[3.2] phpmyadmin: Multiple vulnerabilities (Various CVEs)
CVE-2016-9847: Unsafe generation of blowfish secret
All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.
Upgrade to phpMyAdmin 4.6.5, 4.4.15.9, 4.0.10.18, or newer or apply patch.
Reference:
https://www.phpmyadmin.net/security/PMASA-2016-58/
CVE-2016-9848: phpinfo information leak value of sensitive (HttpOnly) cookies
All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.
Upgrade to phpMyAdmin 4.6.5, 4.4.15.9, 4.0.10.18.
Reference:
https://www.phpmyadmin.net/security/PMASA-2016-59/
CVE-2016-9849: Username deny rules bypass (AllowRoot & Others) by using Null Byte
All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.
Upgrade to phpMyAdmin 4.6.5, 4.4.15.9, 4.0.10.18, or newer or apply patch.
Reference:
https://www.phpmyadmin.net/security/PMASA-2016-60/
CVE-2016-9850: Username rule matching issues
All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.
Upgrade to phpMyAdmin 4.6.5, 4.4.15.9, 4.0.10.18, or newer or apply patch.
Reference:
https://www.phpmyadmin.net/security/PMASA-2016-61/
CVE-2016-9851: With a crafted request parameter value it is possible to bypass the logout timeout.
All 4.6.x versions (prior to 4.6.5), and 4.4.x versions (prior to 4.4.15.9) are affected.
Upgrade to phpMyAdmin 4.6.5, 4.4.15.9 or newer or apply patch.
Reference:
https://www.phpmyadmin.net/security/PMASA-2016-62/
CVE-2016-9852 CVE-2016-9853 CVE-2016-9854 CVE-2016-9855: Multiple full path disclosure vulnerabilities
All 4.6.x versions (prior to 4.6.5), and 4.4.x versions (prior to 4.4.15.9) are affected.
Upgrade to phpMyAdmin 4.6.5, 4.4.15.9, or newer or apply patch.
Reference:
https://www.phpmyadmin.net/security/PMASA-2016-63/
CVE-2016-9856 CVE-2016-9857: Multiple XSS vulnerabilities
All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.
Upgrade to phpMyAdmin 4.6.5, 4.4.15.9, 4.0.10.18, or newer or apply patch.
Reference:
https://www.phpmyadmin.net/security/PMASA-2016-64/
CVE-2016-9858 CVE-2016-9859 CVE-2016-9860: We consider these vulnerabilities to be of moderate severity.
All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.
Upgrade to phpMyAdmin 4.6.5, 4.4.15.9, 4.0.10.18, or newer or apply patch.
Reference:
https://www.phpmyadmin.net/security/PMASA-2016-65/
CVE-2016-9861: Bypass white-list protection for URL redirection
All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.
Reference:
https://www.phpmyadmin.net/security/PMASA-2016-66/
CVE-2016-9864: Multiple SQL injection vulnerabilities
All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.
Upgrade to phpMyAdmin 4.6.5, 4.4.15.9, 4.0.10.18, or newer or apply patch.
Reference:
https://www.phpmyadmin.net/security/PMASA-2016-69/
CVE-2016-9865: Incorrect serialized string parsing
All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.
Upgrade to phpMyAdmin 4.6.5, 4.4.15.9, 4.0.10.18, or newer or apply patch.
CVE-2016-9866: CSRF token not stripped from the URL
All 4.6.x versions (prior to 4.6.5), 4.4.x versions (prior to 4.4.15.9), and 4.0.x versions (prior to 4.0.10.18) are affected.
Upgrade to phpMyAdmin 4.6.5, 4.4.15.9, 4.0.10.18, or newer or apply patch.
Reference:
https://www.phpmyadmin.net/security/PMASA-2016-71/
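Added here as a worked example, not part of the original issue or of the phpMyAdmin project: a small Python check that decides whether an installed phpMyAdmin version falls below the fixed release of its branch and, if so, which of the advisories above apply. The fixed releases and the per-branch "affected" lists are transcribed from the entries above; the version-string handling (including distro suffixes such as "-r0") and the sample inputs are constructed for the example.

```python
"""Branch-aware check of a phpMyAdmin version against the fixed releases
listed in this issue.  Example code; the advisory table is transcribed from
the issue entries, the version parsing and sample inputs are constructed."""

# First fixed release of each branch named in the issue (branch -> version tuple).
FIXED_RELEASES = {
    (4, 6): (4, 6, 5),
    (4, 4): (4, 4, 15, 9),
    (4, 0): (4, 0, 10, 18),
}

ALL_BRANCHES = frozenset(FIXED_RELEASES)
NEWER_BRANCHES = frozenset({(4, 6), (4, 4)})  # entries that do not list 4.0.x as affected

# One record per advisory above: CVE ids, the issue's title, and the affected branches.
ADVISORIES = [
    {"cves": ["CVE-2016-9847"], "title": "Unsafe generation of blowfish secret", "branches": ALL_BRANCHES},
    {"cves": ["CVE-2016-9848"], "title": "phpinfo information leak value of sensitive (HttpOnly) cookies", "branches": ALL_BRANCHES},
    {"cves": ["CVE-2016-9849"], "title": "Username deny rules bypass (AllowRoot & Others) by using Null Byte", "branches": ALL_BRANCHES},
    {"cves": ["CVE-2016-9850"], "title": "Username rule matching issues", "branches": ALL_BRANCHES},
    {"cves": ["CVE-2016-9851"], "title": "Logout timeout bypass with a crafted request parameter value", "branches": NEWER_BRANCHES},
    {"cves": ["CVE-2016-9852", "CVE-2016-9853", "CVE-2016-9854", "CVE-2016-9855"], "title": "Multiple full path disclosure vulnerabilities", "branches": NEWER_BRANCHES},
    {"cves": ["CVE-2016-9856", "CVE-2016-9857"], "title": "Multiple XSS vulnerabilities", "branches": ALL_BRANCHES},
    {"cves": ["CVE-2016-9858", "CVE-2016-9859", "CVE-2016-9860"], "title": "PMASA-2016-65 (moderate severity)", "branches": ALL_BRANCHES},
    {"cves": ["CVE-2016-9861"], "title": "Bypass white-list protection for URL redirection", "branches": ALL_BRANCHES},
    {"cves": ["CVE-2016-9864"], "title": "Multiple SQL injection vulnerabilities", "branches": ALL_BRANCHES},
    {"cves": ["CVE-2016-9865"], "title": "Incorrect serialized string parsing", "branches": ALL_BRANCHES},
    {"cves": ["CVE-2016-9866"], "title": "CSRF token not stripped from the URL", "branches": ALL_BRANCHES},
]


def parse_version(text):
    """Turn '4.4.15.9' (or a distro string such as '4.4.15.9-r0', a constructed
    example) into a tuple of ints.  Parsing stops at the first component that is
    not purely numeric, so a package-revision suffix does not leak into the compare."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
        if len(digits) != len(piece):
            break  # a suffix such as '-r0' ends the numeric version
    return tuple(parts)


def affected_advisories(version):
    """Return the advisories that apply to `version`; [] when the version is at or
    past its branch's fixed release; None when the branch is not covered here."""
    v = parse_version(version)
    branch = v[:2]
    fixed = FIXED_RELEASES.get(branch)
    if fixed is None:
        return None
    # Tuple comparison handles differing lengths: (4, 4, 15) < (4, 4, 15, 9).
    if v >= fixed:
        return []
    return [a for a in ADVISORIES if branch in a["branches"]]


def report(version):
    """One-line human-readable verdict for a version string."""
    hits = affected_advisories(version)
    if hits is None:
        return f"{version}: branch not covered by this issue"
    if not hits:
        return f"{version}: not affected (at or past the fixed release)"
    cves = [c for a in hits for c in a["cves"]]
    return f"{version}: affected by {len(hits)} advisories ({len(cves)} CVEs)"


if __name__ == "__main__":
    # Constructed sample inputs covering each branch, a fixed release and an unknown branch.
    for sample in ("4.6.4", "4.6.5", "4.4.15.8-r0", "4.0.10.17", "4.0.10.18", "4.7.0"):
        print(report(sample))
```

The point of the branch lookup is that "upgrade to 4.6.5" does not mean every version below 4.6.5 is affected: 4.4.15.9 and 4.0.10.18 are fixed releases on their own branches, and two of the advisories above never applied to 4.0.x at all, so a naive "version < 4.6.5" scanner rule would over-report on both counts.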
(from redmine: issue id 6597, created on 2016-12-29, closed on 2017-01-03)
- Relations:
- parent #6593 (closed)
- Changesets:
- Revision 3c5da8c4 by Sergei Lukin on 2017-01-02T14:55:15Z:
main/phpmyadmin: security upgrade to 4.4.15.9 - fixes #6597
CVE-2016-9847: Unsafe generation of blowfish secret
CVE-2016-9848: phpinfo information leak value of sensitive (HttpOnly) cookies
CVE-2016-9849: Username deny rules bypass (AllowRoot & Others) by using Null Byte
CVE-2016-9850: Username rule matching issues
CVE-2016-9851: With a crafted request parameter value it is possible to bypass the logout timeout.
CVE-2016-9852 CVE-2016-9853 CVE-2016-9854 CVE-2016-9855: Multiple full path disclosure vulnerabilities
CVE-2016-9856 CVE-2016-9857: Multiple XSS vulnerabilities
CVE-2016-9858 CVE-2016-9859 CVE-2016-9860: We consider these vulnerabilities to be of moderate severity.
CVE-2016-9861: Bypass white-list protection for URL redirection
CVE-2016-9864: Multiple SQL injection vulnerabilities
CVE-2016-9865: Incorrect serialized string parsing
CVE-2016-9866: CSRF token not stripped from the URL
4.4.15.9 is a minor security upgrade
https://www.phpmyadmin.net/news/2016/11/25/phpmyadmin-401018-44159-and-465-are-released/