openSUSE-SU-2016:3007-1: moderate: Security update for phpMyAdmin - openSUSE Updates

5 Dec 2016


      openSUSE Security Update: Security update for phpMyAdmin
______________________________________________________________________________
Announcement ID:    openSUSE-SU-2016:3007-1
Rating:             moderate
References:         #1012271 
Affected Products:
                    openSUSE Leap 42.2
                    openSUSE Leap 42.1
                    openSUSE 13.2
______________________________________________________________________________
An update that contains security fixes can now be installed.
Description:
This update to phpMyAdmin 4.4.15.9 fixes security issues and bugs.
The following security issues were fixed:
- Unsafe generation of $cfg['blowfish_secret'] (PMASA-2016-58)
   - phpMyAdmin's phpinfo functionality is removed (PMASA-2016-59)
   - AllowRoot and allow/deny rule bypass with specially-crafted username
     (PMASA-2016-60)
   - Username matching weaknesses with allow/deny rules (PMASA-2016-61)
   - Possible to bypass logout timeout (PMASA-2016-62)
   - Full path disclosure (FPD) weaknesses (PMASA-2016-63)
   - Multiple XSS weaknesses (PMASA-2016-64)
   - Multiple denial-of-service (DOS) vulnerabilities (PMASA-2016-65)
   - Possible to bypass white-list protection for URL redirection
     (PMASA-2016-66)
   - BBCode injection to login page (PMASA-2016-67)
   - Denial-of-service (DOS) vulnerability in table partitioning
     (PMASA-2016-68)
   - Multiple SQL injection vulnerabilities (PMASA-2016-69 )
   - Incorrect serialized string parsing (PMASA-2016-70)
   - CSRF token not stripped from the URL (PMASA-2016-71)
The following bugfix changes are included:
- Fix for expanding in navigation pane
   - Reintroduced a simplified version of PmaAbsoluteUri directive (needed
     with reverse proxies)
   - Fix editing of ENUM/SET/DECIMAL field structures
   - Improvements to the parser
Patch Instructions:
To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:
- openSUSE Leap 42.2:
zypper in -t patch openSUSE-2016-1406=1
- openSUSE Leap 42.1:
zypper in -t patch openSUSE-2016-1406=1
- openSUSE 13.2:
zypper in -t patch openSUSE-2016-1406=1
To bring your system up-to-date, use "zypper patch".
Package List:
- openSUSE Leap 42.2 (noarch):
phpMyAdmin-4.4.15.9-28.1
- openSUSE Leap 42.1 (noarch):
phpMyAdmin-4.4.15.9-28.1
- openSUSE 13.2 (noarch):
phpMyAdmin-4.4.15.9-42.1
References:
https://bugzilla.suse.com/1012271