Bug 560408 (CVE-2015-6830) - <dev-db/phpmyadmin-{4.3.13.3,4.4.14.1}: Bypassing the reCaptcha test (CVE-2015-6830)
Summary: <dev-db/phpmyadmin-{4.3.13.3,4.4.14.1}: Bypassing the reCaptcha test (CVE-201...
Status: RESOLVED FIXED
Alias: CVE-2015-6830
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All
OS: Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B3 [noglsa/cve/]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-09-14 09:10 UTC by Agostino Sarubbo
Modified: 2015-11-28 21:27 UTC
Description Agostino Sarubbo gentoo-dev 2015-09-14 09:10:46 UTC
From ${URL} :

A vulnerability was found that allows completing the reCaptcha test and subsequently performing a brute-force attack
to guess user credentials without having to complete further reCaptcha tests. This
vulnerability only affects installations with the reCaptcha test enabled. Affected versions are 4.3.x
(prior to 4.3.13.2) and 4.4.x (prior to 4.4.14.1).

Upstream patches:
Fix for 4.3: 
https://github.com/phpmyadmin/phpmyadmin/commit/0314e67900f01410bc8c81c58a40dc0515e3c91d
Fix for 4.4: 
https://github.com/phpmyadmin/phpmyadmin/commit/785f4e2711848eb8945894199d5870253a88584e


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know whether it is ready for stabilization or not.
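The flaw described in the advisory text above has the shape of a captcha whose "solved" state outlives the single login attempt it was meant to gate. The following is an added illustration, not phpMyAdmin's code and not a reproduction of the exact upstream defect: it is an assumed minimal login handler in which the vulnerable variant caches the captcha result in the session and never invalidates it, while the hardened variant demands a freshly solved captcha on every attempt. The credentials, the session object and the `captcha_is_valid` stub standing in for the reCaptcha verification call are all constructed for the example.

```python
"""Constructed illustration of a captcha-gating flaw (not phpMyAdmin code).

A login endpoint is protected by a captcha. In the vulnerable variant the
"captcha solved" state is stored in the session once and never cleared, so
after one solved captcha every later credential guess in that session skips
the check. The hardened variant requires a fresh captcha for every attempt.
"""
from dataclasses import dataclass, field

# Constructed credentials for the example; nothing here is a real account.
VALID_USER = ("root", "s3cret")


def captcha_is_valid(token: str) -> bool:
    """Stand-in for the call to the captcha verification service (assumption).

    A real verifier would submit the response token to the provider; here a
    fixed string models a token the human actually solved.
    """
    return token == "solved"


@dataclass
class Session:
    """Minimal server-side session store keyed by the user's cookie."""
    data: dict = field(default_factory=dict)


def login_vulnerable(session: Session, username: str, password: str,
                     captcha_token: str) -> str:
    """Captcha result is cached in the session and never invalidated.

    Once captcha_ok is set, the branch that talks to the verifier is skipped
    for the rest of the session, so password guesses are no longer rate
    limited by the captcha at all.
    """
    if not session.data.get("captcha_ok"):
        if not captcha_is_valid(captcha_token):
            return "captcha_required"
        session.data["captcha_ok"] = True
    if (username, password) == VALID_USER:
        return "ok"
    return "bad_credentials"


def login_fixed(session: Session, username: str, password: str,
                captcha_token: str) -> str:
    """Every attempt must carry its own freshly solved captcha; nothing is cached."""
    if not captcha_is_valid(captcha_token):
        return "captcha_required"
    if (username, password) == VALID_USER:
        return "ok"
    return "bad_credentials"


def brute_force(login, session: Session, candidates: list) -> tuple:
    """Simulate the attack from the advisory: solve one captcha, then keep
    guessing passwords without solving any further captchas.

    Returns (outcome, attempts_made, password_found_or_None) where outcome is
    "ok" (credentials guessed), "blocked" (captcha demanded again) or
    "exhausted" (wordlist used up).
    """
    for i, pw in enumerate(candidates):
        token = "solved" if i == 0 else ""  # only the first attempt is human-solved
        result = login(session, "root", pw, token)
        if result == "ok":
            return ("ok", i + 1, pw)
        if result == "captcha_required":
            return ("blocked", i + 1, None)
    return ("exhausted", len(candidates), None)


if __name__ == "__main__":
    wordlist = ["password", "admin", "s3cret"]  # constructed wordlist
    print("vulnerable:", brute_force(login_vulnerable, Session(), wordlist))
    print("fixed:     ", brute_force(login_fixed, Session(), wordlist))
```

Against the vulnerable handler the attacker solves one captcha and then walks the whole wordlist unchallenged; against the fixed handler the second guess is already refused. If the captcha must be verified in a separate request from the credential check, the equivalent fix is to consume the session flag (pop it) on every login attempt, successful or not, so that each attempt costs exactly one solved captcha.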
Comment 1 Jorge Manuel B. S. Vicetto (RETIRED) gentoo-dev 2015-09-18 18:56:14 UTC
18:49 < gentoovcs> jmbsvicetto → repo/gentoo (dev-db/phpmyadmin/) Bump phpmyadmin to releases 4.4.13.3, 4.4.14.1 and 4.5.0_rc1 - fixes bug 560408 (CVE-2015-6830).
18:49 < willikins> gentoovcs: https://bugs.gentoo.org/560408 "dev-db/phpmyadmin: Bypassing the reCaptcha test"; Gentoo Security, Vulnerabilities; IN_P; ago:security

Bump done.

(In reply to Agostino Sarubbo from comment #0)
> @maintainer(s): after the bump, in case we need to stabilize the package,
> please let us know whether it is ready for stabilization or not.

To be able to drop the old versions, we need to get newer versions marked stable.

I would like to get the following keywords:

KEYWORDS="alpha amd64 hppa ppc ppc64 sparc x86"

for these versions:

=dev-db/phpmyadmin-4.3.13.3
=dev-db/phpmyadmin-4.4.14.1
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2015-09-19 05:02:59 UTC
Stable for HPPA PPC64.
Comment 3 Tobias Klausmann (RETIRED) gentoo-dev 2015-09-19 15:42:08 UTC
Both stable for alpha.
Comment 4 Agostino Sarubbo gentoo-dev 2015-09-23 10:03:03 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2015-09-23 10:04:15 UTC
x86 stable
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-10-10 15:57:35 UTC
sparc stable
Comment 7 Agostino Sarubbo gentoo-dev 2015-11-04 14:38:21 UTC
ppc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2015-11-09 22:03:48 UTC
Vote: NO.
Comment 9 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-11-09 22:23:18 UTC
GLSA Vote: No
Comment 10 Jorge Manuel B. S. Vicetto (RETIRED) gentoo-dev 2015-11-10 18:45:24 UTC
The affected versions were dropped[1].

 [1] - https://gitweb.gentoo.org/repo/gentoo.git/tree/dev-db/phpmyadmin/
Comment 11 Yury German Gentoo Infrastructure gentoo-dev 2015-11-28 21:27:45 UTC
Thank you all. Closing as noglsa.