[Bug 906486] New: VUL-0: CVE-2014-8959: phpMyAdmin: Local file inclusion vulnerability.
http://bugzilla.novell.com/show_bug.cgi?id=906486

Bug ID: 906486
Summary: VUL-0: CVE-2014-8959: phpMyAdmin: Local file inclusion vulnerability.
Classification: openSUSE
Product: openSUSE Distribution
Version: 13.2
Hardware: All
URL: http://www.phpmyadmin.net/home_page/security/PMASA-2014-14.php
OS: openSUSE 13.2
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: Andreas.Stieger@gmx.de
QA Contact: qa-bugs@suse.de
CC: chris@computersalat.de, ecsos@schirra.net, security-team@suse.de
Found By: ---
Blocker: ---

http://www.phpmyadmin.net/home_page/security/PMASA-2014-14.php

Announcement-ID: PMASA-2014-14
Date: 2014-11-20

Summary: Local file inclusion vulnerability.

In the GIS editor feature, a parameter specifying the geometry type was not correctly validated, opening the door to a local file inclusion attack.

Severity
We consider this vulnerability to be serious.

Mitigation factor
This vulnerability can be triggered only by someone who is logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required page.

Affected Versions
Versions 4.0.x (prior to 4.0.10.6), 4.1.x (prior to 4.1.14.7) and 4.2.x (prior to 4.2.12) are affected.

Solution
Upgrade to phpMyAdmin 4.0.10.6 or newer, or 4.1.14.7 or newer, or 4.2.12 or newer, or apply the patch listed below.

References
Thanks to Johannes Dahse (https://twitter.com/FluxReiners) for reporting this vulnerability.
Assigned CVE ids: CVE-2014-8959
CWE ids: CWE-661 CWE-98

Patches
The following commits have been made to fix this issue: 80cd40b6687a6717860d345d6eb55bef2908e961
The following commits have been made on the 4.1 branch to fix this issue: 59557b51362edc5eee024f3f2912a9d598e42763
The following commits have been made on the 4.0 branch to fix this issue: 2e3f0b9457b3c8f78beb864120bd9d55617a11b5

--
You are receiving this mail because: You are on the CC list for the bug.
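The kind of validation the advisory's summary refers to, as an added illustration that is not code from phpMyAdmin or from the fix commits listed above: a request-supplied geometry type is used only as a key into a fixed table, so it never becomes part of a file path. The function name, directory layout and file names are assumptions; the type names are the standard MySQL spatial types.

```php
<?php
declare(strict_types=1);

// Hypothetical layout: one class file per geometry type under this directory.
const GIS_CLASS_DIR = __DIR__ . '/gis';

// Fixed allowlist: spatial type name => file name chosen by the developer.
const GIS_TYPE_FILES = [
    'POINT'              => 'Point.php',
    'LINESTRING'         => 'LineString.php',
    'POLYGON'            => 'Polygon.php',
    'MULTIPOINT'         => 'MultiPoint.php',
    'MULTILINESTRING'    => 'MultiLineString.php',
    'MULTIPOLYGON'       => 'MultiPolygon.php',
    'GEOMETRYCOLLECTION' => 'GeometryCollection.php',
];

/**
 * Resolve a request-supplied geometry type to a class file path, or null.
 * The request value is only a lookup key; the path is built solely from
 * constants, so separators or dots in the input cannot reach the include.
 */
function gisClassFile($requestedType): ?string
{
    if (!is_string($requestedType)) {
        return null; // arrays and other non-strings are rejected outright
    }
    $key = strtoupper($requestedType);
    if (!array_key_exists($key, GIS_TYPE_FILES)) {
        return null; // unknown type: the caller should fail the request
    }
    return GIS_CLASS_DIR . '/' . GIS_TYPE_FILES[$key];
}

// Constructed sample inputs, as they might arrive in a request parameter.
$samples = ['polygon', 'MULTIPOINT', '../../some/other/file', ['POINT'], ''];
foreach ($samples as $input) {
    $path = gisClassFile($input);
    printf(
        "%-28s => %s\n",
        json_encode($input, JSON_UNESCAPED_SLASHES),
        $path === null ? 'rejected' : $path
    );
}
```

Only the two valid type names resolve to a path; the other three sample inputs are rejected before any file operation would take place.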
--- Comment #1 from Bernhard Wiedemann
Andreas Stieger
Andreas Stieger
--- Comment #3 from Bernhard Wiedemann
Swamp Workflow Management
Swamp Workflow Management
Marcus Meissner
--- Comment #5 from Swamp Workflow Management