Bug 576136 (CVE-2016-1927, CVE-2016-2559, CVE-2016-2560, CVE-2016-2561, CVE-2016-2562) - <dev-db/phpmyadmin{4.0.10.15,4.4.15.5,4.5.5.1}: multiple vulnerabilities (CVE-2016-{1927,2559,2560,2561,2562})
Summary: <dev-db/phpmyadmin{4.0.10.15,4.4.15.5,4.5.5.1}: multiple vulnerabilities (CVE...
Status: RESOLVED FIXED
Alias: CVE-2016-1927, CVE-2016-2559, CVE-2016-2560, CVE-2016-2561, CVE-2016-2562
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: B3 [cve noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-03-01 17:35 UTC by Agostino Sarubbo
Modified: 2016-07-16 08:06 UTC (History)

See Also:
Package list:
Runtime testing required: ---
Comment 1 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2016-03-19 14:48:50 UTC
14:36 < gentoovcs> jmbsvicetto → repo/gentoo (dev-db/phpmyadmin/) Security bump to versions 4.0.10.15, 4.4.15.5 and 4.5.5.1 (PMASA-2016-10, PMASA-2016-11, PMASA-2016-12 and PMASA-2016-13) - bug 576136.
14:36 < willikins> gentoovcs: https://bugs.gentoo.org/576136 "dev-db/phpmyadmin: multiple vulnerabilities"; Gentoo Security, Vulnerabilities; IN_P; ago:security

@arch teams:

Can you please add stable keywords for
=dev-db/phpmyadmin-4.0.10.15
=dev-db/phpmyadmin-4.4.15.5

Desired keywords:
KEYWORDS="alpha amd64 hppa ~ia64 ppc ppc64 sparc x86 ~x86-fbsd ~ppc-macos ~x64-macos ~x86-macos"

=dev-db/phpmyadmin-4.5.5.1

Desired keywords:
KEYWORDS="alpha amd64 ~arm hppa ~ia64 ppc ppc64 sparc x86 ~x86-fbsd ~ppc-macos ~x64-macos ~x86-macos"
Comment 2 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2016-03-19 14:52:01 UTC
14:50 < gentoovcs> jmbsvicetto → repo/gentoo (dev-db/phpmyadmin/) Drop vulnerable versions - bug 576136.
Comment 3 Agostino Sarubbo gentoo-dev 2016-03-24 08:05:13 UTC
Stable for amd64/ppc/ppc64/sparc/x86
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2016-03-26 09:06:28 UTC
Stable for HPPA.
Comment 5 Tobias Klausmann (RETIRED) gentoo-dev 2016-05-20 11:57:44 UTC
Stable on alpha.
Comment 6 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2016-05-24 03:17:22 UTC
03:16 < gentoovcs> jmbsvicetto → repo/gentoo (dev-db/phpmyadmin/) dev-db/phpmyadmin: Drop vulnerable version - bug 576136.
03:16 < willikins> gentoovcs: https://bugs.gentoo.org/576136 "dev-db/phpmyadmin: multiple vulnerabilities"; Gentoo Security, Vulnerabilities; IN_P; ago:security

All affected versions were dropped from the tree.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2016-07-16 07:54:34 UTC
CVE-2016-2562 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2562):
  The checkHTTP function in libraries/Config.class.php in phpMyAdmin 4.5.x
  before 4.5.5.1 does not verify X.509 certificates from api.github.com SSL
  servers, which allows man-in-the-middle attackers to spoof these servers and
  obtain sensitive information via a crafted certificate.

CVE-2016-2561 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2561):
  Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.4.x
  before 4.4.15.5 and 4.5.x before 4.5.5.1 allow remote authenticated users to
  inject arbitrary web script or HTML via (1) normalization.php or (2)
  js/normalization.js in the database normalization page, (3)
  templates/database/structure/sortable_header.phtml in the database structure
  page, or (4) the pos parameter to db_central_columns.php in the central
  columns page.

CVE-2016-2560 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2560):
  Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x
  before 4.0.10.15, 4.4.x before 4.4.15.5, and 4.5.x before 4.5.5.1 allow
  remote attackers to inject arbitrary web script or HTML via (1) a crafted
  Host HTTP header, related to libraries/Config.class.php; (2) crafted JSON
  data, related to file_echo.php; (3) a crafted SQL query, related to
  js/functions.js; (4) the initial parameter to
  libraries/server_privileges.lib.php in the user accounts page; or (5) the it
  parameter to libraries/controllers/TableSearchController.class.php in the
  zoom search page.

CVE-2016-2559 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2559):
  Cross-site scripting (XSS) vulnerability in the format function in
  libraries/sql-parser/src/Utils/Error.php in the SQL parser in phpMyAdmin
  4.5.x before 4.5.5.1 allows remote authenticated users to inject arbitrary
  web script or HTML via a crafted query.

CVE-2016-1927 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1927):
  The suggestPassword function in js/functions.js in phpMyAdmin 4.0.x before
  4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 relies on the
  Math.random JavaScript function, which makes it easier for remote attackers
  to guess passwords via a brute-force approach.
Comment 8 Aaron Bauman (RETIRED) gentoo-dev 2016-07-16 07:59:07 UTC
GLSA Vote: No