[3.0] phpmyadmin: Multiple issues (CVE-2015-2206, CVE-2015-3902, CVE-2015-3903)
CVE-2015-2206: Risk of BREACH attack due to reflected parameter
Affected versions:
Versions 4.0.x (prior to 4.0.10.9), 4.2.x (prior to 4.2.13.2) and 4.3.x (prior to 4.3.11.1) are affected.
Upgrade to phpMyAdmin 4.0.10.9 or newer, or 4.2.13.2 or newer, or 4.3.11.1 or newer.
References:
https://www.phpmyadmin.net/security/PMASA-2015-1/
Patches:
The following commits have been made to fix this issue:
https://github.com/phpmyadmin/phpmyadmin/commit/b2f1e895038a5700bf8e81fb9a5da36cbdea0eeb
The following commits have been made on the 4.0 branch to fix this issue:
https://github.com/phpmyadmin/phpmyadmin/commit/e1a68ad02c5b1a516b3787ce114ef6a6be004630
The following commits have been made on the 4.2 branch to fix this issue:
https://github.com/phpmyadmin/phpmyadmin/commit/d0f109dfe3b345094d7ceb49df0dbb68efc032ed
CVE-2015-3902: XSRF/CSRF vulnerability in phpMyAdmin setup
Affected versions:
Versions 4.0.x (prior to 4.0.10.10), 4.2.x (prior to 4.2.13.3), 4.3.x (prior to 4.3.13.1) and 4.4.x (prior to 4.4.6.1) are affected.
Upgrade to phpMyAdmin 4.0.10.10 or newer, or 4.2.13.3 or newer, or 4.3.13.1 or newer, or 4.4.6.1 or newer.
References:
https://www.phpmyadmin.net/security/PMASA-2015-2/
Patches:
The following commits have been made to fix this issue:
https://github.com/phpmyadmin/phpmyadmin/commit/ee92eb9bab8e2d546756c1d4aec81ec7c8e44b83
The following commits have been made on the 4.0 branch to fix this issue:
https://github.com/phpmyadmin/phpmyadmin/commit/fea1d39fef540afa4105c6fbcc849f7e516f3da8
The following commits have been made on the 4.2 branch to fix this issue:
https://github.com/phpmyadmin/phpmyadmin/commit/c903ecf6751684b6af2d079c78b1f0d09ea2bd47
The following commits have been made on the 4.3 branch to fix this issue:
https://github.com/phpmyadmin/phpmyadmin/commit/9817bd4030de949ba9ce4cd1b3f047e22d8f66bd
CVE-2015-3903: Vulnerability allowing man-in-the-middle attack on API call to GitHub
Affected versions:
Versions 4.0.x (prior to 4.0.10.10), 4.2.x (prior to 4.2.13.3), 4.3.x (prior to 4.3.13.1) and 4.4.x (prior to 4.4.6.1) are affected.
Upgrade to phpMyAdmin 4.0.10.10 or newer, or 4.2.13.3 or newer, or 4.3.13.1 or newer, or 4.4.6.1 or newer.
References:
https://www.phpmyadmin.net/security/PMASA-2015-3/
Patches:
The following commits have been made to fix this issue:
https://github.com/phpmyadmin/phpmyadmin/commit/5ebc4daf131dd3bd646326267f3e765d0249bbb4
The following commits have been made on the 4.0 branch to fix this issue:
https://github.com/phpmyadmin/phpmyadmin/commit/e97e7fb0ea2dedfaa95c7dbe872027fb4bd4204c
The following commits have been made on the 4.2 branch to fix this issue:
https://github.com/phpmyadmin/phpmyadmin/commit/0e18931d9e4b23053285b6fddf3493ca426ff684
The following commits have been made on the 4.3 branch to fix this issue:
https://github.com/phpmyadmin/phpmyadmin/commit/75499e790429c491840a0ad31d4de84aca215d23
(from redmine: issue id 4806, created on 2015-10-29, closed on 2015-12-02)
- Relations:
  - parent #4803 (closed)
- Changesets:
  - Revision a7ce8746 by Natanael Copa on 2015-12-02T10:02:21Z:
main/phpmyadmin: security upgrade to 4.2.13.3
CVE-2015-2206
CVE-2015-3902
CVE-2015-3903
fixes #4806