[Secure-testing-commits] r41041 - data/CVE
Antoine Beaupré
anarcat at moszumanska.debian.org
Thu Apr 21 15:44:08 UTC 2016
Author: anarcat
Date: 2016-04-21 15:44:08 +0000 (Thu, 21 Apr 2016)
New Revision: 41041
Modified:
data/CVE/list
Log:
Summary: clarify status of CVE-2016-2039 (SNAFU) and CVE-2016-2042
(introduced with 2039)
Modified: data/CVE/list
===================================================================
--- data/CVE/list 2016-04-21 15:24:48 UTC (rev 41040)
+++ data/CVE/list 2016-04-21 15:44:08 UTC (rev 41041)
@@ -5855,6 +5855,7 @@
CVE-2016-2042 (phpMyAdmin 4.4.x before 4.4.15.3 and 4.5.x before 4.5.4 allows remote ...)
- phpmyadmin 4:4.5.4-1
[squeeze] - phpmyadmin <not-affected> (vulnerable code not present)
+ NOTE: introduced as part of the CVE-2016-2039 fix
NOTE: https://www.phpmyadmin.net/security/PMASA-2016-6/
CVE-2016-2041 (libraries/common.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x ...)
{DLA-406-1}
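Review bot: The new NOTE records that CVE-2016-2042 was introduced by the CVE-2016-2039 fix, but the squeeze entry directly above it is still `<not-affected> (vulnerable code not present)`. That status only holds as long as the 2039 fix is not backported to squeeze in its upstream form; if squeeze ends up importing the phpseclib code (as the 2039 entry later in this commit suggests), the 2042 status for squeeze must be revisited at the same time. Suggest spelling out the dependency in the NOTE, e.g. `NOTE: introduced as part of the CVE-2016-2039 fix; any backport of that fix must check this issue too`, so the two entries cannot drift apart.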
@@ -5869,9 +5870,10 @@
CVE-2016-2039 (libraries/session.inc.php in phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x ...)
{DLA-406-1}
- phpmyadmin 4:4.5.4-1
- NOTE: squeeze patch backport trivial to wheezy
+ NOTE: squeeze patch was actually incorrect and probably not functional: libraries/phpseclib/Crypt/Random.php needs some engine (e.g. AES) to work
NOTE: https://www.phpmyadmin.net/security/PMASA-2016-2/
- NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/6fe54dfa000dd6f43f237e859781fad7111ac1bd
+ NOTE: https://github.com/phpmyadmin/phpmyadmin/commit/6fe54dfa000dd6f43f237e859781fad7111ac1bd is not sufficient: one needs 29b297f to import more bits from phpseclib or simply import all of phpseclib.
+ NOTE: such a fix needs to avoid introducing a new vulnerability as well, upstream introduced CVE-2016-2042 as part of this
CVE-2016-2038 (phpMyAdmin 4.0.x before 4.0.10.13, 4.4.x before 4.4.15.3, and 4.5.x ...)
- phpmyadmin 4:4.5.4-1
[squeeze] - phpmyadmin <no-dsa> (minor issue)
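Review bot: This hunk says the squeeze patch was incorrect and probably not functional, yet `{DLA-406-1}` remains attached to the entry and the removed line was the only record of wheezy's status ("squeeze patch backport trivial to wheezy"). The tracker should state what follows from the finding: whether DLA-406-1 needs a regression update for squeeze, and whether wheezy's backport, if it was built from the same squeeze patch, shares the defect, e.g. add `NOTE: wheezy backport needs the same re-check` alongside the new NOTE. Two smaller points: `29b297f` is an abbreviated hash without a URL, unlike the commit link on the same entry, so it should be given as a full `https://github.com/phpmyadmin/phpmyadmin/commit/...` reference; and "probably not functional" would be more useful with a one-clause statement of how that was established (e.g. which engine Random.php failed to find), since the next person will otherwise have to redo the analysis.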