Date:      Tue, 25 Sep 2012 15:36:54 +0100
From:      Matthew Seaman <matthew@freebsd.org>
To:        freebsd-ports@freebsd.org
Subject:   Fwd: [Phpmyadmin-users] phpMyAdmin security alert (PMASA-2012-5)
Message-ID:  <5061C186.8090801@freebsd.org>
In-Reply-To: <5061B556.3060306@infomarc.info>
References:  <5061B556.3060306@infomarc.info>


Dear all,

If you install phpMyAdmin from ports, you shouldn't be vulnerable to the
security problem described in PMASA-2012-5:

   Firstly, the port checks the SHA256 checksum of distributed
   tarballs, which should prevent this sort of tampering.

   Secondly, the distfile the port uses is
       phpMyAdmin-3.5.2.2-all-languages.tar.xz
   not the .zip -- and so far only the .zip is known to have been
   compromised.

However, if you should see distfile checksum warnings when trying to
install phpMyAdmin please do let me know about it, if possible including
which sourceforge mirror you downloaded from and when.  I hope it is
needless to say this, but if the SHA256 checksum doesn't match then
*don't install*.

	Cheers,

	Matthew

-------- Original Message --------
Subject: [Phpmyadmin-users] phpMyAdmin security alert (PMASA-2012-5)
Date: Tue, 25 Sep 2012 09:44:54 -0400
From: Marc Delisle <marc@infomarc.info>
To: phpmyadmin-news@lists.sf.net, phpmyadmin-users@lists.sf.net,
phpmyadmin-devel@lists.sf.net

Hi,
the PMASA-2012-5 security advisory has been published on
http://www.phpmyadmin.net/home_page/security/PMASA-2012-5.php.

In short, a SourceForge.net mirror server was compromised, leading to
the distribution of a doctored phpMyAdmin kit containing a backdoor.

phpMyAdmin-3.5.2.2-all-languages.zip fetched from this mirror server is
known to be affected. To our knowledge only one mirror is affected,
which appears to be taken offline already. All other SourceForge.net
mirrors are unaffected.

phpMyAdmin security team
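
The checksum gate described in the message above, as an added example that is not part of the e-mail or the ports framework's own code: it parses `distinfo`-style `SHA256 (file) = hex` and `SIZE (file) = bytes` lines and refuses any distfile that is unlisted or does not match. The file contents and the resulting hash are constructed stand-ins, not the real tarball or its published checksum.

```python
import hashlib
import re

# distinfo lines look like "SHA256 (name) = hex" and "SIZE (name) = bytes".
_LINE = re.compile(r"^(SHA256|SIZE) \((?P<name>[^)]+)\) = (?P<value>\S+)$")

def parse_distinfo(text):
    """Return {filename: {"SHA256": hex, "SIZE": int}} from distinfo text."""
    entries = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # blank lines, TIMESTAMP lines, anything unrecognised
        entry = entries.setdefault(m.group("name"), {})
        key, value = m.group(1), m.group("value")
        entry[key] = int(value) if key == "SIZE" else value.lower()
    return entries

def verify_distfile(name, data, distinfo):
    """Return (ok, reason). Fails closed: an unlisted file is a failure."""
    expected = distinfo.get(name)
    if not expected or "SHA256" not in expected:
        return False, "no SHA256 recorded for " + name
    if "SIZE" in expected and len(data) != expected["SIZE"]:
        return False, "size mismatch"
    if hashlib.sha256(data).hexdigest() != expected["SHA256"]:
        return False, "SHA256 mismatch"
    return True, "ok"

# Constructed sample data: stand-in bytes, not the real distfile.
NAME = "phpMyAdmin-3.5.2.2-all-languages.tar.xz"
GOOD = b"constructed stand-in for the genuine distfile\n"
# Same length as GOOD, different content: only the hash check catches it.
TAMPERED = GOOD.replace(b"genuine", b"altered")
DISTINFO = parse_distinfo(
    "SHA256 (%s) = %s\nSIZE (%s) = %d\n"
    % (NAME, hashlib.sha256(GOOD).hexdigest(), NAME, len(GOOD))
)

if __name__ == "__main__":
    for label, blob in (("good", GOOD), ("tampered", TAMPERED)):
        print(label, verify_distfile(NAME, blob, DISTINFO))
    # The .zip is not listed in this distinfo, so it is rejected outright.
    zip_name = "phpMyAdmin-3.5.2.2-all-languages.zip"
    print("zip", verify_distfile(zip_name, GOOD, DISTINFO))
```

The check only helps when the expected hash comes from a channel separate from the mirror that served the file, which is the role the port's `distinfo` plays here.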


