openSUSE-SU-2016:2168-1
Aug 29, 2016 - 11:09 a.m.

Security update for phpMyAdmin (important)

Source: lists.opensuse.org
EPSS: 0.051 (Low), percentile 92.1%

phpMyAdmin was updated to version 4.4.15.8 (2016-08-16) to fix the
following issues:

  • Upstream changelog for 4.4.15.8:
    • Improve session cookie code for openid.php and signon.php example files
    • Full path disclosure in openid.php and signon.php example files
    • Unsafe generation of BlowfishSecret (when not supplied by the user)
    • Referrer leak when phpinfo is enabled
    • Use HTTPS for wiki links
    • Improve SSL certificate handling
    • Fix full path disclosure in debugging code
    • Administrators could trigger SQL injection attack against users
  • Other fixes:
    • Remove Swekey support
  • Security fixes: https://www.phpmyadmin.net/security/
    • Weaknesses with cookie encryption see PMASA-2016-29 (CVE-2016-6606,
      CWE-661)
    • Multiple XSS vulnerabilities see PMASA-2016-30 (CVE-2016-6607, CWE-661)
    • Multiple XSS vulnerabilities see PMASA-2016-31 (CVE-2016-6608, CWE-661)
    • PHP code injection see PMASA-2016-32 (CVE-2016-6609, CWE-661)
    • Full path disclosure see PMASA-2016-33 (CVE-2016-6610, CWE-661)
    • SQL injection attack see PMASA-2016-34 (CVE-2016-6611, CWE-661)
    • Local file exposure through LOAD DATA LOCAL INFILE see PMASA-2016-35
      (CVE-2016-6612, CWE-661)
    • Local file exposure through symlinks with UploadDir see PMASA-2016-36
      (CVE-2016-6613, CWE-661)
    • Path traversal with SaveDir and UploadDir see PMASA-2016-37
      (CVE-2016-6614, CWE-661)
    • Multiple XSS vulnerabilities see PMASA-2016-38 (CVE-2016-6615, CWE-661)
    • SQL injection vulnerability as control user see PMASA-2016-39
      (CVE-2016-6616, CWE-661)
    • SQL injection vulnerability see PMASA-2016-40 (CVE-2016-6617, CWE-661)
    • Denial-of-service attack through transformation feature see
      PMASA-2016-41 (CVE-2016-6618, CWE-661)
    • SQL injection vulnerability as control user see PMASA-2016-42
      (CVE-2016-6619, CWE-661)
    • Verify data before unserializing see PMASA-2016-43 (CVE-2016-6620,
      CWE-661)
    • SSRF in setup script see PMASA-2016-44 (CVE-2016-6621, CWE-661)
    • Denial-of-service attack with $cfg['AllowArbitraryServer'] = true and
      persistent connections see PMASA-2016-45 (CVE-2016-6622, CWE-661)
    • Denial-of-service attack by using for loops see PMASA-2016-46
      (CVE-2016-6623, CWE-661)
    • Possible circumvention of IP-based allow/deny rules with IPv6 and
      proxy server see PMASA-2016-47 (CVE-2016-6624, CWE-661)
    • Detect if user is logged in see PMASA-2016-48 (CVE-2016-6625, CWE-661)
    • Bypass URL redirection protection see PMASA-2016-49 (CVE-2016-6626,
      CWE-661)
    • Referrer leak see PMASA-2016-50 (CVE-2016-6627, CWE-661)
    • Reflected File Download see PMASA-2016-51 (CVE-2016-6628, CWE-661)
    • ArbitraryServerRegexp bypass see PMASA-2016-52 (CVE-2016-6629, CWE-661)
    • Denial-of-service attack by entering long password see PMASA-2016-53
      (CVE-2016-6630, CWE-661)
    • Remote code execution vulnerability when running as CGI see
      PMASA-2016-54 (CVE-2016-6631, CWE-661)
    • Denial-of-service attack when PHP uses dbase extension see
      PMASA-2016-55 (CVE-2016-6632, CWE-661)
    • Remote code execution vulnerability when PHP uses dbase extension see
      PMASA-2016-56 (CVE-2016-6633, CWE-661)
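As an added practitioner check (not part of the advisory, and not code from the phpMyAdmin project), the Python script below does two things a reviewer of an affected host would want: it decides whether an installed 4.4.x version predates the 4.4.15.8 fix named above, and it reads a config.inc.php to report which of the listed PMASA advisories are actually reachable given the enabled settings (empty blowfish_secret, AllowArbitraryServer, UploadDir/SaveDir, AllowDeny rules). The 32-character minimum for blowfish_secret follows phpMyAdmin's documented recommendation and is an assumption here; the sample config is constructed for the example, and the version check only covers the 4.4 line because that is the package the advisory patches.

```python
"""Check a phpMyAdmin install against openSUSE-SU-2016:2168-1.

Added example, not the advisory's or phpMyAdmin's own code. It flags settings
that expose the fixed PMASA issues so an admin can decide what to disable
until the 4.4.15.8 package is installed.
"""
import re

FIXED_VERSION = (4, 4, 15, 8)  # first fixed release on the 4.4 line (from the advisory)
MIN_SECRET_LEN = 32            # assumption: phpMyAdmin's documented recommendation

# Assignments of the form $cfg['a']['b'] = value;  ($i indexes are skipped)
CFG_RE = re.compile(r"\$cfg((?:\[[^\]]+\])+)\s*=\s*([^;]+);")
KEY_RE = re.compile(r"\['([^']+)'\]")


def parse_version(text):
    """'4.4.15.7' -> (4, 4, 15, 7); missing trailing components become 0."""
    parts = [int(p) for p in re.findall(r"\d+", text)[:4]]
    if not parts:
        raise ValueError("no version number in %r" % text)
    return tuple(parts + [0] * (4 - len(parts)))


def version_vulnerable(version):
    """True if a 4.4.x version predates 4.4.15.8, False if fixed.
    Returns None for other branches: this advisory does not cover them."""
    v = parse_version(version)
    if v[:2] != (4, 4):
        return None
    return v < FIXED_VERSION


def parse_config(text):
    """Flatten config.inc.php into {'Servers.AllowDeny.order': "'deny,allow'", ...}."""
    settings = {}
    for path, raw in CFG_RE.findall(text):
        keys = KEY_RE.findall(path)
        if keys:
            settings[".".join(keys)] = raw.strip()
    return settings


def php_string(raw):
    """Unquote a single- or double-quoted PHP literal; None for anything else."""
    m = re.fullmatch(r"'(.*)'|\"(.*)\"", raw, re.S)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def audit_config(text):
    """Map each reachable PMASA id to a one-line explanation."""
    s = parse_config(text)
    findings = {}
    secret = php_string(s.get("blowfish_secret", "''"))
    if secret is not None and len(secret) < MIN_SECRET_LEN:
        findings["PMASA-2016-29"] = ("blowfish_secret is empty or short; the unfixed "
                                     "version generates a weak one (cookie encryption)")
    if s.get("AllowArbitraryServer", "false").lower() == "true":
        findings["PMASA-2016-45"] = "AllowArbitraryServer enabled: DoS via persistent connections"
        findings["PMASA-2016-52"] = "AllowArbitraryServer enabled: ArbitraryServerRegexp bypass"
    if php_string(s.get("UploadDir", "''")):
        findings["PMASA-2016-36"] = "UploadDir set: local file exposure through symlinks"
        findings["PMASA-2016-37"] = "UploadDir/SaveDir set: path traversal"
    if php_string(s.get("SaveDir", "''")):
        findings["PMASA-2016-37"] = "UploadDir/SaveDir set: path traversal"
    if any(k.endswith("AllowDeny.order") and php_string(v) for k, v in s.items()):
        findings["PMASA-2016-47"] = ("IP allow/deny rules active: bypass with IPv6 and a "
                                     "proxy server until patched")
    return findings


# Constructed sample config for the example (not from any real host).
SAMPLE_CONFIG = """<?php
$cfg['blowfish_secret'] = '';
$cfg['AllowArbitraryServer'] = true;
$cfg['UploadDir'] = '/var/lib/phpMyAdmin/upload';
$cfg['SaveDir'] = '';
$i = 1;
$cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['AllowDeny']['order'] = 'deny,allow';
$cfg['Servers'][$i]['AllowDeny']['rules'] = array('allow % from 10.0.0.0/8');
"""

# Same host after hardening: explicit secret, no arbitrary server, no upload dirs.
HARDENED_CONFIG = """<?php
$cfg['blowfish_secret'] = 'zK8fQ2mL1vN7xR4tH9yB6cJ0wP3sD5gA';
$cfg['AllowArbitraryServer'] = false;
$i = 1;
$cfg['Servers'][$i]['auth_type'] = 'cookie';
"""

if __name__ == "__main__":
    for ver in ("4.4.15.7", "4.4.15.8", "4.6.4"):
        print(ver, "vulnerable:", version_vulnerable(ver))
    for pmasa, why in sorted(audit_config(SAMPLE_CONFIG).items()):
        print(pmasa, "-", why)
    print("hardened findings:", audit_config(HARDENED_CONFIG))
```

Run it against a real config.inc.php by reading the file into `audit_config`; a non-empty result on an unpatched host means the listed PMASA issues are reachable with the current settings, and the 4.4.15.8 package update remains the actual fix.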