Bug 303761 (CVE-2009-4605)

Summary: <=dev-db/phpmyadmin-2.11.10 CSRF (CVE-2009-4605)
Product: Gentoo Security Reporter: Stefan Behte (RETIRED) <craig>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: erwan, web-apps
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/branches/QA_2_11/phpMyAdmin/scripts/setup.php?r1=13149&r2=13148&pathrev=13149
Whiteboard: B3 [noglsa]
Package list:
Runtime testing required: ---

Description Stefan Behte (RETIRED) gentoo-dev Security 2010-02-06 15:36:52 UTC
CVE-2009-4605 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4605):
  scripts/setup.php (aka the setup script) in phpMyAdmin 2.11.x before
  2.11.10 calls the unserialize function on the values of the (1)
  configuration and (2) v[0] parameters, which might allow remote
  attackers to conduct cross-site request forgery (CSRF) attacks via
  unspecified vectors.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2010-02-06 15:37:37 UTC
Hi webapps, please provide an updated newbuild.
Comment 2 Tobias Heinlein (RETIRED) gentoo-dev 2010-06-11 17:14:13 UTC
Bumped on behalf of security.

Arches, please test and mark stable:
=dev-db/phpmyadmin-2.11.10
Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"
Comment 3 Christian Faulhammer (RETIRED) gentoo-dev 2010-06-12 14:23:52 UTC
x86 stable, I am back.
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2010-06-13 17:04:18 UTC
Stable for HPPA.
Comment 5 Raúl Porcel (RETIRED) gentoo-dev 2010-06-20 18:09:05 UTC
alpha/sparc stable
Comment 6 Markus Meier gentoo-dev 2010-06-21 20:18:22 UTC
amd64 stable
Comment 7 Joe Jezak (RETIRED) gentoo-dev 2010-07-18 20:24:59 UTC
Marked ppc/ppc64 stable.
Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2010-08-01 12:39:18 UTC
Vote: no!
Comment 9 Tobias Heinlein (RETIRED) gentoo-dev 2010-08-14 14:40:38 UTC
NO too, closing.