Bug 964024 - VUL-0: phpMyAdmin: Multiple vulnerabilities
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: openSUSE 42.1
Priority: P5 - None
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
Whiteboard: CVSSv2:RedHat:CVE-2016-2043:4.3:(AV:N...
Depends on:
Blocks:

Reported: 2016-01-28 16:31 UTC by Johannes Segitz
Modified: 2016-02-08 13:12 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Johannes Segitz 2016-01-28 16:31:18 UTC
https://www.phpmyadmin.net/security/PMASA-2016-1/
CVE-2016-2038, Multiple full path disclosure vulnerabilities.

https://www.phpmyadmin.net/security/PMASA-2016-2/
CVE-2016-2039, Unsafe generation of XSRF/CSRF token.

https://www.phpmyadmin.net/security/PMASA-2016-3/
CVE-2016-2040, Multiple XSS vulnerabilities.

https://www.phpmyadmin.net/security/PMASA-2016-4/
CVE-2016-1927, Insecure password generation in JavaScript.

https://www.phpmyadmin.net/security/PMASA-2016-5/
CVE-2016-2041, Unsafe comparison of XSRF/CSRF token.

https://www.phpmyadmin.net/security/PMASA-2016-6/
CVE-2016-2042, Multiple full path disclosure vulnerabilities.

https://www.phpmyadmin.net/security/PMASA-2016-7/
CVE-2016-2043, XSS vulnerability in normalization page.

https://www.phpmyadmin.net/security/PMASA-2016-8/
CVE-2016-2044, Full path disclosure vulnerability in SQL parser.

https://www.phpmyadmin.net/security/PMASA-2016-9/
CVE-2016-2045, XSS vulnerability in SQL editor.
Comment 1 Andreas Stieger 2016-01-28 16:43:52 UTC
(In reply to Johannes Segitz from comment #0)
> https://www.phpmyadmin.net/security/PMASA-2016-5/
> CVE-2016-2041, Unsafe comparison of XSRF/CSRF token.
"We consider this vulnerability to be serious."
Comment 2 Johannes Segitz 2016-01-28 16:48:12 UTC
(In reply to Andreas Stieger from comment #1)
I read that and considered increasing the severity, but it is a timing attack against XSRF/CSRF tokens. I don't think this justifies the increase.
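What an early-exit token comparison leaks, and why it is an oracle and not just noise, as an added example that is not phpMyAdmin's code and not part of the thread. It assumes a 16-character hex token, and it models the timing difference as the number of bytes the comparison examines (a deterministic stand-in for the wall-clock jitter a remote attacker would have to average out over many requests); the function names and the sample token are constructed for the example.

```python
import hmac
import secrets
from typing import Callable, Tuple

TOKEN_ALPHABET = "0123456789abcdef"   # assumption: a hex token
Oracle = Callable[[str], Tuple[bool, int]]


def leaky_compare(expected: str, given: str) -> Tuple[bool, int]:
    """Early-exit comparison, the shape of PHP's == on strings or memcmp.

    Returns (equal, bytes_examined). The count stands in for timing: one more
    byte of work for every correct leading byte of the guess."""
    if len(expected) != len(given):
        return False, 0
    examined = 0
    for a, b in zip(expected, given):
        examined += 1
        if a != b:
            return False, examined
    return True, examined


def constant_time_compare(expected: str, given: str) -> Tuple[bool, int]:
    """Comparison whose work does not depend on where the first mismatch is.

    Instrumented the same way so the attack below can be run against it.
    The equality itself comes from hmac.compare_digest (the PHP equivalent is
    hash_equals); every byte is always examined, so the count is constant."""
    if len(expected) != len(given):
        return False, 0
    equal = hmac.compare_digest(expected.encode(), given.encode())
    return equal, len(expected)


def recover_token(oracle: Oracle, length: int) -> str:
    """Recover the token one character at a time: keep whichever candidate
    makes the oracle do the most work (it matched one more leading byte)."""
    known = ""
    for pos in range(length):
        best_char, best_cost = TOKEN_ALPHABET[0], -1
        for c in TOKEN_ALPHABET:
            # pad the remainder with a byte that cannot occur in a hex token,
            # so the comparison stops right after the character under test
            probe = known + c + "\x00" * (length - pos - 1)
            ok, cost = oracle(probe)
            if ok:                      # only possible at the last position
                return known + c
            if cost > best_cost:
                best_char, best_cost = c, cost
        known += best_char
    return known


def run_attack(secret_token: str, compare) -> Tuple[str, int]:
    """Drive recover_token against `compare`; returns (recovered, oracle queries)."""
    queries = 0

    def oracle(probe: str) -> Tuple[bool, int]:
        nonlocal queries
        queries += 1
        return compare(secret_token, probe)

    return recover_token(oracle, len(secret_token)), queries


if __name__ == "__main__":
    token = secrets.token_hex(8)          # 16 hex characters, fresh each run
    for name, fn in (("early-exit", leaky_compare),
                     ("constant-time", constant_time_compare)):
        recovered, n = run_attack(token, fn)
        print(f"{name:14s} recovered={recovered == token} queries={n} "
              f"(brute force: 16**{len(token)} = {16 ** len(token)})")
```

Against the early-exit comparison the token falls in at most 16 guesses per character, 256 oracle queries instead of 16**16; against the constant-time version the attacker learns nothing from the cost and is back to guessing the whole token. Whether the 256-query figure is reachable in practice depends on how cleanly the per-byte difference can be measured over the network, which is the point Johannes makes about severity above.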
Comment 3 Andreas Stieger 2016-01-28 18:34:37 UTC
All submitted.
Comment 4 Bernhard Wiedemann 2016-01-28 19:00:16 UTC
This is an autogenerated message for OBS integration:
This bug (964024) was mentioned in
https://build.opensuse.org/request/show/356588 42.1+13.2 / phpMyAdmin
https://build.opensuse.org/request/show/356589 13.1 / phpMyAdmin
Comment 5 Andreas Stieger 2016-02-07 14:20:12 UTC
release
Comment 6 Swamp Workflow Management 2016-02-07 18:11:17 UTC
openSUSE-SU-2016:0357-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 964024
CVE References: CVE-2016-1927,CVE-2016-2038,CVE-2016-2039,CVE-2016-2040,CVE-2016-2041,CVE-2016-2042,CVE-2016-2043
Sources used:
openSUSE Leap 42.1 (src):    phpMyAdmin-4.4.15.4-13.1
openSUSE 13.2 (src):    phpMyAdmin-4.4.15.4-27.1
Comment 7 Swamp Workflow Management 2016-02-08 13:12:32 UTC
openSUSE-SU-2016:0378-1: An update that fixes 7 vulnerabilities is now available.

Category: security (moderate)
Bug References: 964024
CVE References: CVE-2016-1927,CVE-2016-2038,CVE-2016-2039,CVE-2016-2040,CVE-2016-2041,CVE-2016-2042,CVE-2016-2043
Sources used:
openSUSE 13.1 (src):    phpMyAdmin-4.4.15.4-46.1