Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2016.1805
phpmyadmin security update
25 July 2016
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: phpmyadmin
Publisher: Debian
Operating System: Debian GNU/Linux 8
Impact/Access: Denial of Service -- Remote/Unauthenticated
Cross-site Request Forgery -- Remote with User Interaction
Cross-site Scripting -- Remote with User Interaction
Access Confidential Data -- Remote/Unauthenticated
Reduced Security -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2016-5739 CVE-2016-5733 CVE-2016-5731
CVE-2016-5706 CVE-2016-5705 CVE-2016-5701
CVE-2016-5099 CVE-2016-2561 CVE-2016-2560
CVE-2016-2041 CVE-2016-2040 CVE-2016-2039
CVE-2016-1927
Reference: ESB-2016.1592
ESB-2016.0531
ESB-2016.0228
Original Bulletin:
http://www.debian.org/security/2016/dsa-3627
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3627-1 security@debian.org
https://www.debian.org/security/ Thijs Kinkhorst
July 24, 2016 https://www.debian.org/security/faq
- - -------------------------------------------------------------------------
Package : phpmyadmin
CVE ID : CVE-2016-1927 CVE-2016-2039 CVE-2016-2040 CVE-2016-2041
CVE-2016-2560 CVE-2016-2561 CVE-2016-5099 CVE-2016-5701
CVE-2016-5705 CVE-2016-5706 CVE-2016-5731 CVE-2016-5733
CVE-2016-5739
Several vulnerabilities have been fixed in phpMyAdmin, the web-based
MySQL administration interface.
CVE-2016-1927
The suggestPassword function relied on a non-secure random number
generator which makes it easier for remote attackers to guess
generated passwords via a brute-force approach.
CVE-2016-2039
CSRF token values were generated by a non-secure random number
genrator, which allows remote attackers to bypass intended access
restrictions by predicting a value.
CVE-2016-2040
Multiple cross-site scripting (XSS) vulnerabilities allow remote
authenticated users to inject arbitrary web script or HTML.
CVE-2016-2041
phpMyAdmin does not use a constant-time algorithm for comparing
CSRF tokens, which makes it easier for remote attackers to bypass
intended access restrictions by measuring time differences.
CVE-2016-2560
Multiple cross-site scripting (XSS) vulnerabilities allow remote
attackers to inject arbitrary web script or HTML.
CVE-2016-2561
Multiple cross-site scripting (XSS) vulnerabilities allow remote
attackers to inject arbitrary web script or HTML.
CVE-2016-5099
Multiple cross-site scripting (XSS) vulnerabilities allow remote
attackers to inject arbitrary web script or HTML.
CVE-2016-5701
For installations running on plain HTTP, phpMyAdmin allows remote
attackers to conduct BBCode injection attacks against HTTP sessions
via a crafted URI.
CVE-2016-5705
Multiple cross-site scripting (XSS) vulnerabilities allow remote
attackers to inject arbitrary web script or HTML.
CVE-2016-5706
phpMyAdmin allows remote attackers to cause a denial of service
(resource consumption) via a large array in the scripts parameter.
CVE-2016-5731
A cross-site scripting (XSS) vulnerability allows remote
attackers to inject arbitrary web script or HTML.
CVE-2016-5733
Multiple cross-site scripting (XSS) vulnerabilities allow remote
attackers to inject arbitrary web script or HTML.
CVE-2016-5739
A specially crafted Transformation could leak information which
a remote attacker could use to perform cross site request forgeries.
For the stable distribution (jessie), these problems have been fixed in
version 4:4.2.12-2+deb8u2.
For the unstable distribution (sid), these problems have been fixed in
version 4:4.6.3-1.
We recommend that you upgrade your phpmyadmin packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAEBCAAGBQJXlOV9AAoJEFb2GnlAHawEeSIIAJ0l/EAEpsY6FXj/kcVfPhUF
xFD28T/wbya+LfO2cNIgVkDI3ddAV89ZeiU2uwk7Umk1YwhRwOgUhrmR0u9N4SRd
Dh7Q7QitCBjzGoCTgZxcd4n2eaCSq65jjKdQ0ag2bdWUGlL6Wg1vKudzGdiVOES7
yUJrzstuglDgOHS+BmYwslY3UMcYpVmieqvxMGk1f0dVgGUu8pSjzQo78+oSWLdr
DxOENu8gUsDUsknMX+taYHE2sqJNB/jNA/tFLBt5UDyS9Snzeovc3KI+OYGsYPyv
l4ujtMgAmZkq8OOEuig99tuB4jdsZ+LxoehS59oH31zI/uUeen0w0jKURTfEMxo=
=XDB8
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBV5Vjj4x+lLeg9Ub1AQhTpg/9HhLcfz/E65fmbaD6JqMtWFytTCsEVxhS
1HApO7FMlDj4ZbLE9C5Ttex+9UsmvkPcNiTYzyaHWT/evTbhpdmFAC6MuX/QCyS8
sGL+DrUIoVnXVgS9rGzKqdnoE0ua4GDSUPidvPHK5B3T+m8UA2eDFBTN+hHPoEgJ
wyIGb92cRF1br8RpuXkGheogO3Tx9GTU4BIYQbaOUXev0Ku0wF9CugF2VzTbw0p1
Ynl9DWoFFCTJTOG7uPPQuLKgT7n+ZdVhWXlEpz44FVsT6sx4jWqYgEGY/OepOfIR
hgZWFrtu211J0J4lAAYFsNCkaBhH3QpzB2LNNN2jZ8bLipOPduJeFf814Ne990Mx
zsmOFOOkVub8hj+JbjQlhWYAw6kEq6m+xdoyoNA3maBOIVG78WRw9G3Q2RirBQ5e
SKSWPedBWyuXfjFabdMojHXMdiV9hjcPTy5/OJA2k8FnHU7IPInCaeNn5u3UnOG6
tl5QOHbPSKfnT8vPLgVKjUWAbbq3+tp23un8Ye1GXgoCQDTCf/rXGQxcm7oCDgI/
xElrDvTXfGOrz4P7IEOKU1J/EB712pKRw2sfLsoziC65YeU91euM4sbi8aqfs10C
mtMnVH/S2Zl+XkrqcxjCQk0lwF291iixvANEO8BYI7WjTTyLeFWMfc7UVe8vAiim
6Ij70NGCcvc=
=JrS3
-----END PGP SIGNATURE-----