phpmyadmin: multiple issues (CVE-2014-8958, CVE-2014-8959, CVE-2014-8960, CVE-2014-8961)
CVE-2014-8958:
Announcement-ID: PMASA-2014-13
Date: 2014-11-20
Summary: Multiple XSS vulnerabilities.
Affected Versions: versions 4.0.x (prior to 4.0.10.6), 4.1.x (prior to 4.1.14.7) and 4.2.x (prior to 4.2.12) are affected.
Solution: upgrade to phpMyAdmin 4.0.10.6 or newer, or 4.1.14.7 or newer, or 4.2.12 or newer, or apply the patch listed below.
References:
http://www.phpmyadmin.net/home_page/security/PMASA-2014-13.php
Patches:
The following commits have been made to fix this issue:
https://github.com/phpmyadmin/phpmyadmin/commit/d32da348c4de2379482a48661ce968a55eebe5c4
https://github.com/phpmyadmin/phpmyadmin/commit/1bc04ec95038f2356ad33752090001bf1c047208
https://github.com/phpmyadmin/phpmyadmin/commit/2a3b7393d1d5a8ba0543699df94a08a0f5728fe0
https://github.com/phpmyadmin/phpmyadmin/commit/2ffdbf2d7daa0b92541d8b754e2afac555d3ed21
The following commits have been made on the 4.0 branch to fix this issue:
https://github.com/phpmyadmin/phpmyadmin/commit/c5783321cd387d0b65b32cf399766f08a9acad68
https://github.com/phpmyadmin/phpmyadmin/commit/42b64e12b5f596366f94ef72365fd69a019ba820
https://github.com/phpmyadmin/phpmyadmin/commit/58cdd91fc83703a1ab645764fb3708e8e0b7c4a2
https://github.com/phpmyadmin/phpmyadmin/commit/c7685e5acd3f8e722f4f374c6fa821590865b68d
CVE-2014-8959:
Announcement-ID: PMASA-2014-14
Date: 2014-11-20
Summary: Local file inclusion vulnerability.
Description: In the GIS editor feature, a parameter specifying the geometry type was not correctly validated, opening the door to a local file inclusion attack.
Severity: We consider this vulnerability to be serious.
Affected Versions: versions 4.0.x (prior to 4.0.10.6), 4.1.x (prior to 4.1.14.7) and 4.2.x (prior to 4.2.12) are affected.
Solution: upgrade to phpMyAdmin 4.0.10.6 or newer, or 4.1.14.7 or newer, or 4.2.12 or newer, or apply the patch listed below.
References:
http://www.phpmyadmin.net/home_page/security/PMASA-2014-14.php
Patches:
The following commits have been made to fix this issue:
https://github.com/phpmyadmin/phpmyadmin/commit/80cd40b6687a6717860d345d6eb55bef2908e961
The following commits have been made on the 4.0 branch to fix this issue:
https://github.com/phpmyadmin/phpmyadmin/commit/2e3f0b9457b3c8f78beb864120bd9d55617a11b5
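The class of bug described in PMASA-2014-14, sketched as an added example (not phpMyAdmin's code and not taken from the patch): a request parameter naming a geometry type is used to choose a class file. The function names, the directory layout and the type table are assumptions made for illustration.

```php
<?php
// Added illustration of the bug class; hypothetical names, not phpMyAdmin source.
// Assumption: one class file per geometry type lives under a fixed directory.
const GIS_DIR = __DIR__ . '/gis';

// Weak pattern: the request value becomes part of the include path, so the
// caller controls which file on disk is loaded.
function gis_file_unvalidated(string $type): string
{
    return GIS_DIR . '/GIS_' . $type . '.class.php';
}

// Hardened pattern: the request value is only a lookup key. Every path
// component comes from this table, never from the input.
const GIS_CLASSES = [
    'point'              => 'GIS_Point',
    'linestring'         => 'GIS_Linestring',
    'polygon'            => 'GIS_Polygon',
    'multipoint'         => 'GIS_Multipoint',
    'multilinestring'    => 'GIS_Multilinestring',
    'multipolygon'       => 'GIS_Multipolygon',
    'geometrycollection' => 'GIS_Geometrycollection',
];

function gis_file_validated($type): ?string
{
    if (!is_string($type)) {
        return null; // e.g. an array submitted as type[]=...
    }
    $key = strtolower($type);
    if (!array_key_exists($key, GIS_CLASSES)) {
        return null; // unknown type: nothing is included
    }
    return GIS_DIR . '/' . GIS_CLASSES[$key] . '.class.php';
}

// Constructed sample inputs: two valid types, then values that must be rejected.
foreach (['POLYGON', 'multipoint', 'polygon/', '../../config', ['x']] as $input) {
    $file = gis_file_validated($input);
    printf("%-18s => %s\n", json_encode($input, JSON_UNESCAPED_SLASHES), $file ?? 'rejected');
}
```

A caller should treat the `null` result as a hard failure rather than falling back to a default include.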
CVE-2014-8960:
Announcement-ID: PMASA-2014-15
Date: 2014-11-20
Summary: XSS vulnerability in error reporting functionality.
Description: With a crafted file name it is possible to trigger an XSS in the error reporting page.
Affected Versions: versions 4.1.x (prior to 4.1.14.7) and 4.2.x (prior to 4.2.12) are affected.
Solution: upgrade to 4.1.14.7 or newer, or 4.2.12 or newer, or apply the patch listed below.
References:
http://www.phpmyadmin.net/home_page/security/PMASA-2014-15.php
Patches:
The following commits have been made to fix this issue:
https://github.com/phpmyadmin/phpmyadmin/commit/9364e2eee5681681caf7205c0933bc18af11e233
CVE-2014-8961:
Announcement-ID: PMASA-2014-16
Date: 2014-11-20
Summary: Leakage of line count of an arbitrary file.
Affected Versions: versions 4.1.x (prior to 4.1.14.7) and 4.2.x (prior to 4.2.12) are affected.
Solution: upgrade to phpMyAdmin 4.1.14.7 or newer, or 4.2.12 or newer, or apply the patch listed below.
References:
http://www.phpmyadmin.net/home_page/security/PMASA-2014-16.php
Patches:
The following commits have been made to fix this issue:
https://github.com/phpmyadmin/phpmyadmin/commit/b99b6b6672ff2419f05b05740c80c7a23c1da994
(from redmine: issue id 3530, created on 2014-11-21, closed on 2014-12-08)
- Relations:
- child #3531 (closed)
- child #3532 (closed)
- child #3533 (closed)