Date: Tue, 1 Mar 2016 07:30:20 +0000 (UTC)
From: Matthew Seaman <matthew@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r409851 - head/security/vuxml
Message-ID: <201603010730.u217UKOL077597@repo.freebsd.org>
Author: matthew Date: Tue Mar 1 07:30:20 2016 New Revision: 409851 URL: https://svnweb.freebsd.org/changeset/ports/409851 Log: Document the latest round of phpMyAdmin vulnerabilities. Lots of XSS problems, and a man-in-the-middle attack on API calls to GitHub. Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Tue Mar 1 06:40:57 2016 (r409850) +++ head/security/vuxml/vuln.xml Tue Mar 1 07:30:20 2016 (r409851) 
@@ -58,6 +58,73 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="f682a506-df7c-11e5-81e4-6805ca0b3d42"> + <topic>phpmyadmin -- multiple XSS and a man-in-the-middle vulnerability</topic> + <affects> + <package> + <name>phpmyadmin</name> + <range><ge>4.5.0</ge><lt>4.5.5.1</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The phpMyAdmin development team reports:</p> + <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-10/"> + <p>XSS vulnerability in SQL parser.</p> + <p>Using a crafted SQL query, it is possible to trigger an XSS + attack through the SQL query page.</p> + <p>We consider this vulnerability to be non-critical.</p> + </blockquote> + <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-11/"> + <p>Multiple XSS vulnerabilities.</p> + <p>By sending a specially crafted URL as part of the HOST + header, it is possible to trigger an XSS attack.</p> + <p>A weakness was found that allows an XSS attack with Internet + Explorer versions older than 8 and Safari on Windows using a + specially crafted URL.</p> + <p>Using a crafted SQL query, it is possible to trigger an XSS + attack through the SQL query page.</p> + <p>Using a crafted parameter value, it is possible to trigger + an XSS attack in user accounts page.</p> + <p>Using a crafted parameter value, it is possible to trigger + an XSS attack in zoom search page.</p> + <p>We consider this vulnerability to be non-critical.</p> + </blockquote> + <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-12/"> + <p>Multiple XSS vulnerabilities.</p> + <p>With a crafted table/column name it is possible to trigger + an XSS attack in the database normalization page.</p> + <p>With a crafted parameter it is possible to trigger an XSS + attack in the database structure page.</p> + <p>With a crafted parameter it is possible to trigger an XSS + 
attack in central columns page.</p> + <p>We consider this vulnerability to be non-critical.</p> + </blockquote> + <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-13/"> + <p>Vulnerability allowing man-in-the-middle attack on API + call to GitHub.</p> + <p>A vulnerability in the API call to GitHub can be exploited + to perform a man-in-the-middle attack.</p> + <p>We consider this vulnerability to be serious.</p> + </blockquote> + </body> + </description> + <references> + <url>https://www.phpmyadmin.net/security/PMASA-2016-10/</url> + <url>https://www.phpmyadmin.net/security/PMASA-2016-11/</url> + <url>https://www.phpmyadmin.net/security/PMASA-2016-12/</url> + <url>https://www.phpmyadmin.net/security/PMASA-2016-13/</url> + <cvename>CVE-2016-2559</cvename> + <cvename>CVE-2016-2560</cvename> + <cvename>CVE-2016-2561</cvename> + <cvename>CVE-2016-2562</cvename> + </references> + <dates> + <discovery>2016-02-29</discovery> + <entry>2016-03-01</entry> + </dates> + </vuln> + <vuln vid="45117749-df55-11e5-b2bd-002590263bf5"> <topic>wireshark -- multiple vulnerabilities</topic> <affects>
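Review bot: The single `<range><ge>4.5.0</ge><lt>4.5.5.1</lt></range>` in the `<affects>` block applies one affected-version window to all four advisories (PMASA-2016-10 through PMASA-2016-13), but the quoted text carries no per-advisory version information, so please confirm against the cited advisory pages that none of them also covers an earlier branch; if the affected ranges differ, either add a second `<range>` element or split the GitHub API man-in-the-middle issue (rated "serious" in the quote, unlike the "non-critical" XSS items) into its own `<vuln>` entry so that `pkg audit` reports it with the correct range. Minor: the PMASA-2016-11 blockquote repeats the PMASA-2016-10 sentence "Using a crafted SQL query, it is possible to trigger an XSS attack through the SQL query page." verbatim; worth double-checking that this line is really part of the second advisory rather than a copy-and-paste leftover. The `<discovery>` date 2016-02-29 is valid (2016 is a leap year), and each `<blockquote>` carries a `cite` URL matching the `<references>` list, which is good.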