[SECURITY] [DLA 1692-1] phpmyadmin security update

2019-02-27T13:58:51
ID DEBIAN:DLA-1692-1:03FB6
Type debian
Reporter Debian
Modified 2019-02-27T13:58:51

Description

Package        : phpmyadmin
Version        : 4:4.2.12-2+deb8u5
CVE ID         : CVE-2019-6799
Debian Bug     : 920823

An information leak issue was discovered in phpMyAdmin. An attacker can read any file on the server that the web server's user can access. This is related to the mysql.allow_local_infile PHP configuration. When the AllowArbitraryServer configuration setting is set to false (default), the attacker needs a local MySQL account. When set to true, the attacker can exploit this with the use of a rogue MySQL server.

For Debian 8 "Jessie", this problem has been fixed in version 4:4.2.12-2+deb8u5.

We recommend that you upgrade your phpmyadmin packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
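
To review the two settings named above on a host, the following shell script (an added example, not part of the Debian advisory or of phpMyAdmin) reads a php.ini and a phpMyAdmin config.inc.php and reports both values with the precondition the advisory gives for each AllowArbitraryServer value. Assumptions: it also matches mysqli.allow_local_infile, which the advisory does not mention; the function names are hypothetical and the file contents are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the advisory. Sample files are constructed.

# Print on/off/unset for (mysql|mysqli).allow_local_infile in a php.ini file.
# "unset" means PHP's built-in default applies, so review it separately.
ini_local_infile() {
    awk -F= '
        /^[ \t]*[;#]/ { next }                      # commented-out directive
        /^[ \t]*mysqli?\.allow_local_infile[ \t]*=/ {
            k = $1; gsub(/[ \t]/, "", k)
            v = tolower($2); sub(/;.*/, "", v); gsub(/[ \t"]/, "", v)
            val[k] = v                              # last assignment wins
        }
        END {
            r = "unset"
            for (k in val) {
                if (r == "unset") r = "off"
                if (val[k] ~ /^(on|1|true|yes)$/) r = "on"
            }
            print r
        }' "$1"
}

# Print true/false for $cfg['AllowArbitraryServer'] (false when absent,
# which the advisory gives as the default).
pma_arbitrary_server() {
    awk '
        /^[ \t]*(\/\/|#|\*)/ { next }               # PHP comment lines
        /\$cfg\[.AllowArbitraryServer.\][ \t]*=/ {
            v = tolower($0); sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*;.*/, "", v)
        }
        END { print ((v == "true" || v == "1") ? "true" : "false") }' "$1"
}

# Combine both settings with the precondition the advisory states for each case.
report() {
    infile=$(ini_local_infile "$1"); arb=$(pma_arbitrary_server "$2")
    if [ "$arb" = "true" ]; then need=rogue-mysql-server; else need=local-mysql-account; fi
    echo "allow_local_infile=$infile AllowArbitraryServer=$arb attacker_needs=$need"
}

d=$(mktemp -d)                                       # constructed sample input
printf '%s\n' '[MySQLi]' ';mysqli.allow_local_infile = Off' \
    'mysqli.allow_local_infile = On' > "$d/php.ini"
printf '%s\n' '<?php' "// \$cfg['AllowArbitraryServer'] = false;" \
    "\$cfg['AllowArbitraryServer'] = true;" > "$d/config.inc.php"
report "$d/php.ini" "$d/config.inc.php"
```

The report only describes configuration; installing the fixed package version remains the remedy the advisory gives.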