Security update to phpMyAdmin 4.4.15.4 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:0378-1 Final 1 1 2016-02-08T10:05:30Z current 2016-02-08T10:05:30Z 2016-02-08T10:05:30Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update to phpMyAdmin 4.4.15.4 Security update to phpMyAdmin 4.4.15.4 The followinng vulnerabilities were fixed: (boo#964024) * CVE-2016-2038: Multiple full path disclosure vulnerabilities * CVE-2016-2039: Unsafe generation of XSRF/CSRF token * CVE-2016-2040: Multiple XSS vulnerabilities * CVE-2016-1927: Insecure password generation in JavaScript * CVE-2016-2041: Unsafe comparison of XSRF/CSRF token * CVE-2016-2042: Multiple full path disclosure vulnerabilities * CVE-2016-2043: XSS vulnerability in normalization page The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2016-02/msg00049.html E-Mail link for openSUSE-SU-2016:0378-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings phpMyAdmin-4.4.15.4-46.1 The suggestPassword function in js/functions.js in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 relies on the Math.random JavaScript function, which makes it easier for remote attackers to guess passwords via a brute-force approach. CVE-2016-1927 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-02/msg00049.html https://www.suse.com/security/cve/CVE-2016-1927.html CVE-2016-1927 https://bugzilla.suse.com/964024 SUSE Bug 964024 phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 allows remote attackers to obtain sensitive information via a crafted request, which reveals the full path in an error message. CVE-2016-2038 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-02/msg00049.html https://www.suse.com/security/cve/CVE-2016-2038.html CVE-2016-2038 https://bugzilla.suse.com/964024 SUSE Bug 964024 libraries/session.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not properly generate CSRF token values, which allows remote attackers to bypass intended access restrictions by predicting a value. CVE-2016-2039 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-02/msg00049.html https://www.suse.com/security/cve/CVE-2016-2039.html CVE-2016-2039 https://bugzilla.suse.com/964024 SUSE Bug 964024 Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 allow remote authenticated users to inject arbitrary web script or HTML via a (1) table name, (2) SET value, (3) search query, or (4) hostname in a Location header. CVE-2016-2040 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-02/msg00049.html https://www.suse.com/security/cve/CVE-2016-2040.html CVE-2016-2040 https://bugzilla.suse.com/964024 SUSE Bug 964024 libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x before 4.5.4 does not use a constant-time algorithm for comparing CSRF tokens, which makes it easier for remote attackers to bypass intended access restrictions by measuring time differences. CVE-2016-2041 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-02/msg00049.html https://www.suse.com/security/cve/CVE-2016-2041.html CVE-2016-2041 https://bugzilla.suse.com/964024 SUSE Bug 964024 phpMyAdmin 4.4.x before 4.4.15.3 and 4.5.x before 4.5.4 allows remote attackers to obtain sensitive information via a crafted request to (1) libraries/phpseclib/Crypt/AES.php or (2) libraries/phpseclib/Crypt/Rijndael.php, which reveals the full path in an error message. CVE-2016-2042 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-02/msg00049.html https://www.suse.com/security/cve/CVE-2016-2042.html CVE-2016-2042 https://bugzilla.suse.com/964024 SUSE Bug 964024 Cross-site scripting (XSS) vulnerability in the goToFinish1NF function in js/normalization.js in phpMyAdmin 4.4.x before 4.4.15.3 and 4.5.x before 4.5.4 allows remote authenticated users to inject arbitrary web script or HTML via a table name to the normalization page. CVE-2016-2043 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2016-02/msg00049.html https://www.suse.com/security/cve/CVE-2016-2043.html CVE-2016-2043 https://bugzilla.suse.com/964024 SUSE Bug 964024