Bug 930993 (CVE-2015-3903) - VUL-1: CVE-2015-3903: phpMyAdmin: Vulnerability allowing man-in-the-middle attack on API call to GitHub (PMASA-2015-3)
Status: RESOLVED FIXED
Alias: CVE-2015-3903
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other openSUSE 13.2
Priority: P4 - Low    Severity: Major
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/116793/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-05-15 08:14 UTC by Andreas Stieger
Modified: 2015-07-06 11:31 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Andreas Stieger 2015-05-15 08:14:23 UTC
http://www.phpmyadmin.net/home_page/security/PMASA-2015-3.php

Announcement-ID: PMASA-2015-3
Date: 2015-05-13
Summary: Vulnerability allowing man-in-the-middle attack on API call to GitHub.
Description

A vulnerability in the API call to GitHub can be exploited to perform a man-in-the-middle attack.

Severity: We consider this vulnerability to be serious.

Affected Versions: Versions 4.0.x (prior to 4.0.10.10), 4.2.x (prior to 4.2.13.3), 4.3.x (prior to 4.3.13.1) and 4.4.x (prior to 4.4.6.1) are affected.
Solution

Upgrade to phpMyAdmin 4.0.10.10 or newer, or 4.2.13.3 or newer, or 4.3.13.1 or newer, or 4.4.6.1 or newer, or apply the patch listed below.
References

Thanks to Maksymilian Arciemowicz of http://cxsecurity.com for reporting this vulnerability.

Assigned CVE ids: CVE-2015-3903

CWE ids: CWE-661 CWE-295
Patches

The following commits have been made to fix this issue:

    5ebc4daf131dd3bd646326267f3e765d0249bbb4

The following commits have been made on the 4.3 branch to fix this issue:

    75499e790429c491840a0ad31d4de84aca215d23

The following commits have been made on the 4.2 branch to fix this issue:

    0e18931d9e4b23053285b6fddf3493ca426ff684

The following commits have been made on the 4.0 branch to fix this issue:

    e97e7fb0ea2dedfaa95c7dbe872027fb4bd4204c


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1221581
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3903
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-3903.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3903


Already fixed in server:php:applications / phpMyAdmin.
Update for 13.1 and 13.2 pending. Eric, if you are interested, you can submit this as a maintenance update; we can assist you, or I can handle the update for the distribution.
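The advisory quoted above classifies the flaw as CWE-295 (improper certificate validation) on an HTTPS call to the GitHub API. The PHP snippet below is an added, generic illustration of that weakness class using libcurl options; it is not phpMyAdmin's code or its fix, and the endpoint constant and all function names are assumptions made for the example. It places an option set that switches off peer and hostname verification (the condition under which an interposed party can present its own certificate and be accepted) beside a hardened set, and adds a small check that a test suite could use to catch verification downgrades.

```php
<?php
// Added illustration of CWE-295 (improper certificate validation) on an
// HTTPS API call. Not phpMyAdmin's code; endpoint and names are assumptions.
declare(strict_types=1);

// GitHub REST API endpoint chosen for the example (assumption, not from the advisory).
const GITHUB_API_URL = 'https://api.github.com/repos/phpmyadmin/phpmyadmin/releases/latest';

/**
 * Weak configuration: chain and hostname verification are both disabled.
 * Any party that can intercept the connection may present an arbitrary
 * certificate and the client will accept it.
 */
function weak_curl_options(): array
{
    return [
        CURLOPT_URL            => GITHUB_API_URL,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_USERAGENT      => 'cwe-295-example',
        CURLOPT_SSL_VERIFYPEER => false, // chain is not validated
        CURLOPT_SSL_VERIFYHOST => 0,     // certificate name is not matched to the host
    ];
}

/**
 * Hardened configuration: the chain must validate against the CA bundle,
 * the certificate must name the host in the URL, and only HTTPS is allowed
 * (including on any redirect).
 */
function hardened_curl_options(): array
{
    return [
        CURLOPT_URL             => GITHUB_API_URL,
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_USERAGENT       => 'cwe-295-example',
        CURLOPT_SSL_VERIFYPEER  => true,
        CURLOPT_SSL_VERIFYHOST  => 2,
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS,
        CURLOPT_FOLLOWLOCATION  => false,
        CURLOPT_TIMEOUT         => 10,
    ];
}

/**
 * Review check: does an option set keep both chain and hostname verification?
 * Absent keys fall back to libcurl's defaults (verification on, host level 2).
 */
function verifies_peer_and_host(array $opts): bool
{
    $peer = $opts[CURLOPT_SSL_VERIFYPEER] ?? true;
    $host = $opts[CURLOPT_SSL_VERIFYHOST] ?? 2;
    return $peer === true && $host === 2;
}

/** Performs the request with the given options; throws on any transport or TLS error. */
function fetch_latest_release(array $opts): array
{
    $ch = curl_init();
    curl_setopt_array($ch, $opts);
    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("request failed: $err");
    }
    curl_close($ch);
    $data = json_decode($body, true, 512, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

// Offline self-check of both option sets (no network access needed).
foreach (['weak' => weak_curl_options(), 'hardened' => hardened_curl_options()] as $name => $opts) {
    printf("%-8s verifies peer and host: %s\n", $name, verifies_peer_and_host($opts) ? 'yes' : 'no');
}

// The real request is only made on explicit request: php example.php --fetch
if (in_array('--fetch', $argv ?? [], true)) {
    $release = fetch_latest_release(hardened_curl_options());
    echo $release['tag_name'] ?? '(no tag_name in response)', PHP_EOL;
}
```

Run without arguments, the script only evaluates the two option sets offline; `--fetch` performs the HTTPS request with the hardened options, so a chain or hostname mismatch surfaces as a thrown exception rather than a silently accepted response. The `verifies_peer_and_host` check is deliberately strict about the exact values libcurl documents as "verify", so a future change that relaxes either option fails the check.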
Comment 1 Swamp Workflow Management 2015-05-15 22:00:27 UTC
bugbot adjusting priority
Comment 2 Andreas Stieger 2015-06-26 14:44:23 UTC
taking for a security maintenance update
Comment 3 Bernhard Wiedemann 2015-06-26 15:00:18 UTC
This is an autogenerated message for OBS integration:
This bug (930993) was mentioned in
https://build.opensuse.org/request/show/313850 13.2+13.1 / phpMyAdmin
Comment 4 Swamp Workflow Management 2015-07-04 10:06:22 UTC
openSUSE-SU-2015:1191-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 920773,930992,930993
CVE References: CVE-2015-2206,CVE-2015-3902,CVE-2015-3903
Sources used:
openSUSE 13.2 (src):    phpMyAdmin-4.2.13.3-11.1
openSUSE 13.1 (src):    phpMyAdmin-4.2.13.3-31.1
Comment 5 Andreas Stieger 2015-07-06 11:31:22 UTC
released