.html

https://www.suse.com/security/cve/CVE-2016-6617.html

https://www.suse.com/security/cve/CVE-2016-6618.html

https://www.suse.com/security/cve/CVE-2016-6619.html

https://www.suse.com/security/cve/CVE-2016-6620.html

https://www.suse.com/security/cve/CVE-2016-6621.html

https://www.suse.com/security/cve/CVE-2016-6622.html

https://www.suse.com/security/cve/CVE-2016-6623.html

https://www.suse.com/security/cve/CVE-2016-6624.html

https://www.suse.com/security/cve/CVE-2016-6625.html

https://www.suse.com/security/cve/CVE-2016-6626.html

https://www.suse.com/security/cve/CVE-2016-6627.html

https://www.suse.com/security/cve/CVE-2016-6628.html

https://www.suse.com/security/cve/CVE-2016-6629.html

https://www.suse.com/security/cve/CVE-2016-6630.html

https://www.suse.com/security/cve/CVE-2016-6631.html

https://www.suse.com/security/cve/CVE-2016-6632.html

https://www.suse.com/security/cve/CVE-2016-6633.html

https://bugzilla.suse.com/994313

--

To unsubscribe, e-mail: opensuse-security-announce+unsubscribe ( -at -) opensuse.org

For additional commands, e-mail: opensuse-security-announce+help ( -at -) opensuse.org

Sign In

[security-announce] openSUSE-SU-2016:2168-1: important: Security update for phpMyAdmin

Recommended Posts

news 28

Share this post

Link to post

Please sign in to comment

Browse

Activity