Mailinglist Archive: opensuse-updates (127 mails)

< Previous Next >
openSUSE-SU-2016:2176-1: moderate: phpMyAdmin
openSUSE Security Update: phpMyAdmin

Announcement ID: openSUSE-SU-2016:2176-1
Rating: moderate
References: #994313
Cross-References: CVE-2016-6606 CVE-2016-6607 CVE-2016-6608
CVE-2016-6609 CVE-2016-6610 CVE-2016-6611
CVE-2016-6612 CVE-2016-6613 CVE-2016-6614
CVE-2016-6615 CVE-2016-6616 CVE-2016-6617
CVE-2016-6618 CVE-2016-6619 CVE-2016-6620
CVE-2016-6621 CVE-2016-6622 CVE-2016-6623
CVE-2016-6624 CVE-2016-6625 CVE-2016-6626
CVE-2016-6627 CVE-2016-6628 CVE-2016-6629
CVE-2016-6630 CVE-2016-6631 CVE-2016-6632
Affected Products:
openSUSE 13.1

An update that fixes 28 vulnerabilities is now available.


This phpMyAdmin update to version fixes the following issues:

Security issues fixed:
* Improve session cookie code for openid.php and signon.php example files
* Full path disclosure in openid.php and signon.php example files
* Unsafe generation of BlowfishSecret (when not supplied by the user)
* Referrer leak when phpinfo is enabled
* Use HTTPS for wiki links
* Improve SSL certificate handling
* Fix full path disclosure in debugging code
* Administrators could trigger SQL injection attack against users

* Weaknesses with cookie encryption see PMASA-2016-29 (CVE-2016-6606,
* Multiple XSS vulnerabilities see PMASA-2016-30 (CVE-2016-6607, CWE-661)
* Multiple XSS vulnerabilities see PMASA-2016-31 (CVE-2016-6608, CWE-661)
* PHP code injection see PMASA-2016-32 (CVE-2016-6609, CWE-661)
* Full path disclosure see PMASA-2016-33 (CVE-2016-6610, CWE-661)
* SQL injection attack see PMASA-2016-34 (CVE-2016-6611, CWE-661)
* Local file exposure through LOAD DATA LOCAL INFILE see PMASA-2016-35
(CVE-2016-6612, CWE-661)
* Local file exposure through symlinks with UploadDir see PMASA-2016-36
(CVE-2016-6613, CWE-661)
* Path traversal with SaveDir and UploadDir see PMASA-2016-37
(CVE-2016-6614, CWE-661)
* Multiple XSS vulnerabilities see PMASA-2016-38 (CVE-2016-6615, CWE-661)
* SQL injection vulnerability as control user see PMASA-2016-39
(CVE-2016-6616, CWE-661)
* SQL injection vulnerability see PMASA-2016-40 (CVE-2016-6617, CWE-661)
* Denial-of-service attack through transformation feature see
PMASA-2016-41 (CVE-2016-6618, CWE-661)
* SQL injection vulnerability as control user see PMASA-2016-42
(CVE-2016-6619, CWE-661)
* Verify data before unserializing see PMASA-2016-43 (CVE-2016-6620,
* SSRF in setup script see PMASA-2016-44 (CVE-2016-6621, CWE-661)
* Denial-of-service attack with $cfg['AllowArbitraryServer'] = true and
persistent connections see PMASA-2016-45 (CVE-2016-6622, CWE-661)
* Denial-of-service attack by using for loops see PMASA-2016-46
(CVE-2016-6623, CWE-661)
* Possible circumvention of IP-based allow/deny rules with IPv6 and proxy
server see PMASA-2016-47 (CVE-2016-6624, CWE-661)
* Detect if user is logged in see PMASA-2016-48 (CVE-2016-6625, CWE-661)
* Bypass URL redirection protection see PMASA-2016-49 (CVE-2016-6626,
* Referrer leak see PMASA-2016-50 (CVE-2016-6627, CWE-661)
* Reflected File Download see PMASA-2016-51 (CVE-2016-6628, CWE-661)
* ArbitraryServerRegexp bypass see PMASA-2016-52 (CVE-2016-6629, CWE-661)
* Denial-of-service attack by entering long password see PMASA-2016-53
(CVE-2016-6630, CWE-661)
* Remote code execution vulnerability when running as CGI see
PMASA-2016-54 (CVE-2016-6631, CWE-661)
* Denial-of-service attack when PHP uses dbase extension see PMASA-2016-55
(CVE-2016-6632, CWE-661)
* Remove tode execution vulnerability when PHP uses dbase extension see
PMASA-2016-56 (CVE-2016-6633, CWE-661)

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 13.1:

zypper in -t patch 2016-1027=1

To bring your system up-to-date, use "zypper patch".

Package List:

- openSUSE 13.1 (noarch):



< Previous Next >
This Thread
  • No further messages