Hi Thijs and LTS team

I have prepared a security update of phpmyadmin for wheezy.

The prepared packages are available here:
http://apt.inguza.net/wheezy-security/phpmyadmin

For more information see here:
https://security-tracker.debian.org/tracker/source-package/phpmyadmin

The debdiff is available in the same place:
http://apt.inguza.net/wheezy-security/phpmyadmin/phpmyadmin.debdiff

I have corrected the following problems by backporting the patches given by upstream (you can find the upstream reference in the patch file in the debdiff above):

CVE-2016-5731
    With a specially crafted request, it is possible to trigger an XSS attack through the example OpenID authentication script.

CVE-2016-5739
    A vulnerability was reported where a specially crafted Transformation could be used to leak information including the authentication token. This could be used to direct a CSRF attack against a user.

I have also partially corrected CVE-2016-5733. I have corrected all parts that I could find as applicable.

- [vulnerable code not present] A vulnerability was reported allowing a specially crafted table name to cause an XSS attack through the functionality to check database privileges.
- [patched even though this really requires root privileges to use] A vulnerability was reported allowing a specifically-configured MySQL server to execute an XSS attack. This particular attack requires configuring the MySQL server log_bin directive with the payload.
- [patched partially, for the rest I can not see vulnerable code] Several XSS vulnerabilities were found with the Transformation feature
- [vulnerable code not present] Several XSS vulnerabilities were found in AJAX error handling
- [vulnerable code not present] Several XSS vulnerabilities were found in the Designer feature
- [vulnerable code not present] An XSS vulnerability was found in the charts feature
- [vulnerable code not present] An XSS vulnerability was found in the zoom search feature

I have also updated the security tracker based on the following findings.

CVE-2016-5703 PMASA-2016-19
    Vulnerable code not present.
CVE-2016-5704 PMASA-2016-20
    Vulnerable code not present.
CVE-2016-5705 PMASA-2016-21
    Vulnerable code not present.
CVE-2016-5706 PMASA-2016-22
    Vulnerable code not present.
CVE-2016-5732 PMASA-2016-25
    Vulnerable code not present.
CVE-2016-5734 PMASA-2016-27
    Vulnerable code present but the vulnerability is only possible to exploit using a php version that is prior to the one that exists in wheezy.

The same applies to jessie so I was kind enough to mark that too. I hope you do not mind.

I have regression tested the package but I have not explicitly tried to exploit the vulnerabilities. Or rather I have tried some of it but I failed also with the old version so I guess it was not trivial to do. In any case the corrected package seems to work fine with basic operations like viewing and updating things.

If there are no objections I will upload the corrected package to wheezy-security in four days, that is on Thursday next week.

Best regards

// Ola

-- 
 --------------------- Ola Lundqvist ---------------------------
/  [email protected]                   Folkebogatan 26            \
|  [email protected]                   654 68 KARLSTAD            |
|  http://inguza.com/                +46 (0)70-332 1551         |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------
