Bug 569800 (CVE-2015-8669) - <dev-db/phpmyadmin-{4.4.15.2,4.5.3.1}: path disclosure (CVE-2015-8669)
Summary: <dev-db/phpmyadmin-{4.4.15.2,4.5.3.1}: path disclosure (CVE-2015-8669)
Status: RESOLVED FIXED
Alias: CVE-2015-8669
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://www.phpmyadmin.net/security/P...
Whiteboard: B4 [noglsa/cve]
Keywords:
Depends on:
Blocks: 564238
Reported: 2015-12-26 12:28 UTC by Agostino Sarubbo
Modified: 2016-01-19 17:11 UTC (History)
CC: 2 users

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2015-12-26 12:28:39 UTC
From ${URL} :

PMASA-2015-6

Announcement-ID: PMASA-2015-6

Date: 2015-12-25

Summary

Full path disclosure vulnerability

Description

By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed.

Severity

We consider these vulnerabilities to be non-critical.

Mitigation factor

This path disclosure is possible on servers where the recommended setting of the PHP configuration directive display_errors is set to on, which is against the recommendations given in the PHP manual for a production server.

Affected Versions

Versions 4.0.x (prior to 4.0.10.12), 4.4.x (prior to 4.4.15.2) and 4.5.x (prior to 4.5.3.1) are affected.

Solution

Upgrade to phpMyAdmin 4.0.10.12 or newer, 4.4.15.2 or newer, 4.5.3.1 or newer or apply patch listed below.

References

Thanks to Do9gy of Tencent Security for reporting this issue.

Assigned CVE ids: 2015-8669

CWE ids: CWE-661 CWE-200

Patches

The following commits have been made on the 4.0 branch to fix this issue:

f79d30dd98e02411e33367b01af86d4125630792

The following commits have been made on the 4.4 branch to fix this issue:

583cb1ede5f8c81bf3f5cf90a8d1b9d8e62ae6ad

The following commits have been made on the 4.5 branch to fix this issue:

c4d649325b25139d7c097e56e2e46cc7187fae45


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
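The advisory's mitigation note comes down to one server-side setting: with display_errors off (as the PHP manual recommends for production) the error message, and the install path inside it, never reaches the client. Below is an added example, not code from phpMyAdmin, the advisory or this bug, of the check an administrator would run over a php.ini before deploying: it parses the file and flags display_errors and the related directives that either expose error details or leave the server without a log of the errors it now hides. The directive names are real PHP settings; the function names, the two sample php.ini texts and the error_log path are constructed for the demonstration.

```python
"""Audit php.ini text for directives that expose PHP error output to clients.

Added example for PMASA-2015-6 / CVE-2015-8669; not phpMyAdmin or Gentoo code.
Directive names are real PHP settings; the sample ini contents below, the
function names and the error_log path are constructed for this demonstration.
"""

# Values PHP accepts as "enabled" for boolean ini directives.  For
# display_errors, "stdout" and "stderr" also turn display on.
_TRUE = {"1", "on", "yes", "true"}
_DISPLAY_TRUE = _TRUE | {"stdout", "stderr"}


def parse_php_ini(text):
    """Return {directive (lower-cased): value} from php.ini-style text.

    Strips ';' comments, skips [section] headers and blank lines, removes
    surrounding quotes from values, and lets a repeated key override an
    earlier one, as PHP does within a single file.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"').strip("'")
    return settings


def audit_php_ini(text):
    """Return (directive, value, finding) tuples for risky error settings."""
    s = parse_php_ini(text)
    findings = []

    def val(key, default=""):
        return s.get(key, default).strip().lower()

    # PHP's compiled-in default for display_errors is "1", so a php.ini that
    # never mentions the directive still shows errors to clients
    # (php.ini-production sets it Off explicitly).
    if val("display_errors", default="1") in _DISPLAY_TRUE:
        findings.append(("display_errors",
                         s.get("display_errors", "<unset: PHP default is 1>"),
                         "PHP error messages, including full script paths, "
                         "are sent to the client"))
    if val("display_startup_errors") in _TRUE:
        findings.append(("display_startup_errors", s["display_startup_errors"],
                         "startup errors are sent to the client"))
    # Only flag log_errors when the file explicitly disables it: hiding
    # errors from clients is only safe if they are still recorded somewhere.
    if "log_errors" in s and val("log_errors") not in _TRUE:
        findings.append(("log_errors", s["log_errors"],
                         "server-side error logging is disabled; errors hidden "
                         "from clients are recorded nowhere"))
    if val("expose_php") in _TRUE:
        findings.append(("expose_php", s["expose_php"],
                         "X-Powered-By header reveals the PHP version"))
    return findings


# Constructed sample: a development-style php.ini left on a production host.
VULNERABLE_INI = """\
[PHP]
error_reporting = E_ALL
display_errors = On
display_startup_errors = On
log_errors = Off
expose_php = On
"""

# Constructed sample: the settings php.ini-production recommends.
HARDENED_INI = """\
[PHP]
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
display_errors = Off
display_startup_errors = Off
log_errors = On
error_log = /var/log/php/error.log   ; constructed path
expose_php = Off
"""


if __name__ == "__main__":
    for name, ini in (("vulnerable", VULNERABLE_INI), ("hardened", HARDENED_INI)):
        print(f"{name}:")
        for directive, value, finding in audit_php_ini(ini) or []:
            print(f"  {directive} = {value}: {finding}")
        if not audit_php_ini(ini):
            print("  no findings")
```

The same parser also catches the quiet case the advisory depends on: a php.ini that simply omits display_errors is reported, because PHP's built-in default turns display on, and `display_errors = stderr` or `stdout` is treated as enabled rather than as a harmless string.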
Comment 1 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2015-12-27 12:39:28 UTC
12:34 < gentoovcs> jmbsvicetto → repo/gentoo (dev-db/phpmyadmin/) Version bump (CVE-2015-8669) - fixes bug 569800.
12:34 < willikins> gentoovcs: https://bugs.gentoo.org/569800 "dev-db/phpmyadmin: path disclosure"; Gentoo Security, Vulnerabilities; IN_P; ago:security

Bump done.

@arch teams:

Requested KEYWORDS="alpha amd64 hppa ppc ppc64 sparc x86"
=dev-db/phpmyadmin-4.4.15.2
=dev-db/phpmyadmin-4.5.3.1
Comment 2 Agostino Sarubbo gentoo-dev 2015-12-27 13:38:02 UTC
amd64 stable
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2016-01-02 17:46:05 UTC
Stable for HPPA PPC64.
Comment 4 Agostino Sarubbo gentoo-dev 2016-01-09 07:10:28 UTC
sparc stable
Comment 5 Agostino Sarubbo gentoo-dev 2016-01-10 11:22:55 UTC
alpha stable
Comment 6 Agostino Sarubbo gentoo-dev 2016-01-17 17:25:07 UTC
ppc stable
Comment 7 Andreas Schürch gentoo-dev 2016-01-19 16:19:25 UTC
x86 done, last arch!
Comment 8 Tobias Heinlein (RETIRED) gentoo-dev 2016-01-19 17:11:29 UTC
No GLSA, closing, thanks everyone.