Date: Tue, 25 Sep 2012 15:36:54 +0100 From: Matthew Seaman <matthew@freebsd.org> To: freebsd-ports@freebsd.org Subject: Fwd: [Phpmyadmin-users] phpMyAdmin security alert (PMASA-2012-5) Message-ID: <5061C186.8090801@freebsd.org> In-Reply-To: <5061B556.3060306@infomarc.info> References: <5061B556.3060306@infomarc.info>
next in thread | previous in thread | raw e-mail | index | archive | help
Dear all,
If you install phpMyAdmin from ports, you shouldn't be vulnerable to the
security problem described in PMASA-2012-5:
Firstly, the ports checks the SHA256 checksum of distributed
tarballs, which should prevent this sort of tampering.
Secondly, the distfile the port uses is
phpMyAdmin-3.5.2.2-all-languages.tar.xz
not the .zip -- and so far only the .zip is known to have been
compromised.
However, if you should see distfile checksum warnings when trying to
install phpMyAdmin please do let me know about it, if possible including
which sourceforge mirror you downloaded from and when. I hope it is
needless to say this, but if the SHA256 checksum doesn't match then
*don't install*.
Cheers,
Matthew
-------- Original Message --------
Subject: [Phpmyadmin-users] phpMyAdmin security alert (PMASA-2012-5)
Date: Tue, 25 Sep 2012 09:44:54 -0400
From: Marc Delisle <marc@infomarc.info>
To: phpmyadmin-news@lists.sf.net, phpmyadmin-users@lists.sf.net,
phpmyadmin-devel@lists.sf.net
Hi,
the PMASA-2012-5 security advisory has been published on
http://www.phpmyadmin.net/home_page/security/PMASA-2012-5.php.
In short, a SourceForge.net mirror server was compromised, leading to
the distribution of a doctored phpMyAdmin kit containing a backdoor.
phpMyAdmin-3.5.2.2-all-languages.zip fetched from this mirror server is
known to be affected. To our knowledge only one mirror is affected,
which appears to be taken offline already. All other SourceForge.net
mirrors are unaffected.
phpMyAdmin security team
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?5061C186.8090801>