[SECURITY] [DLA 834-1] phpmyadmin security update

2017-02-2406:34:25

lists.debian.org

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

8.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

9 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

55.4%

JSON

Package : phpmyadmin
Version : 4:3.4.11.1-2+deb7u8
CVE ID : CVE-2016-6621

A server-side request forgery vulnerability was reported for the setup
script in phpmyadmin, a MYSQL web administration tool. This flaw may
allow an unauthenticated attacker to brute-force MYSQL passwords,
detect internal hostnames or opened ports on the internal network.
Additionally there was a race condition between writing configuration
and administrator moving it allowing unauthenticated users to read or
alter it. Debian users who configured phpmyadmin via debconf and used
the default configuration for Apache 2 or Lighttpd were never affected.

For Debian 7 "Wheezy", these problems have been fixed in version
4:3.4.11.1-2+deb7u8.

We recommend that you upgrade your phpmyadmin packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

OSVersionArchitecturePackageVersionFilename
Debian8allphpmyadmin< 4:4.2.12-2+deb8u3phpmyadmin_4:4.2.12-2+deb8u3_all.deb
Debian7allphpmyadmin< 4:3.4.11.1-2+deb7u8phpmyadmin_4:3.4.11.1-2+deb7u8_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	8	all	phpmyadmin	< 4:4.2.12-2+deb8u3	phpmyadmin_4:4.2.12-2+deb8u3_all.deb
Debian	7	all	phpmyadmin	< 4:3.4.11.1-2+deb7u8	phpmyadmin_4:3.4.11.1-2+deb7u8_all.deb