Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 288899 (CVE-2009-3696) - <dev-db/phpmyadmin-{2.11.9.6, 3.2.2.1}: SQLi, XSS (CVE-2009-{3696,3697})
Summary: <dev-db/phpmyadmin-{2.11.9.6, 3.2.2.1}: SQLi, XSS (CVE-2009-{3696,3697})
Status: RESOLVED FIXED
Alias: CVE-2009-3696
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://www.phpmyadmin.net/home_page/n...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-10-13 16:31 UTC by Alex Legler (RETIRED)
Modified: 2010-06-11 16:34 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-10-13 16:31:06 UTC
Welcome to phpMyAdmin 2.11.9.6, a security release. The PMASA-2009-6 security
advisory will follow soon on http://www.phpmyadmin.net/home_page/security/. 

2.11.9.6 (2009-10-12)
- [security] XSS and SQL injection, thanks to Herman van Rink

(http://dfn.dl.sourceforge.net/project/phpmyadmin/phpMyAdmin/2.11.9.6/phpMyAdmin-2.11.9.6-notes.html)

Same for 3.x at http://dfn.dl.sourceforge.net/project/phpmyadmin/phpMyAdmin/3.2.2.1/phpMyAdmin-3.2.2.1-notes.html
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-10-13 16:41:40 UTC
Arches, please test and mark stable:
=dev-db/phpmyadmin-2.11.9.6
Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-10-13 16:42:00 UTC
For the record:

+*phpmyadmin-3.2.2.1 (13 Oct 2009)
+*phpmyadmin-2.11.9.6 (13 Oct 2009)
+
+  13 Oct 2009; Alex Legler <a3li@gentoo.org> -phpmyadmin-2.11.9.4.ebuild,
+  +phpmyadmin-2.11.9.6.ebuild, -phpmyadmin-3.2.0.1.ebuild,
+  -phpmyadmin-3.2.2.ebuild, +phpmyadmin-3.2.2.1.ebuild:
+  Non-maintainer commit: Version bump for security bug 288899. Removing
+  unneded vulnerable versions.
+
Comment 3 Richard Freeman gentoo-dev 2009-10-15 01:23:42 UTC
amd64 stable
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2009-10-16 10:45:32 UTC
x86 stable
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2009-10-16 13:46:06 UTC
Stable for HPPA.
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2009-10-16 17:55:31 UTC
Stable on alpha.
Comment 7 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-10-16 20:42:11 UTC
CVE-2009-3696 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3696):
  Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.11.x before
  2.11.9.6 and 3.x before 3.2.2.1 allows remote attackers to inject
  arbitrary web script or HTML via a crafted name for a MySQL table.

CVE-2009-3697 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3697):
  SQL injection vulnerability in the PDF schema generator functionality
  in phpMyAdmin 2.11.x before 2.11.9.6 and 3.x before 3.2.2.1 allows
  remote attackers to execute arbitrary SQL commands via unspecified
  interface parameters.

Comment 8 Brent Baude (RETIRED) gentoo-dev 2009-10-31 13:14:23 UTC
ppc64 done
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2009-10-31 14:49:04 UTC
sparc stable
Comment 10 nixnut (RETIRED) gentoo-dev 2009-11-21 18:55:48 UTC
ppc stable
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2009-12-18 02:02:11 UTC
Vote: no, as phpmyadmin should be protected properly (hidden dir, htaccess, ip-filter etc.) and is well-known for having a long security history.
Comment 12 Tobias Heinlein (RETIRED) gentoo-dev 2010-06-11 16:34:37 UTC
NO too, closing.