| Summary: | dev-db/phpmyadmin-4.6.6: multiple vulnerabilities | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Thomas Deutschmann (RETIRED) <whissi> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | jmbsvicetto, web-apps |
| Priority: | Normal | Flags: | stable-bot: sanity-check+ |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | https://www.phpmyadmin.net/news/2017/1/23/phpmyadmin-466-441510-and-401019-are-released/ | | |
| Whiteboard: | B3 [noglsa] | | |
| Package list: | =dev-db/phpmyadmin-4.6.6 alpha amd64 hppa ppc ppc64 sparc x86 | | |
| Runtime testing required: | --- | | |
Description
Thomas Deutschmann (RETIRED)
2017-01-24 01:25:01 UTC
21:42 < gentoovcs> jmbsvicetto → repo/gentoo (dev-db/phpmyadmin/) dev-db/phpmyadmin: Security releases - 4.0.10.19, 4.4.15.10, 4.6.6 (PMASA-2017-{1-7}) - bug 606972.
21:42 < willikins> gentoovcs: https://bugs.gentoo.org/606972 "dev-db/phpmyadmin: multiple vulnerabilities"; Gentoo Security, Vulnerabilities; IN_P; whissi:security

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0b8991c824deb93164638bef8097efe94ed764a0

@arch teams: please mark stable dev-db/phpmyadmin-4.6.6

Requested KEYWORDS: "alpha amd64 hppa ppc ppc64 sparc x86"

To avoid any confusion, although by mistake I mentioned the 4.4.15.10 release, I did not add it to the tree - only to my overlay. My apologies for not "fixing" the commit message.

PMASA-2017-1: It was possible to trick phpMyAdmin to redirect to insecure using a special request path. All 4.6.x versions (prior to 4.6.6), 4.4.x versions (prior to 4.4.15.10), and 4.0.x versions (prior to 4.0.10.19) are affected.

PMASA-2017-2: The php-gettext library can suffer from code execution. However, there is no way to trigger this inside phpMyAdmin. phpMyAdmin is not vulnerable; we're just fixing a bug in the embedded library which cannot be exploited within phpMyAdmin.

PMASA-2017-3: It was possible to trigger a recursive include operation by crafted parameters when editing table data. All 4.6.x versions (prior to 4.6.6), 4.4.x versions (prior to 4.4.15.10), and 4.0.x versions (prior to 4.0.10.19) are affected.

PMASA-2017-4: It was possible to cause CSS injection in themes by crafted cookie parameters. All 4.6.x versions (prior to 4.6.6), 4.4.x versions (prior to 4.4.15.10), and 4.0.x versions (prior to 4.0.10.19) are affected.

PMASA-2017-5: A vulnerability was found where, under some circumstances, an attacker can inject arbitrary values in the browser cookies. This was incompletely fixed in PMASA-2016-18. All 4.6.x versions (prior to 4.6.6) are affected.

amd64 stable

x86 stable

Stable on alpha.

Stable for HPPA PPC64.

ppc stable

GLSA Vote: No

sparc stable.

Maintainer(s), please cleanup.

Repository is clean, all done.