news 28 Posted May 18, 2009 This is a multi-part message in MIME format... ------------=_1242658118-27111-3695 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2009:115 http://www.mandriva.com/security/ _______________________________________________________________________ Package : phpMyAdmin Date : May 18, 2009 Affected: Corporate 4.0 _______________________________________________________________________ Problem Description: Multiple vulnerabilities has been identified and corrected in phpMyAdmin: Multiple cross-site scripting (XSS) vulnerabilities in the export page (display_export.lib.php) in phpMyAdmin 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 allow remote attackers to inject arbitrary web script or HTML via the pma_db_filename_template cookie (CVE-2009-1150). Static code injection vulnerability in setup.php in phpMyAdmin 2.11.x before 2.11.9.5 and 3.x before 3.1.3.1 allows remote attackers to inject arbitrary PHP code into a configuration file via the save action (CVE-2009-1151). This update provides phpMyAdmin 2.11.9.5, which is not vulnerable to these issues. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1150 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1151 http://www.phpmyadmin.net/home_page/security/PMASA-2009-2.php http://www.phpmyadmin.net/home_page/security/PMASA-2009-3.php _______________________________________________________________________ Updated Packages: Corporate 4.0: 164497e66c148faf7c15cd8c3bf5f297 corporate/4.0/i586/phpMyAdmin-2.11.9.5-0.1.20060mlcs4.noarch.rpm daf52104b152a84c8afaaa27b6444144 corporate/4.0/SRPMS/phpMyAdmin-2.11.9.5-0.1.20060mlcs4.src.rpm Corporate 4.0/X86_64: 5e3ce1455f31575daff865f6d909677b corporate/4.0/x86_64/phpMyAdmin-2.11.9.5-0.1.20060mlcs4.noarch.rpm daf52104b152a84c8afaaa27b6444144 corporate/4.0/SRPMS/phpMyAdmin-2.11.9.5-0.1.20060mlcs4.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFKEUo8mqjQ0CJFipgRAlL1AJ9Xgq7pjJks6GcBmfP3kY19ABKI5QCg5SSX 6aDnPWeYfBrI2ZWltHj0xEY= =Xf41 -----END PGP SIGNATURE----- ------------=_1242658118-27111-3695 Content-Type: text/plain; name="message-footer.txt" Content-Disposition: inline; filename="message-footer.txt" Content-Transfer-Encoding: 8bit To unsubscribe, send a email to sympa ( -at -) mandrivalinux.org with this subject : unsubscribe security-announce _______________________________________________________ Want to buy your Pack or Services from Mandriva? Go to http://www.mandrivastore.com Join the Club : http://www.mandrivaclub.com _______________________________________________________ ------------=_1242658118-27111-3695-- Share this post Link to post