-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------ Debian Security Advisory DSA-2097-1 security@debian.org http://www.debian.org/security/ Thijs Kinkhorst August 29, 2010 http://www.debian.org/security/faq - ------------------------------------------------------------------------ Package : phpmyadmin Vulnerability : insufficient input sanitising Problem type : remote Debian-specific: no CVE Id(s) : CVE-2010-3055 CVE-2010-3056 Several remote vulnerabilities have been discovered in phpMyAdmin, a tool to administer MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2010-3055 The configuration setup script does not properly sanitise its output file, which allows remote attackers to execute arbitrary PHP code via a crafted POST request. In Debian, the setup tool is protected through Apache HTTP basic authentication by default. CVE-2010-3056 Various cross site scripting issues have been discovered that allow a remote attacker to inject arbitrary web script or HTML. For the stable distribution (lenny), these problems have been fixed in version 2.11.8.1-5+lenny5. For the testing (squeeze) and unstable distribution (sid), these problems have been fixed in version 3.3.5.1-1. We recommend that you upgrade your phpmyadmin package. Upgrade instructions - -------------------- wget url will fetch the file for you dpkg -i file.deb will install the referenced file. If you are using the apt-get package manager, use the line for sources.list as given below: apt-get update will update the internal database apt-get upgrade will install corrected packages You may use an automated update by adding the resources from the footer to the proper configuration. Debian GNU/Linux 5.0 alias lenny - -------------------------------- Source archives: http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.11.8.1.orig.tar.gz Size/MD5 checksum: 2870014 075301d16404c2d7d58216efc14f7a50 http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.11.8.1-5+lenny5.dsc Size/MD5 checksum: 1548 157a4c31a2bb6cd6b3fe514103a9d163 http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.11.8.1-5+lenny5.diff.gz Size/MD5 checksum: 73780 6b2c2c93159973911fed8513c91dc7d1 Architecture independent packages: http://security.debian.org/pool/updates/main/p/phpmyadmin/phpmyadmin_2.11.8.1-5+lenny5_all.deb Size/MD5 checksum: 2885996 2c4d27646253a7f5da105f26e22abb0d These files will probably be moved into the stable distribution on its next update. - --------------------------------------------------------------------------------- For apt-get: deb http://security.debian.org/ stable/updates main For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main Mailing list: debian-security-announce@lists.debian.org Package info: `apt-cache show ' and http://packages.debian.org/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJMejWEAAoJEOxfUAG2iX5743oH/A/F9FTv9ECa3wa2xH3V/t56 VapHDGcZ0K7J5OH3d4884BSeSPebgfmhqU0dJ4qXMjLChOexybuC1hLvl1kN8LOn IygjidP5lnfgmCUMO0+9BVYtq6tW9bBJmy4PSjvRC4SnGz6H1hqEHUH6f7k3+Bek ZreAK1GWiIN/uryav9bfEajv2+u3rCRM6l1Wob472ssa8lT/g5qfPvFHJ7sE0BOy XRxjNc3ysSLZoFnr1o+UQBX5oX/Xrt4r+/Q5VmrMqRpIclpwHe+tW41nuXQKtopw to7M6z3ZioG9YXRN26zAx3F25Thmd+DWG/UN7XuCLdRF4umwQSaRGm89iSHvltY= =LnaB -----END PGP SIGNATURE-----