openSUSE-RU-2022:0032-1: Security update for phpMyAdmin
   openSUSE Recommended Update: Security update for phpMyAdmin
______________________________________________________________________________

Announcement ID:    openSUSE-RU-2022:0032-1
Rating:             low
References:         #1195017
Affected Products:
                    SUSE Linux Enterprise High Performance Computing 12
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Server 12-SP3
                    SUSE Linux Enterprise Server 12-SP4
                    SUSE Linux Enterprise Server 12-SP5
                    SUSE Linux Enterprise Server for SAP Applications 12
                    SUSE Linux Enterprise Server for SAP Applications 12-SP3
                    SUSE Linux Enterprise Server for SAP Applications 12-SP4
                    SUSE Linux Enterprise Server for SAP Applications 12-SP5
                    SUSE Package Hub for SUSE Linux Enterprise 12
                    openSUSE Backports SLE-15-SP1
                    openSUSE Backports SLE-15-SP2
                    openSUSE Backports SLE-15-SP3
______________________________________________________________________________

   An update that fixes one vulnerability is now available.

Description:

   phpMyAdmin was updated to fix:

   * CVE-2022-23807: Fixed Two factor authentication bypass (boo#1195017,
     PMASA-2022-1, CWE-661)
   * Add a new configuration directive $cfg['URLQueryEncryption'] to allow
     encrypting sensitive information in the URL to prevent disclosure.
     Thanks to Rich Grimes for suggesting this improvement
   * Add a new configuration directive
     $cfg['Servers'][$i]['hide_connection_errors'] to allow hiding the full
     error message when a log on attempt fails, which can leak hostnames or
     IP addresses of the target database server.

Patch Instructions:

   To install this openSUSE Recommended Update use the SUSE recommended
   installation methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Backports SLE-15-SP3:

      zypper in -t patch openSUSE-2022-32=1

   - openSUSE Backports SLE-15-SP2:

      zypper in -t patch openSUSE-2022-32=1

   - openSUSE Backports SLE-15-SP1:

      zypper in -t patch openSUSE-2022-32=1

   - SUSE Package Hub for SUSE Linux Enterprise 12:

      zypper in -t patch openSUSE-2022-32=1

Package List:

   - openSUSE Backports SLE-15-SP3 (noarch):

      phpMyAdmin-4.9.8-bp153.2.3.1

   - openSUSE Backports SLE-15-SP2 (noarch):

      phpMyAdmin-4.9.8-bp152.2.9.1

   - openSUSE Backports SLE-15-SP1 (noarch):

      phpMyAdmin-4.9.8-bp151.3.27.1

   - SUSE Package Hub for SUSE Linux Enterprise 12 (noarch):

      phpMyAdmin-4.9.8-55.1

References:

   https://www.suse.com/security/cve/CVE-2022-23807.html
   https://bugzilla.suse.com/1195017
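
A post-patch check for the update above, as an added example that is not part of the advisory or of phpMyAdmin: it confirms the installed version is at least the 4.9.8 from the package list and that the two new directives are set to true in the configuration. The function names and the config path in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not part of the advisory. Usage (config path is an assumption):
#   sh pma_audit.sh "$(rpm -q --qf '%{VERSION}' phpMyAdmin)" /etc/phpMyAdmin/config.inc.php

FIXED_VERSION="4.9.8"   # package version listed in the advisory

# version_ge A B: succeed when dotted numeric version A >= B.
# Expects numeric components only (the RPM VERSION, not VERSION-RELEASE).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
    done
    return 0
}

# directive_enabled FILE NAME: succeed when an uncommented line assigns
# true to the array key NAME, e.g. $cfg['Servers'][$i]['NAME'] = true;
# The closing quote in the pattern keeps URLQueryEncryptionSecretKey from
# being mistaken for URLQueryEncryption.
directive_enabled() {
    grep -Ev '^[[:space:]]*(//|#|/\*|\*)' "$1" |
        grep -Eq "\[['\"]$2['\"]][[:space:]]*=[[:space:]]*(true|TRUE)[[:space:]]*;"
}

# audit_pma VERSION CONFIG: print findings and return how many there were.
audit_pma() {
    findings=0
    if ! version_ge "$1" "$FIXED_VERSION"; then
        echo "FAIL version $1 is older than $FIXED_VERSION (CVE-2022-23807)"
        findings=$((findings + 1))
    fi
    for d in URLQueryEncryption hide_connection_errors; do
        if ! directive_enabled "$2" "$d"; then
            echo "WARN $d is not enabled in $2"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Run the audit only when called with a version and a config file.
if [ $# -eq 2 ]; then audit_pma "$1" "$2"; fi
```

The exit status is the number of findings, so the script can gate a configuration-management run or a monitoring check.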