Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2016.1805 phpmyadmin security update 25 July 2016 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: phpmyadmin Publisher: Debian Operating System: Debian GNU/Linux 8 Impact/Access: Denial of Service -- Remote/Unauthenticated Cross-site Request Forgery -- Remote with User Interaction Cross-site Scripting -- Remote with User Interaction Access Confidential Data -- Remote/Unauthenticated Reduced Security -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2016-5739 CVE-2016-5733 CVE-2016-5731 CVE-2016-5706 CVE-2016-5705 CVE-2016-5701 CVE-2016-5099 CVE-2016-2561 CVE-2016-2560 CVE-2016-2041 CVE-2016-2040 CVE-2016-2039 CVE-2016-1927 Reference: ESB-2016.1592 ESB-2016.0531 ESB-2016.0228 Original Bulletin: http://www.debian.org/security/2016/dsa-3627 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 - - ------------------------------------------------------------------------- Debian Security Advisory DSA-3627-1 security@debian.org https://www.debian.org/security/ Thijs Kinkhorst July 24, 2016 https://www.debian.org/security/faq - - ------------------------------------------------------------------------- Package : phpmyadmin CVE ID : CVE-2016-1927 CVE-2016-2039 CVE-2016-2040 CVE-2016-2041 CVE-2016-2560 CVE-2016-2561 CVE-2016-5099 CVE-2016-5701 CVE-2016-5705 CVE-2016-5706 CVE-2016-5731 CVE-2016-5733 CVE-2016-5739 Several vulnerabilities have been fixed in phpMyAdmin, the web-based MySQL administration interface. CVE-2016-1927 The suggestPassword function relied on a non-secure random number generator which makes it easier for remote attackers to guess generated passwords via a brute-force approach. CVE-2016-2039 CSRF token values were generated by a non-secure random number genrator, which allows remote attackers to bypass intended access restrictions by predicting a value. CVE-2016-2040 Multiple cross-site scripting (XSS) vulnerabilities allow remote authenticated users to inject arbitrary web script or HTML. CVE-2016-2041 phpMyAdmin does not use a constant-time algorithm for comparing CSRF tokens, which makes it easier for remote attackers to bypass intended access restrictions by measuring time differences. CVE-2016-2560 Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML. CVE-2016-2561 Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML. CVE-2016-5099 Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML. CVE-2016-5701 For installations running on plain HTTP, phpMyAdmin allows remote attackers to conduct BBCode injection attacks against HTTP sessions via a crafted URI. CVE-2016-5705 Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML. CVE-2016-5706 phpMyAdmin allows remote attackers to cause a denial of service (resource consumption) via a large array in the scripts parameter. CVE-2016-5731 A cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML. CVE-2016-5733 Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML. CVE-2016-5739 A specially crafted Transformation could leak information which a remote attacker could use to perform cross site request forgeries. For the stable distribution (jessie), these problems have been fixed in version 4:4.2.12-2+deb8u2. For the unstable distribution (sid), these problems have been fixed in version 4:4.6.3-1. We recommend that you upgrade your phpmyadmin packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBCAAGBQJXlOV9AAoJEFb2GnlAHawEeSIIAJ0l/EAEpsY6FXj/kcVfPhUF xFD28T/wbya+LfO2cNIgVkDI3ddAV89ZeiU2uwk7Umk1YwhRwOgUhrmR0u9N4SRd Dh7Q7QitCBjzGoCTgZxcd4n2eaCSq65jjKdQ0ag2bdWUGlL6Wg1vKudzGdiVOES7 yUJrzstuglDgOHS+BmYwslY3UMcYpVmieqvxMGk1f0dVgGUu8pSjzQo78+oSWLdr DxOENu8gUsDUsknMX+taYHE2sqJNB/jNA/tFLBt5UDyS9Snzeovc3KI+OYGsYPyv l4ujtMgAmZkq8OOEuig99tuB4jdsZ+LxoehS59oH31zI/uUeen0w0jKURTfEMxo= =XDB8 - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBV5Vjj4x+lLeg9Ub1AQhTpg/9HhLcfz/E65fmbaD6JqMtWFytTCsEVxhS 1HApO7FMlDj4ZbLE9C5Ttex+9UsmvkPcNiTYzyaHWT/evTbhpdmFAC6MuX/QCyS8 sGL+DrUIoVnXVgS9rGzKqdnoE0ua4GDSUPidvPHK5B3T+m8UA2eDFBTN+hHPoEgJ wyIGb92cRF1br8RpuXkGheogO3Tx9GTU4BIYQbaOUXev0Ku0wF9CugF2VzTbw0p1 Ynl9DWoFFCTJTOG7uPPQuLKgT7n+ZdVhWXlEpz44FVsT6sx4jWqYgEGY/OepOfIR hgZWFrtu211J0J4lAAYFsNCkaBhH3QpzB2LNNN2jZ8bLipOPduJeFf814Ne990Mx zsmOFOOkVub8hj+JbjQlhWYAw6kEq6m+xdoyoNA3maBOIVG78WRw9G3Q2RirBQ5e SKSWPedBWyuXfjFabdMojHXMdiV9hjcPTy5/OJA2k8FnHU7IPInCaeNn5u3UnOG6 tl5QOHbPSKfnT8vPLgVKjUWAbbq3+tp23un8Ye1GXgoCQDTCf/rXGQxcm7oCDgI/ xElrDvTXfGOrz4P7IEOKU1J/EB712pKRw2sfLsoziC65YeU91euM4sbi8aqfs10C mtMnVH/S2Zl+XkrqcxjCQk0lwF291iixvANEO8BYI7WjTTyLeFWMfc7UVe8vAiim 6Ij70NGCcvc= =JrS3 -----END PGP SIGNATURE-----