Bugzilla – Bug 945420
VUL-1: CVE-2015-6830 phpMyAdmin: Bypassing the reCaptcha test
Last modified: 2015-10-05 09:09:28 UTC
https://www.phpmyadmin.net/security/PMASA-2015-4/

Announcement-ID: PMASA-2015-4
Date: 2015-09-08

Summary
Vulnerability that allows bypassing the reCaptcha test

Description
This vulnerability allows completing the reCaptcha test and subsequently performing a brute force attack to guess user credentials without having to complete further reCaptcha tests.

Severity
We consider this vulnerability to be non-critical since reCaptcha is an additional opt-in security measure.

Mitigation factor
This vulnerability only affects installations with the reCaptcha test enabled.

Affected Versions
Versions 4.3.x (prior to 4.3.13.2) and 4.4.x (prior to 4.4.14.1) are affected.

Solution
Upgrade to phpMyAdmin 4.3.13.2 or newer, or 4.4.14.1 or newer, or apply the patch listed below.

References
Assigned CVE ids: CVE-2015-6830
CWE ids: CWE-661 CWE-307

Patches
The following commits have been made on the 4.3 branch to fix this issue:
0314e67900f01410bc8c81c58a40dc0515e3c91d
The following commits have been made on the 4.4 branch to fix this issue:
785f4e2711848eb8945894199d5870253a88584e

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1261813
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-6830
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-6830.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6830
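As an added illustration of the bug class the advisory describes (a captcha result that is not required again on every login attempt, CWE-307), here is a constructed Python model; it is not phpMyAdmin's code, shows one plausible shape of such a defect rather than the actual patched logic, and the credential store, token set and login functions are assumptions:

```python
# Added example, not phpMyAdmin's code: a model of the bug class behind
# PMASA-2015-4 (CWE-307). USERS, the token set and both login functions are constructed.

USERS = {"root": "correct-horse"}          # constructed credential store
VALID_CAPTCHA_TOKENS = set()               # responses the simulated captcha service accepts


def captcha_verifies(token):
    """Stand-in for the reCaptcha verification call; each response is single-use."""
    if token in VALID_CAPTCHA_TOKENS:
        VALID_CAPTCHA_TOKENS.discard(token)
        return True
    return False


def login_flawed(session, username, password, captcha_token=None):
    """Flawed flow: one solved captcha sets a session flag that is never cleared,
    so every later credential guess in that session skips the captcha."""
    if not session.get("captcha_passed"):
        if not captcha_verifies(captcha_token):
            return "captcha_required"
        session["captcha_passed"] = True   # persists across failed logins: the defect
    if USERS.get(username) == password:
        return "ok"
    return "bad_credentials"


def login_fixed(session, username, password, captcha_token=None):
    """Fixed flow: every attempt must carry a fresh captcha response; no captcha
    state survives a failed attempt, so guessing stays gated by the captcha."""
    if not captcha_verifies(captcha_token):
        return "captcha_required"
    if USERS.get(username) == password:
        session["authenticated"] = True
        return "ok"
    return "bad_credentials"


def guesses_reaching_password_check(login, session):
    """Check the control: of three wrong guesses where only the first carries a
    captcha response, how many reach the password comparison at all?"""
    VALID_CAPTCHA_TOKENS.add("solved-once")
    results = [
        login(session, "root", "guess1", captcha_token="solved-once"),
        login(session, "root", "guess2"),
        login(session, "root", "guess3"),
    ]
    return sum(1 for r in results if r == "bad_credentials")
```

With the flawed flow all three guesses reach the password check; with the fixed flow only the attempt that carries a captcha response does.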
openSUSE:Factory 4.4.14 affected
openSUSE:Leap:42.1 4.4.14 affected
server:php:applications 4.4.14 affected
no previous release affected
(In reply to Andreas Stieger from comment #1)
> no previous release affected

Checked again, the relevant part of the patch applies to the 4.2.13.3 release in openSUSE 13.1 and 13.2, except for changelog and tests. reCaptcha is a feature in that branch:
https://github.com/phpmyadmin/phpmyadmin/commits/RELEASE_4_2_13_3/libraries/plugins/auth/AuthenticationCookie.class.php
I would say that updates to 13.1 and 13.2 are required, or 4.4.14.1 while we are at it to stay on a maintained version.
I think we should update 13.1 and 13.2 because phpmyadmin 4.2 is outdated. This bug is assigned to me. But what should I do? I have no rights to make an update to 13.1 and 13.2. Or can I do this? How?
(In reply to Eric Schirra from comment #3)
> I think we should update 13.1 and 13.2 because phpmyadmin 4.2 is outdated.

This is okay for me.

> This bug is assigned me. But what should i do?
> I have no rights to make an update to 13.1 and 13.2.
> Or can i do this? How?

Instructions are here: https://en.opensuse.org/openSUSE:Package_maintenance

When done with the submission, assign the bug back to the security team and we will review/handle the update for 13.1/13.2. Feel free to set this bug to needinfo security if there are any problems.
Okay. I have made a request for version 4.4.15 from server:php:applications.
This is an autogenerated message for OBS integration:
This bug (945420) was mentioned in
https://build.opensuse.org/request/show/332732 13.1 / phpMyAdmin
https://build.opensuse.org/request/show/332734 13.2 / phpMyAdmin
accepted
openSUSE-SU-2015:1674-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 945420
CVE References: CVE-2015-6830
Sources used:
openSUSE 13.2 (src): phpMyAdmin-4.4.15-14.1
openSUSE 13.1 (src): phpMyAdmin-4.4.15-34.1