https://www.phpmyadmin.net/security/PMASA-2016-1
https://www.phpmyadmin.net/security/PMASA-2016-2
https://www.phpmyadmin.net/security/PMASA-2016-3
https://www.phpmyadmin.net/security/PMASA-2016-4
https://www.phpmyadmin.net/security/PMASA-2016-5
https://www.phpmyadmin.net/security/PMASA-2016-6
https://www.phpmyadmin.net/security/PMASA-2016-7
https://www.phpmyadmin.net/security/PMASA-2016-8
https://www.phpmyadmin.net/security/PMASA-2016-9
18:21 < gentoovcs> jmbsvicetto → repo/gentoo (dev-db/phpmyadmin/) Security bump and subsequent bugfix update - fixes bug 573286.
(In reply to Jorge Manuel B. S. Vicetto from comment #1)
and now there's no stable version?
(In reply to Toralf Förster from comment #2)
> (In reply to Jorge Manuel B. S. Vicetto from comment #1)
> and now there's no stable version?

21:09 < gentoovcs> jmbsvicetto → repo/gentoo (dev-db/phpmyadmin/) Restore last stable version - dropped it by mistake.

Apologies, that was done by mistake.

@arch teams: Can you please add stable keywords for
=dev-db/phpmyadmin-4.0.10.14
=dev-db/phpmyadmin-4.4.15.4
=dev-db/phpmyadmin-4.5.4.1

Desired keywords: KEYWORDS="alpha amd64 hppa ~ia64 ppc ppc64 sparc x86 ~x86-fbsd ~ppc-macos ~x64-macos ~x86-macos"
Stable on alpha.
amd64 stable
Stable for HPPA PPC64.
x86 stable
ppc stable
sparc stable. Maintainer(s), please cleanup.
14:29 < gentoovcs> jmbsvicetto → repo/gentoo (dev-db/phpmyadmin/) Drop vulnerable version - fixes bug 573286.
14:29 < willikins> gentoovcs: https://bugs.gentoo.org/573286 "dev-db/phpmyadmin: multiple vulnerabilities"; Gentoo Security, Vulnerabilities; IN_P; ago:security

Cleanup done.
CVE-2016-2045 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2045): Cross-site scripting (XSS) vulnerability in the SQL editor in phpMyAdmin 4.5.x before 4.5.4 allows remote authenticated users to inject arbitrary web script or HTML via a SQL query that triggers JSON data in a response.

CVE-2016-2044 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2044): libraries/sql-parser/autoload.php in the SQL parser in phpMyAdmin 4.5.x before 4.5.4 allows remote attackers to obtain sensitive information via a crafted request, which reveals the full path in an error message.

CVE-2016-2043 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2043): Cross-site scripting (XSS) vulnerability in the goToFinish1NF function in js/normalization.js in phpMyAdmin 4.4.x before 4.4.15.3 and 4.5.x before 4.5.4 allows remote authenticated users to inject arbitrary web script or HTML via a table name to the normalization page.

CVE-2016-2042 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2042): phpMyAdmin 4.4.x before 4.4.15.3 and 4.5.x before 4.5.4 allows remote attackers to obtain sensitive information via a crafted request to (1) libraries/phpseclib/Crypt/AES.php or (2) libraries/phpseclib/Crypt/Rijndael.php, which reveals the full path in an error message.

CVE-2016-2041 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2041): libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not use a constant-time algorithm for comparing CSRF tokens, which makes it easier for remote attackers to bypass intended access restrictions by measuring time differences.

CVE-2016-2040 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2040): Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 allow remote authenticated users to inject arbitrary web script or HTML via a (1) table name, (2) SET value, (3) search query, or (4) hostname in a Location header.

CVE-2016-2039 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2039): libraries/session.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not properly generate CSRF token values, which allows remote attackers to bypass intended access restrictions by predicting a value.

CVE-2016-2038 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2038): phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 allows remote attackers to obtain sensitive information via a crafted request, which reveals the full path in an error message.
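The eight NVD entries above each state their affected branches as "X.Y.x before Z". The script below, an added example that is not part of this bug report, of Gentoo's tooling or of phpMyAdmin, transcribes those ranges into a table and reports which of the CVEs a given installed version is still exposed to. The function names, the handling of Gentoo "-rN" revision suffixes, and the sample versions are this example's own assumptions; the version ranges are taken verbatim from the advisory text quoted here.

```python
"""Map a phpMyAdmin version to the CVEs from this bug that still affect it.

Added example (not from the bug report, Gentoo or phpMyAdmin). The affected
ranges are transcribed from the NVD descriptions quoted in the bug: each entry
is (branch, first fixed version), meaning "branch.x before first fixed".
"""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Ranges shared by the four CVEs that cover all three maintained branches.
ALL_BRANCHES = [("4.0", "4.0.10.13"), ("4.4", "4.4.15.3"), ("4.5", "4.5.4")]

AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "CVE-2016-2038": ALL_BRANCHES,
    "CVE-2016-2039": ALL_BRANCHES,
    "CVE-2016-2040": ALL_BRANCHES,
    "CVE-2016-2041": ALL_BRANCHES,
    "CVE-2016-2042": [("4.4", "4.4.15.3"), ("4.5", "4.5.4")],
    "CVE-2016-2043": [("4.4", "4.4.15.3"), ("4.5", "4.5.4")],
    "CVE-2016-2044": [("4.5", "4.5.4")],
    "CVE-2016-2045": [("4.5", "4.5.4")],
}


def parse_version(text: str) -> Version:
    """'4.4.15.3' -> (4, 4, 15, 3).

    A Gentoo ebuild revision such as '4.4.15.3-r1' is the same upstream
    release, so the '-rN' suffix is dropped (assumption of this example).
    """
    upstream = text.strip().split("-r", 1)[0]
    return tuple(int(part) for part in upstream.split("."))


def in_branch(version: Version, branch: str) -> bool:
    """True when version lies in the 'branch.x' series, e.g. 4.5.3 in '4.5'."""
    prefix = parse_version(branch)
    return version[: len(prefix)] == prefix


def affecting_cves(installed: str) -> List[str]:
    """Return the sorted CVE ids whose stated range contains `installed`.

    Tuple comparison gives the right answer for differing lengths:
    (4, 5, 4, 1) > (4, 5, 4), so 4.5.4.1 is not 'before 4.5.4'.
    An empty list only means 'outside every range listed in these
    advisories'; a version on an unlisted branch (4.3.x, 4.6.x) is not
    assessed by this bug and gets no verdict here.
    """
    version = parse_version(installed)
    hits = []
    for cve, ranges in AFFECTED.items():
        for branch, first_fixed in ranges:
            if in_branch(version, branch) and version < parse_version(first_fixed):
                hits.append(cve)
                break
    return sorted(hits)


def stabilization_is_clean(candidates: List[str]) -> bool:
    """True when none of the versions proposed for stable keywords is affected."""
    return all(not affecting_cves(v) for v in candidates)


if __name__ == "__main__":
    # Sample versions (constructed): the last vulnerable release per branch
    # and the three versions the maintainer asked the arch teams to stabilize.
    for v in ["4.0.10.12", "4.4.15.2", "4.5.3", "4.4.15.3-r1", "4.0.10.14", "4.4.15.4", "4.5.4.1"]:
        print(f"{v:>12}: {affecting_cves(v) or 'not in any listed range'}")
    print("stabilization candidates clean:",
          stabilization_is_clean(["4.0.10.14", "4.4.15.4", "4.5.4.1"]))
```

The table is deliberately the only thing a maintainer has to edit when a follow-up advisory widens a range, and the "-rN" stripping is what makes the check usable against `qlist -Iv dev-db/phpmyadmin` output, where Gentoo revisions appear.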
GLSA Vote: No