openSUSE Security Update: Security update for phpMyAdmin
______________________________________________________________________________
Announcement ID: openSUSE-SU-2016:3007-1
Rating: moderate
References: #1012271
Affected Products:
- openSUSE Leap 42.2
- openSUSE Leap 42.1
- openSUSE 13.2
______________________________________________________________________________
An update that contains security fixes can now be installed.
Description:
This update to phpMyAdmin 4.4.15.9 fixes security issues and bugs.
The following security issues were fixed:
- Unsafe generation of $cfg['blowfish_secret'] (PMASA-2016-58)
- phpMyAdmin's phpinfo functionality is removed (PMASA-2016-59)
- AllowRoot and allow/deny rule bypass with specially-crafted username (PMASA-2016-60)
- Username matching weaknesses with allow/deny rules (PMASA-2016-61)
- Possible to bypass logout timeout (PMASA-2016-62)
- Full path disclosure (FPD) weaknesses (PMASA-2016-63)
- Multiple XSS weaknesses (PMASA-2016-64)
- Multiple denial-of-service (DOS) vulnerabilities (PMASA-2016-65)
- Possible to bypass white-list protection for URL redirection (PMASA-2016-66)
- BBCode injection to login page (PMASA-2016-67)
- Denial-of-service (DOS) vulnerability in table partitioning (PMASA-2016-68)
- Multiple SQL injection vulnerabilities (PMASA-2016-69)
- Incorrect serialized string parsing (PMASA-2016-70)
- CSRF token not stripped from the URL (PMASA-2016-71)
The following bugfix changes are included:
- Fix for expanding in navigation pane
- Reintroduced a simplified version of PmaAbsoluteUri directive (needed with reverse proxies)
- Fix editing of ENUM/SET/DECIMAL field structures
- Improvements to the parser
Patch Instructions:
To install this openSUSE Security Update use YaST online_update. Alternatively you can run the command listed for your product:
- openSUSE Leap 42.2:
zypper in -t patch openSUSE-2016-1406=1
- openSUSE Leap 42.1:
zypper in -t patch openSUSE-2016-1406=1
- openSUSE 13.2:
zypper in -t patch openSUSE-2016-1406=1
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE Leap 42.2 (noarch):
phpMyAdmin-4.4.15.9-28.1
- openSUSE Leap 42.1 (noarch):
phpMyAdmin-4.4.15.9-28.1
- openSUSE 13.2 (noarch):
phpMyAdmin-4.4.15.9-42.1
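To confirm that a host has actually reached the fixed package level listed above, the following added check (not part of the advisory or of openSUSE's tooling) compares an installed version-release string against the fixed one for the product. It assumes a POSIX shell, that the installed value comes from rpm as shown in the comment, and that all version components are numeric, as they are for these packages (rpm's own comparison handles more cases); the installed values in the sample run are constructed.

```shell
#!/bin/sh
# Fixed version-release per product, taken from the advisory's package list.
fixed_version_for() {
  case "$1" in
    "openSUSE Leap 42.2"|"openSUSE Leap 42.1") echo "4.4.15.9-28.1" ;;
    "openSUSE 13.2") echo "4.4.15.9-42.1" ;;
    *) return 1 ;;  # product not covered by this advisory
  esac
}

# version_ge A B: exit 0 when A >= B, comparing numeric components
# split on '.' and '-' (a simplification of rpm's rpmvercmp, which is
# enough for the purely numeric version-release strings in this advisory).
version_ge() {
  a=$(printf '%s' "$1" | tr '-' '.'); b=$(printf '%s' "$2" | tr '-' '.')
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai=${a%%.*}; bi=${b%%.*}
    if [ "$ai" = "$a" ]; then a=''; else a=${a#*.}; fi
    if [ "$bi" = "$b" ]; then b=''; else b=${b#*.}; fi
    ai=${ai:-0}; bi=${bi:-0}          # missing trailing component counts as 0
    [ "$ai" -gt "$bi" ] && return 0
    [ "$ai" -lt "$bi" ] && return 1
  done
  return 0
}

# is_patched PRODUCT INSTALLED: exit 0 when INSTALLED is at or above the
# fixed level for PRODUCT, 1 when it is below, 2 when PRODUCT is unknown.
is_patched() {
  fixed=$(fixed_version_for "$1") || return 2
  version_ge "$2" "$fixed"
}

# On a real host the installed string comes from:
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' phpMyAdmin
# The product:installed pairs below are constructed sample values.
for entry in "openSUSE Leap 42.2:4.4.15.9-28.1" \
             "openSUSE 13.2:4.4.15.9-28.1"; do
  product=${entry%%:*}; installed=${entry#*:}
  if is_patched "$product" "$installed"; then
    echo "$product: phpMyAdmin $installed is at the fixed level"
  else
    echo "$product: phpMyAdmin $installed is below the fixed level"
  fi
done
```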
References: