OSV: DSA-3627-1 (Google osv.dev)
Published: Jul 24, 2016

phpmyadmin - security update

EPSS: 0.028 (Low), percentile 90.7%

Several vulnerabilities have been fixed in phpMyAdmin, the web-based
MySQL administration interface.

  • CVE-2016-1927
    The suggestPassword function relied on a non-secure random number
    generator which makes it easier for remote attackers to guess
    generated passwords via a brute-force approach.
  • CVE-2016-2039
    CSRF token values were generated by a non-secure random number
    generator, which allows remote attackers to bypass intended access
    restrictions by predicting a value.
  • CVE-2016-2040
    Multiple cross-site scripting (XSS) vulnerabilities allow remote
    authenticated users to inject arbitrary web script or HTML.
  • CVE-2016-2041
    phpMyAdmin does not use a constant-time algorithm for comparing
    CSRF tokens, which makes it easier for remote attackers to bypass
    intended access restrictions by measuring time differences.
  • CVE-2016-2560
    Multiple cross-site scripting (XSS) vulnerabilities allow remote
    attackers to inject arbitrary web script or HTML.
  • CVE-2016-2561
    Multiple cross-site scripting (XSS) vulnerabilities allow remote
    attackers to inject arbitrary web script or HTML.
  • CVE-2016-5099
    Multiple cross-site scripting (XSS) vulnerabilities allow remote
    attackers to inject arbitrary web script or HTML.
  • CVE-2016-5701
    For installations running on plain HTTP, phpMyAdmin allows remote
    attackers to conduct BBCode injection attacks against HTTP sessions
    via a crafted URI.
  • CVE-2016-5705
    Multiple cross-site scripting (XSS) vulnerabilities allow remote
    attackers to inject arbitrary web script or HTML.
  • CVE-2016-5706
    phpMyAdmin allows remote attackers to cause a denial of service
    (resource consumption) via a large array in the scripts parameter.
  • CVE-2016-5731
    A cross-site scripting (XSS) vulnerability allows remote
    attackers to inject arbitrary web script or HTML.
  • CVE-2016-5733
    Multiple cross-site scripting (XSS) vulnerabilities allow remote
    attackers to inject arbitrary web script or HTML.
  • CVE-2016-5739
    A specially crafted Transformation could leak information which
    a remote attacker could use to perform cross-site request forgeries.
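The two CSRF-token flaws above (CVE-2016-2039, a token from a non-secure random number generator, and CVE-2016-2041, a non-constant-time token comparison) share one fix pattern in PHP. The following is an added illustration, not phpMyAdmin's or Debian's code; the function names are invented, the "weak" bodies only stand in for the flaw classes the advisory describes, and the hardened versions assume PHP 7.0 or later.

```php
<?php
// Added example, not phpMyAdmin's code: the two CSRF-token weaknesses named in
// DSA-3627-1 (predictable token, CVE-2016-2039; non-constant-time comparison,
// CVE-2016-2041) beside the hardened pattern. Function names are invented here.
declare(strict_types=1);

// Weak pattern: token drawn from a seedable, non-cryptographic PRNG. Anyone
// who recovers the generator state can reproduce later tokens; this is the
// class of flaw behind CVE-2016-2039 (illustrative, not phpMyAdmin's code).
function weak_csrf_token(): string
{
    $token = '';
    for ($i = 0; $i < 32; $i++) {
        $token .= dechex(mt_rand(0, 15));
    }
    return $token;
}

// Weak pattern: === may stop at the first differing byte, so response time
// leaks how many leading bytes matched (the flaw class behind CVE-2016-2041).
function weak_csrf_check(string $expected, string $given): bool
{
    return $expected === $given;
}

// Hardened: 32 bytes from the OS CSPRNG, hex-encoded (requires PHP >= 7.0).
function secure_csrf_token(): string
{
    return bin2hex(random_bytes(32));
}

// Hardened: hash_equals() runs in time independent of where the strings
// differ (PHP >= 5.6); the known-good value must be the first argument.
function secure_csrf_check(string $expected, string $given): bool
{
    return hash_equals($expected, $given);
}

// Minimal session flow: issue one token per session, verify on every
// state-changing POST before doing any work.
session_start();
if (empty($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = secure_csrf_token();
}
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $given = (string) ($_POST['token'] ?? '');
    if (!secure_csrf_check($_SESSION['csrf_token'], $given)) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
}
```

The same two checks (CSPRNG source, constant-time compare) are what to look for when reviewing any token-issuing code, not only phpMyAdmin's.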

For the stable distribution (jessie), these problems have been fixed in
version 4:4.2.12-2+deb8u2.

For the unstable distribution (sid), these problems have been fixed in
version 4:4.6.3-1.

We recommend that you upgrade your phpmyadmin packages.