phpmyadmin security update

To: debian-lts-announce@lists.debian.org
Subject: phpmyadmin security update
From: Thijs Kinkhorst <thijs@debian.org>
Date: Wed, 9 Jul 2014 21:24:32 +0200
Message-id: <[🔎] 201407092124.33163.thijs@debian.org>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

Package        : phpmyadmin
Version        : 4:3.3.7-8
CVE ID         : CVE-2013-3239 CVE-2013-4995 CVE-2013-4996 CVE-2013-5003

Several vulnerabilities have been discovered in phpMyAdmin, a tool to
administer MySQL over the web. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2013-3239

    Authenticated users could execute arbitrary code, when a SaveDir
    directory is configured and Apache HTTP Server has the mod_mime
    module enabled, by employing double filename extensions.

CVE-2013-4995

    Authenticatd users could inject arbitrary web script or HTML
    via a crafted SQL query.

CVE-2013-4996

    Cross site scripting was possible via a crafted logo URL in
    the navigation panel or a crafted entry in the Trusted Proxy list.

CVE-2013-5003

    Authenticated users could execute arbitrary SQL commands as
    the phpMyAdmin 'control user' via the scale parameter of PMD PDF
    export.

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to:

Prev by Date: tiff security update
Next by Date: linux-2.6 update
Previous by thread: tiff security update
Next by thread: linux-2.6 update
Index(es):
- Date
- Thread