Security update for phpMyAdmin SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2015:1191-1 Final 1 1 2015-06-26T17:44:43Z current 2015-06-26T17:44:43Z 2015-06-26T17:44:43Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for phpMyAdmin phpMyAdmin was updated to 4.2.13.3 to fix three security issues. The following vulnerabilities were fixed: * CVE-2015-3902: CSRF vulnerability in setup (PMASA-2015-2, boo#930992) * CVE-2015-3903: Vulnerability allowing man-in-the-middle attack (PMASA-2015-3, boo#930993) * CVE-2015-2206: Risk of BREACH attack (PMASA-2015-1, boo#920773) Also contains all upstream bug fixes in the 4.2.13 branch. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2015-07/msg00008.html E-Mail link for openSUSE-SU-2015:1191-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings phpMyAdmin-4.2.13.3-31.1 libraries/select_lang.lib.php in phpMyAdmin 4.0.x before 4.0.10.9, 4.2.x before 4.2.13.2, and 4.3.x before 4.3.11.1 includes invalid language values in unknown-language error responses that contain a CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests. CVE-2015-2206 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2015-07/msg00008.html https://www.suse.com/security/cve/CVE-2015-2206.html CVE-2015-2206 https://bugzilla.suse.com/920773 SUSE Bug 920773 Multiple cross-site request forgery (CSRF) vulnerabilities in the setup process in phpMyAdmin 4.0.x before 4.0.10.10, 4.2.x before 4.2.13.3, 4.3.x before 4.3.13.1, and 4.4.x before 4.4.6.1 allow remote attackers to hijack the authentication of administrators for requests that modify the configuration file. CVE-2015-3902 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2015-07/msg00008.html https://www.suse.com/security/cve/CVE-2015-3902.html CVE-2015-3902 https://bugzilla.suse.com/930992 SUSE Bug 930992 libraries/Config.class.php in phpMyAdmin 4.0.x before 4.0.10.10, 4.2.x before 4.2.13.3, 4.3.x before 4.3.13.1, and 4.4.x before 4.4.6.1 disables X.509 certificate verification for GitHub API calls over SSL, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. CVE-2015-3903 moderate Please Install the update. https://lists.opensuse.org/opensuse-updates/2015-07/msg00008.html https://www.suse.com/security/cve/CVE-2015-3903.html CVE-2015-3903 https://bugzilla.suse.com/930993 SUSE Bug 930993