Security update for phpMyAdmin SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:0357-1 Final 1 1 2016-02-07T14:20:15Z current 2016-02-07T14:20:15Z 2016-02-07T14:20:15Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for phpMyAdmin This update to phpMyAdmin 4.4.15.4 fixes the following issues (boo#964024) * CVE-2016-2038: Multiple full path disclosure vulnerabilities * CVE-2016-2039: Unsafe generation of XSRF/CSRF token * CVE-2016-2040: Multiple XSS vulnerabilities * CVE-2016-1927: Insecure password generation in JavaScript * CVE-2016-2041: Unsafe comparison of XSRF/CSRF token * CVE-2016-2042: Multiple full path disclosure vulnerabilities * CVE-2016-2043: XSS vulnerability in normalization page The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2016-02/msg00028.html E-Mail link for openSUSE-SU-2016:0357-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.1 phpMyAdmin-4.4.15.4-13.1 phpMyAdmin-4.4.15.4-13.1 as a component of openSUSE Leap 42.1 The suggestPassword function in js/functions.js in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 relies on the Math.random JavaScript function, which makes it easier for remote attackers to guess passwords via a brute-force approach. CVE-2016-1927 openSUSE Leap 42.1:phpMyAdmin-4.4.15.4-13.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-02/msg00028.html https://www.suse.com/security/cve/CVE-2016-1927.html CVE-2016-1927 https://bugzilla.suse.com/964024 SUSE Bug 964024 phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 allows remote attackers to obtain sensitive information via a crafted request, which reveals the full path in an error message. CVE-2016-2038 openSUSE Leap 42.1:phpMyAdmin-4.4.15.4-13.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-02/msg00028.html https://www.suse.com/security/cve/CVE-2016-2038.html CVE-2016-2038 https://bugzilla.suse.com/964024 SUSE Bug 964024 libraries/session.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not properly generate CSRF token values, which allows remote attackers to bypass intended access restrictions by predicting a value. CVE-2016-2039 openSUSE Leap 42.1:phpMyAdmin-4.4.15.4-13.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-02/msg00028.html https://www.suse.com/security/cve/CVE-2016-2039.html CVE-2016-2039 https://bugzilla.suse.com/964024 SUSE Bug 964024 Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 allow remote authenticated users to inject arbitrary web script or HTML via a (1) table name, (2) SET value, (3) search query, or (4) hostname in a Location header. CVE-2016-2040 openSUSE Leap 42.1:phpMyAdmin-4.4.15.4-13.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-02/msg00028.html https://www.suse.com/security/cve/CVE-2016-2040.html CVE-2016-2040 https://bugzilla.suse.com/964024 SUSE Bug 964024 libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not use a constant-time algorithm for comparing CSRF tokens, which makes it easier for remote attackers to bypass intended access restrictions by measuring time differences. CVE-2016-2041 openSUSE Leap 42.1:phpMyAdmin-4.4.15.4-13.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-02/msg00028.html https://www.suse.com/security/cve/CVE-2016-2041.html CVE-2016-2041 https://bugzilla.suse.com/964024 SUSE Bug 964024 phpMyAdmin 4.4.x before 4.4.15.3 and 4.5.x before 4.5.4 allows remote attackers to obtain sensitive information via a crafted request to (1) libraries/phpseclib/Crypt/AES.php or (2) libraries/phpseclib/Crypt/Rijndael.php, which reveals the full path in an error message. CVE-2016-2042 openSUSE Leap 42.1:phpMyAdmin-4.4.15.4-13.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-02/msg00028.html https://www.suse.com/security/cve/CVE-2016-2042.html CVE-2016-2042 https://bugzilla.suse.com/964024 SUSE Bug 964024 Cross-site scripting (XSS) vulnerability in the goToFinish1NF function in js/normalization.js in phpMyAdmin 4.4.x before 4.4.15.3 and 4.5.x before 4.5.4 allows remote authenticated users to inject arbitrary web script or HTML via a table name to the normalization page. CVE-2016-2043 openSUSE Leap 42.1:phpMyAdmin-4.4.15.4-13.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-02/msg00028.html https://www.suse.com/security/cve/CVE-2016-2043.html CVE-2016-2043 https://bugzilla.suse.com/964024 SUSE Bug 964024