openSUSE Security Update: Security update for phpMyAdmin
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2016:3007-1
Rating:             moderate
References:         #1012271
Affected Products:  openSUSE Leap 42.2
                    openSUSE Leap 42.1
                    openSUSE 13.2
______________________________________________________________________________

An update that contains security fixes can now be installed.

Description:

This update to phpMyAdmin 4.4.15.9 fixes security issues and bugs.

The following security issues were fixed:

- Unsafe generation of $cfg['blowfish_secret'] (PMASA-2016-58)
- phpMyAdmin's phpinfo functionality is removed (PMASA-2016-59)
- AllowRoot and allow/deny rule bypass with specially-crafted username (PMASA-2016-60)
- Username matching weaknesses with allow/deny rules (PMASA-2016-61)
- Possible to bypass logout timeout (PMASA-2016-62)
- Full path disclosure (FPD) weaknesses (PMASA-2016-63)
- Multiple XSS weaknesses (PMASA-2016-64)
- Multiple denial-of-service (DOS) vulnerabilities (PMASA-2016-65)
- Possible to bypass white-list protection for URL redirection (PMASA-2016-66)
- BBCode injection to login page (PMASA-2016-67)
- Denial-of-service (DOS) vulnerability in table partitioning (PMASA-2016-68)
- Multiple SQL injection vulnerabilities (PMASA-2016-69)
- Incorrect serialized string parsing (PMASA-2016-70)
- CSRF token not stripped from the URL (PMASA-2016-71)

The following bugfix changes are included:

- Fix for expanding in navigation pane
- Reintroduced a simplified version of PmaAbsoluteUri directive (needed with reverse proxies)
- Fix editing of ENUM/SET/DECIMAL field structures
- Improvements to the parser

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE Leap 42.2:
  zypper in -t patch openSUSE-2016-1406=1
- openSUSE Leap 42.1:
  zypper in -t patch openSUSE-2016-1406=1
- openSUSE 13.2:
  zypper in -t patch openSUSE-2016-1406=1

To bring your system up-to-date, use "zypper patch".

Package List:

- openSUSE Leap 42.2 (noarch):
  phpMyAdmin-4.4.15.9-28.1
- openSUSE Leap 42.1 (noarch):
  phpMyAdmin-4.4.15.9-28.1
- openSUSE 13.2 (noarch):
  phpMyAdmin-4.4.15.9-42.1

References:

https://bugzilla.suse.com/1012271
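Added example, not part of the openSUSE advisory: a POSIX shell helper that checks whether an installed phpMyAdmin package is at or above the fixed VERSION-RELEASE listed in the Package List for a given product, so an administrator can confirm the patch actually landed on each host. The fixed versions are taken from the advisory; the function names (fixed_version, vercmp, pma_is_fixed) and the sample installed-version strings are my own constructions. The helper assumes purely numeric version and release fields, which holds for the versions in this advisory.

```shell
#!/bin/sh
# Verify that the installed phpMyAdmin package meets the fixed version from
# openSUSE-SU-2016:3007-1. Added example; not part of the advisory.

# fixed_version PRODUCT: print the fixed VERSION-RELEASE for a product
# (values copied from the advisory's Package List). Returns 1 if unknown.
fixed_version() {
    case "$1" in
        "Leap 42.2"|"Leap 42.1") printf '%s\n' "4.4.15.9-28.1" ;;
        "13.2")                  printf '%s\n' "4.4.15.9-42.1" ;;
        *)                       return 1 ;;
    esac
}

# vercmp A B: compare two dotted/dashed numeric versions field by field and
# print -1, 0 or 1. "-" is treated like "." so VERSION-RELEASE strings work.
# Assumes every field is numeric (true for the versions on this page).
vercmp() {
    a="$(printf '%s' "$1" | tr '-' '.')."
    b="$(printf '%s' "$2" | tr '-' '.')."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        x=${x:-0}; y=${y:-0}          # a missing field counts as 0
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1;  return; fi
    done
    printf '%s\n' 0
}

# pma_is_fixed PRODUCT INSTALLED: exit 0 if INSTALLED >= fixed version for
# PRODUCT, 1 if it is older, 2 if the product is not in this advisory.
pma_is_fixed() {
    fixed=$(fixed_version "$1") || { echo "unknown product: $1" >&2; return 2; }
    [ "$(vercmp "$2" "$fixed")" -ge 0 ]
}

# Constructed sample run (no rpm needed). On a real host you would pass the
# output of:  rpm -q --qf '%{VERSION}-%{RELEASE}' phpMyAdmin
for sample in "Leap 42.2:4.4.15.9-28.1" "Leap 42.1:4.4.15.8-12.1" "13.2:4.4.15.9-28.1"; do
    product=${sample%%:*}
    installed=${sample#*:}
    if pma_is_fixed "$product" "$installed"; then
        echo "openSUSE $product: phpMyAdmin $installed is patched"
    else
        echo "openSUSE $product: phpMyAdmin $installed is NOT patched (apply openSUSE-2016-1406)"
    fi
done
```

Note that the third sample (13.2 at 4.4.15.9-28.1) is reported as unpatched: the fixed release for 13.2 is 42.1, so a version number alone is not enough and the product must be matched against the Package List.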