Hello community,

here is the log from the commit of package patchinfo.5525 for 
openSUSE:13.2:Update checked in at 2016-08-29 07:55:53
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.2:Update/patchinfo.5525 (Old)
 and      /work/SRC/openSUSE:13.2:Update/.patchinfo.5525.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "patchinfo.5525"

Changes:
--------
New Changes file:

NO CHANGES FILE!!!

New:
----
  _patchinfo

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ _patchinfo ++++++
<patchinfo incident="5525">
  <issue id="994313" tracker="bnc">VUL-0: phpMyAdmin 4.0.10.17, 4.4.15.8, and 4.6.4 releases</issue>
  <issue id="2016-6606" tracker="cve" />
  <issue id="2016-6630" tracker="cve" />
  <issue id="2016-6631" tracker="cve" />
  <issue id="2016-6618" tracker="cve" />
  <issue id="2016-6619" tracker="cve" />
  <issue id="2016-6616" tracker="cve" />
  <issue id="2016-6617" tracker="cve" />
  <issue id="2016-6614" tracker="cve" />
  <issue id="2016-6615" tracker="cve" />
  <issue id="2016-6612" tracker="cve" />
  <issue id="2016-6613" tracker="cve" />
  <issue id="2016-6610" tracker="cve" />
  <issue id="2016-6611" tracker="cve" />
  <issue id="2016-6626" tracker="cve" />
  <issue id="2016-6609" tracker="cve" />
  <issue id="2016-6608" tracker="cve" />
  <issue id="2016-6623" tracker="cve" />
  <issue id="2016-6622" tracker="cve" />
  <issue id="2016-6621" tracker="cve" />
  <issue id="2016-6620" tracker="cve" />
  <issue id="2016-6627" tracker="cve" />
  <issue id="2016-6632" tracker="cve" />
  <issue id="2016-6625" tracker="cve" />
  <issue id="2016-6624" tracker="cve" />
  <issue id="2016-6607" tracker="cve" />
  <issue id="2016-6633" tracker="cve" />
  <issue id="2016-6628" tracker="cve" />
  <issue id="2016-6629" tracker="cve" />
  <category>security</category>
  <rating>important</rating>
  <packager>computersalat</packager>
  <description>
phpMyAdmin was updated to version 4.4.15.8 (2016-08-16) to fix the following 
issues:

- Upstream changelog for 4.4.15.8:
  * Improve session cookie code for openid.php and signon.php example
     files
  * Full path disclosure in openid.php and signon.php example files
  * Unsafe generation of BlowfishSecret (when not supplied by the user)
  * Referrer leak when phpinfo is enabled
  * Use HTTPS for wiki links
  * Improve SSL certificate handling
  * Fix full path disclosure in debugging code
  * Administrators could trigger SQL injection attack against users
- other fixes
  * Remove Swekey support
- Security fixes:
  https://www.phpmyadmin.net/security/
  * Weaknesses with cookie encryption
     see PMASA-2016-29 (CVE-2016-6606, CWE-661)
  * Multiple XSS vulnerabilities
     see PMASA-2016-30 (CVE-2016-6607, CWE-661)
  * Multiple XSS vulnerabilities
     see PMASA-2016-31 (CVE-2016-6608, CWE-661)
  * PHP code injection
     see PMASA-2016-32 (CVE-2016-6609, CWE-661)
  * Full path disclosure
     see PMASA-2016-33 (CVE-2016-6610, CWE-661)
  * SQL injection attack
     see PMASA-2016-34 (CVE-2016-6611, CWE-661)
  * Local file exposure through LOAD DATA LOCAL INFILE
     see PMASA-2016-35 (CVE-2016-6612, CWE-661)
  * Local file exposure through symlinks with UploadDir
     see PMASA-2016-36 (CVE-2016-6613, CWE-661)
  * Path traversal with SaveDir and UploadDir
     see PMASA-2016-37 (CVE-2016-6614, CWE-661)
  * Multiple XSS vulnerabilities
     see PMASA-2016-38 (CVE-2016-6615, CWE-661)
  * SQL injection vulnerability as control user
     see PMASA-2016-39 (CVE-2016-6616, CWE-661)
  * SQL injection vulnerability
     see PMASA-2016-40 (CVE-2016-6617, CWE-661)
  * Denial-of-service attack through transformation feature
     see PMASA-2016-41 (CVE-2016-6618, CWE-661)
  * SQL injection vulnerability as control user
     see PMASA-2016-42 (CVE-2016-6619, CWE-661)
  * Verify data before unserializing
     see PMASA-2016-43 (CVE-2016-6620, CWE-661)
  * SSRF in setup script
     see PMASA-2016-44 (CVE-2016-6621, CWE-661)
  * Denial-of-service attack with
     $cfg['AllowArbitraryServer'] = true and persistent connections
     see PMASA-2016-45 (CVE-2016-6622, CWE-661)
  * Denial-of-service attack by using for loops
     see PMASA-2016-46 (CVE-2016-6623, CWE-661)
  * Possible circumvention of IP-based allow/deny rules with IPv6 and
     proxy server
     see PMASA-2016-47 (CVE-2016-6624, CWE-661)
  * Detect if user is logged in
     see PMASA-2016-48 (CVE-2016-6625, CWE-661)
  * Bypass URL redirection protection
     see PMASA-2016-49 (CVE-2016-6626, CWE-661)
  * Referrer leak
     see PMASA-2016-50 (CVE-2016-6627, CWE-661)
  * Reflected File Download
     see PMASA-2016-51 (CVE-2016-6628, CWE-661)
  * ArbitraryServerRegexp bypass
     see PMASA-2016-52 (CVE-2016-6629, CWE-661)
  * Denial-of-service attack by entering long password
     see PMASA-2016-53 (CVE-2016-6630, CWE-661)
  * Remote code execution vulnerability when running as CGI
     see PMASA-2016-54 (CVE-2016-6631, CWE-661)
  * Denial-of-service attack when PHP uses dbase extension
     see PMASA-2016-55 (CVE-2016-6632, CWE-661)
  * Remote code execution vulnerability when PHP uses dbase extension
     see PMASA-2016-56 (CVE-2016-6633, CWE-661)
</description>
  <summary>Security update for phpMyAdmin</summary>
</patchinfo>