Re: phpmyadmin / CVE-2016-9861 / PMASA-2016-66

To: debian-lts@lists.debian.org
Subject: Re: phpmyadmin / CVE-2016-9861 / PMASA-2016-66
From: Brian May <bam@debian.org>
Date: Wed, 14 Dec 2016 18:05:27 +1100
Message-id: <[🔎] 87d1gvng7c.fsf@prune.linuxpenguins.xyz>
In-reply-to: <[🔎] 87fulrnily.fsf@prune.linuxpenguins.xyz>
References: <[🔎] 877f7a3x26.fsf@prune.linuxpenguins.xyz> <[🔎] 874m2d4l3e.fsf@prune.linuxpenguins.xyz> <[🔎] 87fulrnily.fsf@prune.linuxpenguins.xyz>

Brian May <bam@debian.org> writes:

> From what I can tell, phpmyadmin may in wheezy may not be vulnerable to
> CVE-2016-9861 / PMASA-2016-66 because I can't find the vulnerable code.

Hmmm... Looks like the PMA_isAllowedDomain() function was created in
response to CVE-2016-4412 / PMASA-2016-57 which hasn't been fixed yet in
wheezy.

The included patch at
https://github.com/phpmyadmin/phpmyadmin/commit/6f413680b172ae0b25f2509f1c7bb21405e8eaf9
doesn't appear to include the vulnerability however.
-- 
Brian May <bam@debian.org>

Reply to:

Follow-Ups:
- Re: phpmyadmin / CVE-2016-9861 / PMASA-2016-66
  - From: Brian May <bam@debian.org>

References:
- phpmyadmin / PMASA-2016-60
  - From: Brian May <bam@debian.org>
- Re: phpmyadmin / PMASA-2016-60
  - From: Brian May <bam@debian.org>
- Re: phpmyadmin / CVE-2016-9861 / PMASA-2016-66
  - From: Brian May <bam@debian.org>

Prev by Date: Re: phpmyadmin / CVE-2016-9861 / PMASA-2016-66
Next by Date: Re: Additional 9pfs issue in qemu
Previous by thread: Re: phpmyadmin / CVE-2016-9861 / PMASA-2016-66
Next by thread: Re: phpmyadmin / CVE-2016-9861 / PMASA-2016-66
Index(es):
- Date
- Thread