[SECURITY] [DLA 2154-1] phpmyadmin security update

To: "debian-lt >> Debian LTS" <debian-lts@lists.debian.org>
Subject: [SECURITY] [DLA 2154-1] phpmyadmin security update
From: Utkarsh Gupta <utkarsh@debian.org>
Date: Sun, 22 Mar 2020 22:50:20 +0530
Message-id: <[🔎] 2fa4e8ec-195f-4215-5082-ace29117d3fc@debian.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : phpmyadmin
Version        : 4:4.2.12-2+deb8u9
CVE ID         : CVE-2020-10802 CVE-2020-10803
Debian Bug     : 954665 954666


The following packages CVE(s) were reported against phpmyadmin.

CVE-2020-10802

    In phpMyAdmin 4.x before 4.9.5, a SQL injection vulnerability
    has been discovered where certain parameters are not properly
    escaped when generating certain queries for search actions in
    libraries/classes/Controllers/Table/TableSearchController.php.
    An attacker can generate a crafted database or table name. The
    attack can be performed if a user attempts certain search
    operations on the malicious database or table.

CVE-2020-10803

    In phpMyAdmin 4.x before 4.9.5, a SQL injection vulnerability
    was discovered where malicious code could be used to trigger
    an XSS attack through retrieving and displaying results (in
    tbl_get_field.php and libraries/classes/Display/Results.php).
    The attacker must be able to insert crafted data into certain
    database tables, which when retrieved (for instance, through the
    Browse tab) can trigger the XSS attack.

For Debian 8 "Jessie", these problems have been fixed in version
4:4.2.12-2+deb8u9.

We recommend that you upgrade your phpmyadmin packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


Best,
Utkarsh
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEbJ0QSEqa5Mw4X3xxgj6WdgbDS5YFAl53nlAACgkQgj6WdgbD
S5YTRhAAif/0e6UmAGC0Idq2a0PHN0kjHxQSfAf0dEDuzQDD2S2z2M5zGNpx8vWd
ezLXb8JkdRugRH9o+cwZprTXfjNVDXOUai6dwO8i4CUm8hPdAckY8GeJEKg2gpyK
AwgHkk11ojsSnkgeczCXFvqGRw+FFQECzVFuXIEiJae1poaCSuNhjqSAjQir1Lj8
TMefZQ0ClE/5xhMN2SswRDFf1tRKQChIJlGI1ElhytzZAq4J0UmJx8ejrot63I8N
xdSc83qk0ncALiVew/gM3axDl6LQjU2Y5xerFZrCHfD5qToyEPnqAkwhGAB+d4MH
QK1Y5XY2GJTK7LWvdRqYUT7bOOmYSFtMdLlP6LnJpFRIOyYW4vWD5SCHugLrOlBv
ozY1YJQ/qL3s0+JmY3sJU8kgRy9LV1MJpD9nh3jbS+V9vk6cN2z8/TBkuiA0loPo
oh8Mc5T9OGcc9R+mrwMcduO5EWk9CPZ9enxN7AJj50bdiQMB1kQBIzZd1E35g+jZ
QmnxWOVSoGUUW7uB1xmLT35UluhZeer9i4eQU41ID1yQJMujldPTC3MM8ntFpdrN
8zaqq4QVZz+dm9Ci/eCaWnenRs8BWuM3cKVJLwpJTCUqss7HvTvOnp/LzmMp7gL4
QkF8Go9LODJuvy/5bWDBtD+mInTngrzu+VGbvRkAEsHsv7cAAeI=
=3V8l
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: Re: Xen update request and status
Next by Date: Re: [SECURITY] [DLA 2154-1] phpmyadmin security update
Previous by thread: Re: Fixing minor/unimportant issues via DLA on demand
Next by thread: Re: [SECURITY] [DLA 2154-1] phpmyadmin security update
Index(es):
- Date
- Thread