Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 573286 - <dev-db/phpmyadmin-{4.0.10.15,4.4.15.5,4.5.5.1}: multiple vulnerabilities (CVE-2016-{2038,2039,2040,2041,2042,2043,2044,2045})
Summary: <dev-db/phpmyadmin-{4.0.10.15,4.4.15.5,4.5.5.1}: multiple vulnerabilities (CV...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B4 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-01-29 09:13 UTC by Agostino Sarubbo
Modified: 2016-07-06 04:32 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2016-02-08 18:22:40 UTC 
18:21 < gentoovcs> jmbsvicetto → repo/gentoo (dev-db/phpmyadmin/) Security bump and subsequent bugfix update - fixes bug 573286.
Comment 2 Toralf Förster gentoo-dev 2016-02-08 18:43:49 UTC 
(In reply to Jorge Manuel B. S. Vicetto from comment #1)
and now there's no stable version ?
Comment 3 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2016-02-08 21:16:12 UTC 
(In reply to Toralf Förster from comment #2)
> (In reply to Jorge Manuel B. S. Vicetto from comment #1)
> and now there's no stable version ?

21:09 < gentoovcs> jmbsvicetto → repo/gentoo (dev-db/phpmyadmin/) Restore last stable version - dropped it by mistake.

Apologies, that was done by mistake.

@arch teams:

Can you please add stable keywords for
=dev-db/phpmyadmin-4.0.10.14
=dev-db/phpmyadmin-4.4.15.4
=dev-db/phpmyadmin-4.5.4.1

Desired keywords:
KEYWORDS="alpha amd64 hppa ~ia64 ppc ppc64 sparc x86 ~x86-fbsd ~ppc-macos ~x64-macos ~x86-macos"
Comment 4 Tobias Klausmann (RETIRED) gentoo-dev 2016-02-09 14:54:42 UTC 
Stable on alpha.
Comment 5 Richard Freeman gentoo-dev 2016-02-10 23:21:32 UTC 
amd64 stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2016-02-12 07:23:43 UTC 
Stable for HPPA PPC64.
Comment 7 Agostino Sarubbo gentoo-dev 2016-03-15 16:40:03 UTC 
x86 stable
Comment 8 Agostino Sarubbo gentoo-dev 2016-03-16 14:11:18 UTC 
ppc stable
Comment 9 Agostino Sarubbo gentoo-dev 2016-03-19 12:30:32 UTC 
sparc stable.

Maintainer(s), please cleanup.
Comment 10 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2016-03-19 14:30:53 UTC 
14:29 < gentoovcs> jmbsvicetto → repo/gentoo (dev-db/phpmyadmin/) Drop vulnerable version - fixes bug 573286.
14:29 < willikins> gentoovcs: https://bugs.gentoo.org/573286 "dev-db/phpmyadmin: multiple vulnerabilities"; Gentoo Security, Vulnerabilities; IN_P; ago:security

Cleanup done.
Comment 11 GLSAMaker/CVETool Bot gentoo-dev 2016-06-30 11:55:29 UTC 
CVE-2016-2045 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2045):
  Cross-site scripting (XSS) vulnerability in the SQL editor in phpMyAdmin
  4.5.x before 4.5.4 allows remote authenticated users to inject arbitrary web
  script or HTML via a SQL query that triggers JSON data in a response.

CVE-2016-2044 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2044):
  libraries/sql-parser/autoload.php in the SQL parser in phpMyAdmin 4.5.x
  before 4.5.4 allows remote attackers to obtain sensitive information via a
  crafted request, which reveals the full path in an error message.

CVE-2016-2043 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2043):
  Cross-site scripting (XSS) vulnerability in the goToFinish1NF function in
  js/normalization.js in phpMyAdmin 4.4.x before 4.4.15.3 and 4.5.x before
  4.5.4 allows remote authenticated users to inject arbitrary web script or
  HTML via a table name to the normalization page.

CVE-2016-2042 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2042):
  phpMyAdmin 4.4.x before 4.4.15.3 and 4.5.x before 4.5.4 allows remote
  attackers to obtain sensitive information via a crafted request to (1)
  libraries/phpseclib/Crypt/AES.php or (2)
  libraries/phpseclib/Crypt/Rijndael.php, which reveals the full path in an
  error message.

CVE-2016-2041 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2041):
  libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before
  4.4.15.3, and 4.5.x before 4.5.4 does not use a constant-time algorithm for
  comparing CSRF tokens, which makes it easier for remote attackers to bypass
  intended access restrictions by measuring time differences.

CVE-2016-2040 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2040):
  Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x
  before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 allow remote
  authenticated users to inject arbitrary web script or HTML via a (1) table
  name, (2) SET value, (3) search query, or (4) hostname in a Location header.

CVE-2016-2039 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2039):
  libraries/session.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before
  4.4.15.3, and 4.5.x before 4.5.4 does not properly generate CSRF token
  values, which allows remote attackers to bypass intended access restrictions
  by predicting a value.

CVE-2016-2038 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2038):
  phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before
  4.5.4 allows remote attackers to obtain sensitive information via a crafted
  request, which reveals the full path in an error message.
Comment 12 Aaron Bauman (RETIRED) gentoo-dev 2016-06-30 11:58:26 UTC 
GLSA Vote: No