Debian Bug report logs -
#930017
phpmyadmin: CVE-2019-12616: PMASA-2019-4
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, team@security.debian.org, Thijs Kinkhorst <thijs@debian.org>
:
Bug#930017
; Package src:phpmyadmin
.
(Wed, 05 Jun 2019 09:30:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>
:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team@security.debian.org, Thijs Kinkhorst <thijs@debian.org>
.
(Wed, 05 Jun 2019 09:30:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: phpmyadmin
Version: 4:4.6.6-4
Severity: grave
Tags: security upstream
Justification: user security hole
Control: found -1 4:4.6.6-5
Hi,
The following vulnerability was published for phpmyadmin.
CVE-2019-12616[0]:
| An issue was discovered in phpMyAdmin before 4.9.0. A vulnerability
| was found that allows an attacker to trigger a CSRF attack against a
| phpMyAdmin user. The attacker can trick the user, for instance through
| a broken <img> tag pointing at the victim's phpMyAdmin database,
| and the attacker can potentially deliver a payload (such as a specific
| INSERT or DELETE statement) to the victim.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-12616
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12616
[1] https://www.phpmyadmin.net/security/PMASA-2019-4/
Regards,
Salvatore
Marked as found in versions phpmyadmin/4:4.6.6-5.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to submit@bugs.debian.org
.
(Wed, 05 Jun 2019 09:30:05 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Thijs Kinkhorst <thijs@debian.org>
:
Bug#930017
; Package src:phpmyadmin
.
(Wed, 05 Jun 2019 22:39:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Matthias Blümel <blaimi@blaimi.de>
:
Extra info received and forwarded to list. Copy sent to Thijs Kinkhorst <thijs@debian.org>
.
(Wed, 05 Jun 2019 22:39:03 GMT) (full text, mbox, link).
Message #12 received at 930017@bugs.debian.org (full text, mbox, reply):
I updated the merge-request
https://salsa.debian.org/phpmyadmin-team/phpmyadmin/merge_requests/6
with patches for stretch of the two new PMASA-2019-{3,4}
I also updated
https://salsa.debian.org/phpmyadmin-team/phpmyadmin/merge_requests/5
for jessie and PMASA-2019-4 (CVE-2019-12616)
PMASA-2019-3 (CVE-2019-11768) does not affect jessie. This bug came
with
https://github.com/phpmyadmin/phpmyadmin/commit/e04f56a04f506c1a0a884c81c209ae2ffbf80baf
in PhpMyAdmin 4.3.0alpha1
PMASA-2019-3 (CVE-2019-11768) does not yet have a debian-bug. how
should this be done? by the security-team via the security-tracker? can
I do this? how do i reference all the stuff?
BTW: Why is jessie mentioned in the security-tracker of this CVE but
not in this bug?
Changed Bug title to 'phpmyadmin: PMASA-2019-4/' from 'phpmyadmin: CVE-2019-12616'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Thu, 06 Jun 2019 07:21:02 GMT) (full text, mbox, link).
Changed Bug title to 'phpmyadmin: PMASA-2019-4: CVE-2019-12616' from 'phpmyadmin: PMASA-2019-4/'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Thu, 06 Jun 2019 07:21:04 GMT) (full text, mbox, link).
Changed Bug title to 'phpmyadmin: CVE-2019-12616: PMASA-2019-4' from 'phpmyadmin: PMASA-2019-4: CVE-2019-12616'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Thu, 06 Jun 2019 07:33:07 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:56:17 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.