
Bug 215502 (CVE-2008-1567)

Summary: dev-db/phpmyadmin <2.11.5.1 Local session data disclosure (CVE-2008-1567)
Product: Gentoo Security
Reporter: Hanno Böck <hanno>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: mysql-bugs, web-apps
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-2
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description Hanno Böck gentoo-dev 2008-03-30 23:22:12 UTC
Advisory from phpmyadmin:

Summary:
Credentials disclosure on shared hosts via session data

Description:
We received an advisory from Jim Hermann, and we wish to thank him for his work. phpMyAdmin saves sensitive information like the MySQL username and password and the Blowfish secret key in session data, which might be unprotected on a shared host.

2.11.5.1 fixes this, please bump.
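
Added example, not part of the bug report or of phpMyAdmin's code: a minimal audit of a PHP file-based session directory for the exposure the advisory describes, flagging session files that other local accounts can read. It assumes PHP's default `sess_` file-name prefix; the directory path is supplied by the caller, and the demo runs on constructed files.

```python
import os
import stat
import tempfile

def audit_session_dir(path):
    """Return a list of (item, problem) findings for a PHP session directory."""
    findings = []
    dmode = os.stat(path).st_mode
    # Other accounts that can list the directory learn the session file names.
    if dmode & stat.S_IROTH:
        findings.append((path, "directory listable by other users"))
    # A world-writable directory without the sticky bit lets others replace files.
    if dmode & stat.S_IWOTH and not dmode & stat.S_ISVTX:
        findings.append((path, "world-writable without sticky bit"))
    for name in sorted(os.listdir(path)):
        if not name.startswith("sess_"):  # assumption: default PHP file naming
            continue
        full = os.path.join(path, name)
        st = os.lstat(full)
        if not stat.S_ISREG(st.st_mode):
            findings.append((full, "not a regular file"))
            continue
        if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append((full, "readable by group or other users"))
    return findings

def demo():
    """Build a constructed session directory and audit it."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o755)
        for name, mode in (("sess_constructed_a", 0o600),
                           ("sess_constructed_b", 0o644)):
            p = os.path.join(d, name)
            with open(p, "w") as fh:
                fh.write("constructed placeholder, not real session data\n")
            os.chmod(p, mode)
        return [(os.path.basename(i), why) for i, why in audit_session_dir(d)]

if __name__ == "__main__":
    for item, why in demo():
        print(f"{item}: {why}")
```

File modes only separate accounts: where every site on the host runs under the same web-server user, a clean result here does not mean the session files are isolated between sites.
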
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-04-01 13:10:00 UTC
*** Bug 215692 has been marked as a duplicate of this bug. ***
Comment 2 Benedikt Böhm (RETIRED) gentoo-dev 2008-04-03 09:00:08 UTC
2.11.5.1 in portage
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-04-03 09:57:17 UTC
Arches, please test and mark stable:
=dev-db/phpmyadmin-2.11.5.1
Target keywords : "alpha amd64 hppa ppc ppc64 release sparc x86"
Comment 4 Markus Rothe (RETIRED) gentoo-dev 2008-04-03 19:22:59 UTC
ppc64 stable
Comment 5 Markus Meier gentoo-dev 2008-04-03 19:52:42 UTC
amd64/x86 stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2008-04-06 14:43:49 UTC
Stable for HPPA.
Comment 7 Tobias Scherbaum (RETIRED) gentoo-dev 2008-04-06 20:22:30 UTC
ppc stable
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2008-04-07 20:20:41 UTC
alpha/sparc stable
Comment 9 Peter Volkov (RETIRED) gentoo-dev 2008-04-08 05:37:16 UTC
Fixed in release snapshot.