Date: Tue, 25 Sep 2012 15:36:54 +0100
From: Matthew Seaman <matthew@freebsd.org>
To: freebsd-ports@freebsd.org
Subject: Fwd: [Phpmyadmin-users] phpMyAdmin security alert (PMASA-2012-5)
Message-ID: <5061C186.8090801@freebsd.org>
In-Reply-To: <5061B556.3060306@infomarc.info>
References: <5061B556.3060306@infomarc.info>

Dear all,

If you install phpMyAdmin from ports, you shouldn't be vulnerable to the
security problem described in PMASA-2012-5:

Firstly, the port checks the SHA256 checksum of distributed tarballs,
which should prevent this sort of tampering.

Secondly, the distfile the port uses is
phpMyAdmin-3.5.2.2-all-languages.tar.xz not the .zip -- and so far only
the .zip is known to have been compromised.

However, if you should see distfile checksum warnings when trying to
install phpMyAdmin please do let me know about it, if possible including
which sourceforge mirror you downloaded from and when.

I hope it is needless to say this, but if the SHA256 checksum doesn't
match then *don't install*.

Cheers,

Matthew

-------- Original Message --------
Subject: [Phpmyadmin-users] phpMyAdmin security alert (PMASA-2012-5)
Date: Tue, 25 Sep 2012 09:44:54 -0400
From: Marc Delisle <marc@infomarc.info>
To: phpmyadmin-news@lists.sf.net, phpmyadmin-users@lists.sf.net, phpmyadmin-devel@lists.sf.net

Hi,

the PMASA-2012-5 security advisory has been published on
http://www.phpmyadmin.net/home_page/security/PMASA-2012-5.php.

In short, a SourceForge.net mirror server was compromised, leading to
the distribution of a doctored phpMyAdmin kit containing a backdoor.
phpMyAdmin-3.5.2.2-all-languages.zip fetched from this mirror server is
known to be affected.

To our knowledge only one mirror is affected, which appears to be taken
offline already. All other SourceForge.net mirrors are unaffected.

phpMyAdmin security team
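
The checksum check the first message relies on, shown as an sh example added here; it is not part of either message and not the ports framework's own code. It assumes distinfo lines of the form "SHA256 (name) = hex" and "SIZE (name) = bytes"; the function names are hypothetical and the sample files are constructed stand-ins, not the real tarballs.

```shell
#!/bin/sh
# Added example: check a distfile against a ports-style distinfo file.
# Assumed line format: "SHA256 (name) = hex" and "SIZE (name) = bytes".

sha256_of() {   # print the hex SHA256 of file $1 with whichever tool exists
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        sha256 -q "$1"                      # FreeBSD base system
    fi
}

distinfo_field() {   # $1 = SHA256|SIZE, $2 = file name, $3 = distinfo path
    awk -v key="$1" -v name="($2)" \
        '$1 == key && $2 == name && $3 == "=" { print $4; exit }' "$3"
}

# verify_distfile DISTINFO FILE -> 0 match, 1 mismatch, 2 unlisted/unreadable
verify_distfile() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    name=${2##*/}
    want_sum=$(distinfo_field SHA256 "$name" "$1")
    want_size=$(distinfo_field SIZE "$name" "$1")
    # Fail closed: a file with no recorded checksum is never "verified".
    [ -n "$want_sum" ] && [ -n "$want_size" ] || return 2
    [ "$(wc -c < "$2" | tr -d ' ')" = "$want_size" ] || return 1
    [ "$(sha256_of "$2")" = "$want_sum" ] || return 1
}

demo() {   # constructed sample files; prints the three return codes
    d=$(mktemp -d) || return 3
    n=phpMyAdmin-3.5.2.2-all-languages
    printf 'constructed sample, not the real tarball\n' > "$d/$n.tar.xz"
    printf 'SHA256 (%s) = %s\nSIZE (%s) = %s\n' "$n.tar.xz" \
        "$(sha256_of "$d/$n.tar.xz")" "$n.tar.xz" \
        "$(wc -c < "$d/$n.tar.xz" | tr -d ' ')" > "$d/distinfo"
    good=0; verify_distfile "$d/distinfo" "$d/$n.tar.xz" || good=$?
    # Same length, one byte changed: SIZE still matches, SHA256 does not.
    printf 'Constructed sample, not the real tarball\n' > "$d/$n.tar.xz"
    bad=0; verify_distfile "$d/distinfo" "$d/$n.tar.xz" || bad=$?
    cp "$d/$n.tar.xz" "$d/$n.zip"          # a file the distinfo never listed
    unlisted=0; verify_distfile "$d/distinfo" "$d/$n.zip" || unlisted=$?
    rm -rf "$d"
    echo "$good $bad $unlisted"
}

demo
```

The checksum only helps when the distinfo file arrives over a different channel than the distfile, as it does with the ports tree and a download mirror.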