[SECURITY] [DLA 406-1] phpmyadmin security update

2016-01-3022:52:45

lists.debian.org

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

6.6

Confidence

High

EPSS

0.004

Percentile

72.6%

JSON

Package : phpmyadmin
Version : 4:3.3.7-11
CVE ID : CVE-2016-2039 CVE-2016-2041

Several flaws were discovered in the CSRF authentication code of
phpMyAdmin.

CVE-2016-2039

The XSRF/CSRF token is generated with a weak algorithm using
functions that do not return cryptographically secure values.

CVE-2016-2041

The comparison of the XSRF/CSRF token parameter with the value saved
in the session is vulnerable to timing attacks. Moreover, the
comparison could be bypassed if the XSRF/CSRF token matches a
particular pattern.

OSVersionArchitecturePackageVersionFilename
Debian6allphpmyadmin< 4:3.3.7-11phpmyadmin_4:3.3.7-11_all.deb
Debian8allphpmyadmin< 4:4.2.12-2+deb8u2phpmyadmin_4:4.2.12-2+deb8u2_all.deb
Debian7allphpmyadmin< 4:3.4.11.1-2+deb7u3phpmyadmin_4:3.4.11.1-2+deb7u3_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	6	all	phpmyadmin	< 4:3.3.7-11	phpmyadmin_4:3.3.7-11_all.deb
Debian	8	all	phpmyadmin	< 4:4.2.12-2+deb8u2	phpmyadmin_4:4.2.12-2+deb8u2_all.deb
Debian	7	all	phpmyadmin	< 4:3.4.11.1-2+deb7u3	phpmyadmin_4:3.4.11.1-2+deb7u3_all.deb