Bug 908363 (CVE-2014-9218) - VUL-0: CVE-2014-9218: phpMyAdmin: DoS vulnerability with long passwords
Status: RESOLVED FIXED
Alias: CVE-2014-9218
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: All openSUSE 13.2
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Andreas Stieger
QA Contact: Security Team bot
URL: http://www.phpmyadmin.net/home_page/s...
Whiteboard: CVSSv2:NVD:CVE-2014-9218:5.0:(AV:N/A...
Depends on: CVE-2014-8958 CVE-2014-8959 CVE-2014-8960 CVE-2014-8961
Reported: 2014-12-04 12:26 UTC by Andreas Stieger
Modified: 2019-05-01 16:34 UTC

Description Andreas Stieger 2014-12-04 12:26:26 UTC
From http://www.phpmyadmin.net/home_page/security/PMASA-2014-17.php

> Announcement-ID: PMASA-2014-17
> Date: 2014-12-03
> Summary: DoS vulnerability with long passwords.
> Description: With very long passwords it was possible to initiate a denial of service attack on phpMyAdmin.
> Severity: We consider this vulnerability to be serious.
> Mitigation factor: This vulnerability can be mitigated by configuring throttling in the webserver.
> Affected Versions: Versions 4.0.x (prior to 4.0.10.7), 4.1.x (prior to 4.1.14.8) and 4.2.x (prior to 4.2.13.1) are affected.
> Solution: Upgrade to phpMyAdmin 4.0.10.7 or newer, or 4.1.14.8 or newer, or 4.2.13.1 or newer, or apply the patch listed below.
> Assigned CVE ids: CVE-2014-9218
> CWE ids: CWE-661 CWE-400
> Patches: 
> The following commits have been made to fix this issue:
>     1ac863c7573d12012374d5d41e5c7dc5505ea6e1
> The following commits have been made on the 4.1 branch to fix this issue:
>     62b2c918d26cc78d1763945e3d44d1a63294a819
> The following commits have been made on the 4.0 branch to fix this issue:
>     095729d81205f15f40d216d25917017da4c2fff8
Comment 1 Andreas Stieger 2014-12-04 12:34:31 UTC
Submitted to openSUSE:Factory https://build.opensuse.org/request/show/264015
Eric, as you seem to follow this package closely, would you like to look into the maintenance update for 12.3 through 13.2?
Comment 2 Andreas Stieger 2014-12-04 13:43:53 UTC
openSUSE:12.3:Update has 4.1.14.6, 
pending incident openSUSE:Maintenance:3228 to in 4.1.14.7,
fix is in 4.1.14.8

openSUSE:13.1:Update has 4.1.14.6,
pending incident openSUSE:Maintenance:3228 to in 4.1.14.7,
fix is in 4.1.14.8

openSUSE:13.2:Update has 4.2.10.1,
pending incident openSUSE:Maintenance:3228 to 4.2.12,
fix is in 4.2.13.1

Maintenance release request for the previous bug 906485, bug 906486, bug 906487, bug 906488 is https://build.opensuse.org/request/show/262564
Comment 3 Andreas Stieger 2014-12-04 19:25:18 UTC
Please review maintenance request:
https://build.opensuse.org/request/show/264084
Comment 4 Bernhard Wiedemann 2014-12-05 21:00:22 UTC
This is an autogenerated message for OBS integration:
This bug (908363) was mentioned in
https://build.opensuse.org/request/show/264212 13.2+13.1+12.3 / phpMyAdmin
Comment 5 Swamp Workflow Management 2014-12-15 12:05:23 UTC
openSUSE-SU-2014:1636-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 908363,908364
CVE References: CVE-2014-9218,CVE-2014-9219
Sources used:
openSUSE 13.2 (src):    phpMyAdmin-4.2.13.1-8.1
openSUSE 13.1 (src):    phpMyAdmin-4.1.14.8-28.1
openSUSE 12.3 (src):    phpMyAdmin-4.1.14.8-1.38.1
Comment 6 Johannes Segitz 2015-02-24 13:15:03 UTC
all updates released