Bug 920773 (CVE-2015-2206) - VUL-0: CVE-2015-2206: phpMyAdmin: MASA-2015-1 security update
Summary: VUL-0: CVE-2015-2206: phpMyAdmin: MASA-2015-1 security update
Status: RESOLVED FIXED
Alias: CVE-2015-2206
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other openSUSE 13.2
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: http://www.phpmyadmin.net/home_page/s...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-03-05 06:21 UTC by Marcus Meissner
Modified: 2015-07-06 11:31 UTC (History)
CC List: 2 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Description Marcus Meissner 2015-03-05 06:21:11 UTC
From the package maintainer:

http://www.phpmyadmin.net/home_page/security/PMASA-2015-1.php


PMASA-2015-1

Announcement-ID: PMASA-2015-1

Date: 2015-03-04

Summary

Risk of BREACH attack due to reflected parameter.

Description

With a large number of crafted requests it was possible to infer the CSRF token by a BREACH attack.

Severity

We consider this vulnerability to be non-critical.

Mitigation factor

This vulnerability can only be exploited in the presence of another vulnerability that allows the attacker to inject JavaScript into the victim's browser.

Affected Versions

Versions 4.0.x (prior to 4.0.10.9), 4.2.x (prior to 4.2.13.2) and 4.3.x (prior to 4.3.11.1) are affected.

Solution

Upgrade to phpMyAdmin 4.0.10.9 or newer, or 4.2.13.2 or newer, or 4.3.11.1 or newer, or apply the patch listed below.

References

Thanks to Jian Jiang (https://www.linkedin.com/pub/jian-jiang/3a/660/775) and Xiaofeng Zheng (iliwoy@gmail.com) for reporting this vulnerability.

Assigned CVE ids: CVE-2015-2206

CWE ids: CWE-661 CWE-352

Patches

The following commits have been made to fix this issue:

    b2f1e895038a5700bf8e81fb9a5da36cbdea0eeb

The following commits have been made on the 4.2 branch to fix this issue:

    d0f109dfe3b345094d7ceb49df0dbb68efc032ed

The following commits have been made on the 4.0 branch to fix this issue:

    e1a68ad02c5b1a516b3787ce114ef6a6be004630
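The advisory above describes the BREACH condition in one sentence: a secret (the CSRF token) and a reflected, attacker-influenced parameter share one compressed response body, so the compressed length reveals whether the reflected value matches part of the secret. The following Python is an added illustration and is not phpMyAdmin's code or its fix for PMASA-2015-1. It builds a constructed HTML response with a fixed sample token, provides a regression check a maintainer can run to see whether the compressed size depends on the reflected parameter, and shows the generic countermeasure of per-response token masking (the scheme used by frameworks such as Django and Rails; whether the phpMyAdmin commits listed above use this approach is not stated on the page and is not assumed here). The token value, the HTML template and the helper names are all constructed for the example.

```python
import zlib
import secrets

# Constructed sample secret: 32 hex characters, chosen only so that the
# "right" and "wrong" guesses below share no 3-byte substring with it.
TOKEN = "c4ca4238a0b923820dcc509a6f75849b"


def render(token_field: str, reflected: str) -> bytes:
    """Constructed response body: a hidden CSRF field next to a reflected
    query parameter, the shape of page the advisory warns about."""
    return (
        "<html><body>\n"
        "<form method=\"post\">\n"
        f"<input type=\"hidden\" name=\"token\" value=\"{token_field}\">\n"
        "</form>\n"
        f"<p>Results for: {reflected}</p>\n"
        "</body></html>\n"
    ).encode()


def compressed_size(body: bytes) -> int:
    """Length of the body after DEFLATE, as HTTP content-encoding would apply it."""
    return len(zlib.compress(body))


def size_leak(token_field: str, right_guess: str, wrong_guess: str) -> int:
    """Regression check: bytes saved when the reflected value matches a prefix
    of the secret, compared with a non-matching value of the same length.
    A consistently positive result means compressed length depends on the
    secret, i.e. the page is exposed to BREACH-style inference."""
    return (compressed_size(render(token_field, wrong_guess))
            - compressed_size(render(token_field, right_guess)))


def mask_token(token: str) -> str:
    """Per-response masking: emit hex(pad || token XOR pad) with a fresh random
    pad each time, so the secret bytes never appear verbatim in any response."""
    raw = token.encode()
    pad = secrets.token_bytes(len(raw))
    masked = bytes(a ^ b for a, b in zip(raw, pad))
    return (pad + masked).hex()


def unmask_token(field: str) -> str:
    """Server side: recover the real token from a masked field for comparison."""
    data = bytes.fromhex(field)
    half = len(data) // 2
    pad, masked = data[:half], data[half:]
    return bytes(a ^ b for a, b in zip(masked, pad)).decode()


if __name__ == "__main__":
    right = TOKEN[:16]
    wrong = "7b3e9d1c5a4f6e8b"  # constructed: no 3-byte substring in common with TOKEN
    print("plain token, size difference (bytes):", size_leak(TOKEN, right, wrong))
    masked = mask_token(TOKEN)
    print("masked token, size difference (bytes):", size_leak(masked, right, wrong))
    print("server still verifies masked value:", unmask_token(masked) == TOKEN)
```

Run stand-alone, the first difference is positive by several bytes, because DEFLATE replaces the 16 matching characters with a back-reference; the second hovers around zero and is not systematically positive, because with a fresh pad the reflected prefix no longer occurs anywhere in the body. Masking is the response-side half of the defence; the reflected parameter itself is the other half, and removing or not compressing responses that echo user input closes the channel as well.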
Comment 1 Andreas Stieger 2015-03-05 08:18:23 UTC
Affects openSUSE 13.1 and 13.2.
Does not affect SLE.
Comment 2 Andreas Stieger 2015-03-05 08:24:40 UTC
Submitted to Factory.

Eric, will you be doing a maintenance update for 13.1 and 13.2?
If not, would you like to learn? We can help.

https://en.opensuse.org/openSUSE:Package_maintenance
https://en.opensuse.org/openSUSE:Maintenance_update_process
Comment 3 Andreas Stieger 2015-06-26 14:44:24 UTC
taking for a security maintenance update
Comment 4 Bernhard Wiedemann 2015-06-26 15:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (920773) was mentioned in
https://build.opensuse.org/request/show/313850 13.2+13.1 / phpMyAdmin
Comment 5 Swamp Workflow Management 2015-07-04 10:05:59 UTC
openSUSE-SU-2015:1191-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 920773,930992,930993
CVE References: CVE-2015-2206,CVE-2015-3902,CVE-2015-3903
Sources used:
openSUSE 13.2 (src):    phpMyAdmin-4.2.13.3-11.1
openSUSE 13.1 (src):    phpMyAdmin-4.2.13.3-31.1
Comment 6 Marcus Meissner 2015-07-04 13:41:18 UTC
released
Comment 7 Andreas Stieger 2015-07-06 11:31:23 UTC
released