https://www.phpmyadmin.net/security/PMASA-2016-10/ https://www.phpmyadmin.net/security/PMASA-2016-11/ https://www.phpmyadmin.net/security/PMASA-2016-12/ https://www.phpmyadmin.net/security/PMASA-2016-13/
14:36 < gentoovcs> jmbsvicetto → repo/gentoo (dev-db/phpmyadmin/) Security bump to versions 4.0.10.15, 4.4.15.5 and 4.5.5.1 (PMASA-2016-10, PMASA-2016-11, PMASA-2016-12 and PMASA-2016-13) - bug 576136.
14:36 < willikins> gentoovcs: https://bugs.gentoo.org/576136 "dev-db/phpmyadmin: multiple vulnerabilities"; Gentoo Security, Vulnerabilities; IN_P; ago:security
@arch teams: Can you please add stable keywords for
=dev-db/phpmyadmin-4.0.10.15
=dev-db/phpmyadmin-4.4.15.5
Desired keywords: KEYWORDS="alpha amd64 hppa ~ia64 ppc ppc64 sparc x86 ~x86-fbsd ~ppc-macos ~x64-macos ~x86-macos"
=dev-db/phpmyadmin-4.5.5.1
Desired keywords: KEYWORDS="alpha amd64 ~arm hppa ~ia64 ppc ppc64 sparc x86 ~x86-fbsd ~ppc-macos ~x64-macos ~x86-macos"
14:50 < gentoovcs> jmbsvicetto → repo/gentoo (dev-db/phpmyadmin/) Drop vulnerable versions - bug 576136.
Stable for amd64/ppc/ppc64/sparc/x86
Stable for HPPA.
Stable on alpha.
03:16 < gentoovcs> jmbsvicetto → repo/gentoo (dev-db/phpmyadmin/) dev-db/phpmyadmin: Drop vulnerable version - bug 576136.
03:16 < willikins> gentoovcs: https://bugs.gentoo.org/576136 "dev-db/phpmyadmin: multiple vulnerabilities"; Gentoo Security, Vulnerabilities; IN_P; ago:security
All affected versions were dropped from the tree.
CVE-2016-2562 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2562): The checkHTTP function in libraries/Config.class.php in phpMyAdmin 4.5.x before 4.5.5.1 does not verify X.509 certificates from api.github.com SSL servers, which allows man-in-the-middle attackers to spoof these servers and obtain sensitive information via a crafted certificate.
CVE-2016-2561 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2561): Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.4.x before 4.4.15.5 and 4.5.x before 4.5.5.1 allow remote authenticated users to inject arbitrary web script or HTML via (1) normalization.php or (2) js/normalization.js in the database normalization page, (3) templates/database/structure/sortable_header.phtml in the database structure page, or (4) the pos parameter to db_central_columns.php in the central columns page.
CVE-2016-2560 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2560): Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.15, 4.4.x before 4.4.15.5, and 4.5.x before 4.5.5.1 allow remote attackers to inject arbitrary web script or HTML via (1) a crafted Host HTTP header, related to libraries/Config.class.php; (2) crafted JSON data, related to file_echo.php; (3) a crafted SQL query, related to js/functions.js; (4) the initial parameter to libraries/server_privileges.lib.php in the user accounts page; or (5) the it parameter to libraries/controllers/TableSearchController.class.php in the zoom search page.
CVE-2016-2559 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2559): Cross-site scripting (XSS) vulnerability in the format function in libraries/sql-parser/src/Utils/Error.php in the SQL parser in phpMyAdmin 4.5.x before 4.5.5.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted query.
CVE-2016-1927 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1927): The suggestPassword function in js/functions.js in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 relies on the Math.random JavaScript function, which makes it easier for remote attackers to guess passwords via a brute-force approach.
GLSA Vote: No