-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1122
                        phpmyadmin security update
                               10 July 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           phpmyadmin
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account            
                   Cross-site Scripting            -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-1879 CVE-2013-5003 CVE-2013-5002
                   CVE-2013-4996 CVE-2013-4995 

Reference:         ESB-2014.0202

Original Bulletin: 
   http://www.debian.org/security/2014/dsa-2975

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-2975-1                   security@debian.org
http://www.debian.org/security/                           Thijs Kinkhorst               
July 09, 2014                          http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : phpmyadmin
CVE ID         : CVE-2013-4995 CVE-2013-4996 CVE-2013-5002 CVE-2013-5003 
                 CVE-2014-1879

Several vulnerabilities have been discovered in phpMyAdmin, a tool to
administer MySQL over the web. The Common Vulnerabilities and Exposures
project identifies the following problems:

CVE-2013-4995

    Authenticatd users could inject arbitrary web script or HTML
    via a crafted SQL query.

CVE-2013-4996

    Cross site scripting was possible via a crafted logo URL in
    the navigation panel or a crafted entry in the Trusted Proxy list.

CVE-2013-5002

    Authenticated users could inject arbitrary web script or HTML
    via a crafted pageNumber value in Schema Export.

CVE-2013-5003

    Authenticated users could execute arbitrary SQL commands as
    the phpMyAdmin 'control user' via the scale parameter PMD PDF
    export and the pdf_page_number parameter in Schema Export.

CVE-2014-1879

    Authenticated users could inject arbitrary web script or HTML
    via a crafted file name in the Import function.

For the stable distribution (wheezy), these problems have been fixed in
version 4:3.4.11.1-2+deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 4:4.2.5-1.

We recommend that you upgrade your phpmyadmin packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBAgAGBQJTvY2OAAoJEFb2GnlAHawERZwH+wbqvBCPR5awNqCCyEVhMITw
wtHO9fEK19jIZ1TklgQ0Iv6AIFocwfOrt/xqfJa3hKsisp1GdQFkLL/zWzYnkHN4
gC1oQ6mhrPGnJTVqCK1eyeUTrRB23RHQGIKuebWqk5NvjyuusJoUx2VwgtU712r4
VbIuggURhtpFXWjdNUCy/iK3PkE0yv58OQrr9OmN0rMYfet3fSVKijFBrcIurGBe
3a/rAXjV/sQ+4+75XkcOWBQODo6BzcyZ5mvkpdtPvHsGuqyyNHb36RdpAyrFg93H
i3TwYO9QDyJXftuyIIK0X1YLK5hg64lmasOy3EmkTtsXZcW2PTfk38B3qDCU66Q=
=QrRu
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBU73QphLndAQH1ShLAQIDHA//cgN5cYtNuvSsNlKGRjm4OIBmv6MOOKCf
GkmuKO9+iZmSZmRnoUVIJ9xqHOVDG4tOrfC+Xa5ENSG0QTgDUVqbHxiFpFWMnwhr
5Lvv3OXf225do4fIwEg0HwB68E+0cA3s++L97ihd6OCxlV21Ak6yZZCOs4h20xr3
JZCgt+b6Gxtm/WDtp5zEXMWN82VsSt5j7iS9VpMaJ/EtcFtI1/UIl18skIFCfZNr
0nfd2tSKUL2z2wv1DBsippbYqEM4RmGxyyHa2u+2brep2PdL1mD2nMSUO5zQ4Rrl
8WjNcrT6XTnHJTiUnOAHKq/e+7YKpdoFrizJEzRvRHjBNnRApphbXvSNbRFpGOT7
9w768gEKaoL7+ex4301PhCRPfUX+GWTAlL5PHb0+aWBkjhRv+rMLRZQBHIKL2puQ
L8p8XI29eAfEH0RZ6Cn6DzkBd7Ua4HhaAOJjjnduCBbrfimye2UWs9u7B8x5xogP
4++2eDFyeoI5blPLNWD8qOBRCfI7QW5nQ/v1rH6g0AVAMGeA/086anz3kN2aKnnE
QzGrEQBVqGAB9JcAzEY0yqoJqJec+7sHIwB/URX3t8lutphbex760Y7YdgmJWOGa
i5MMvwAF6ZFYQbRgLhKw7FgB/7N8JAOAQOtAwLCM5/nCEjBU6j9qamZ6EXT7p2II
IH17gnTHdU0=
=hAZP
-----END PGP SIGNATURE-----