MDVSA-2009:026-1
- Package name: phpMyAdmin
- Date: 2009-02-26
- Advisory ID: MDVSA-2009:026-1
- Affected versions: CS4.0 x86_64, CS4.0 i586
Problem description
Cross-site scripting (XSS) vulnerability in pmd_pdf.php allows
remote attackers to inject arbitrary web script or HTML via the
db script parameter when the PHP register_globals setting is
enabled (CVE-2008-4775).

Cross-site request forgery (CSRF) vulnerability in tbl_structure.php
allows remote attackers to perform SQL injection and execute arbitrary
code via the table script parameter (CVE-2008-5621).

Multiple cross-site request forgery (CSRF) vulnerabilities in phpMyAdmin
allow remote attackers to perform SQL injection via unknown vectors
related to the table script parameter (CVE-2008-5622).

This update provides the fix for these security issues.
Update:
The previous update packages weren't signed; this time they are.
Updated packages
CS4.0 x86_64
097bac4c6546ea1574c0c29bea0bde0f corporate/4.0/x86_64/phpMyAdmin-2.11.9.4-0.2.20060mlcs4.noarch.rpm
b0a1279e3623d5b6d2afef8dc2c69352 corporate/4.0/SRPMS/phpMyAdmin-2.11.9.4-0.2.20060mlcs4.src.rpm
CS4.0 i586
7ea694ed2ea2614175a95caa01f24cb4 corporate/4.0/i586/phpMyAdmin-2.11.9.4-0.2.20060mlcs4.noarch.rpm
b0a1279e3623d5b6d2afef8dc2c69352 corporate/4.0/SRPMS/phpMyAdmin-2.11.9.4-0.2.20060mlcs4.src.rpm
