| Summary: | <dev-db/phpmyadmin-{2.11.9.6, 3.2.2.1}: SQLi, XSS (CVE-2009-{3696,3697}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Alex Legler (RETIRED) <a3li> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | web-apps |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.phpmyadmin.net/home_page/news.php#phpMyAdmin_3.2.2.1_and_2.11.9.6_are_released | | |
| Whiteboard: | B3 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
Description
Alex Legler (RETIRED)
2009-10-13 16:31:06 UTC
Arches, please test and mark stable: =dev-db/phpmyadmin-2.11.9.6

Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"

For the record:

```
+*phpmyadmin-3.2.2.1 (13 Oct 2009)
+*phpmyadmin-2.11.9.6 (13 Oct 2009)
+
+  13 Oct 2009; Alex Legler <a3li@gentoo.org> -phpmyadmin-2.11.9.4.ebuild,
+  +phpmyadmin-2.11.9.6.ebuild, -phpmyadmin-3.2.0.1.ebuild,
+  -phpmyadmin-3.2.2.ebuild, +phpmyadmin-3.2.2.1.ebuild:
+  Non-maintainer commit: Version bump for security bug 288899. Removing
+  unneded vulnerable versions.
+
```

amd64 stable

x86 stable

Stable for HPPA.

Stable on alpha.

CVE-2009-3696 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3696):
Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.11.x before 2.11.9.6 and 3.x before 3.2.2.1 allows remote attackers to inject arbitrary web script or HTML via a crafted name for a MySQL table.

CVE-2009-3697 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3697):
SQL injection vulnerability in the PDF schema generator functionality in phpMyAdmin 2.11.x before 2.11.9.6 and 3.x before 3.2.2.1 allows remote attackers to execute arbitrary SQL commands via unspecified interface parameters.

ppc64 done

sparc stable

ppc stable

Vote: no, as phpmyadmin should be protected properly (hidden dir, htaccess, ip-filter etc.) and is well-known for having a long security history.

NO too, closing.
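Review bot: in the ChangeLog hunk quoted under "For the record" in the description, the continuation line "+  unneded vulnerable versions." carries a typo; the entry should read "Removing unneeded vulnerable versions."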