{
"Definition": [
{
"ID": "oval:org.altlinux.errata:def:20161527",
"Version": "oval:org.altlinux.errata:def:20161527",
"Class": "patch",
"Metadata": {
"Title": "ALT-PU-2016-1527: package `phpMyAdmin` update to version 4.6.1-alt1",
"AffectedList": [
{
"Family": "unix",
"Platforms": [
"ALT Linux branch c9f2"
],
"Products": [
"ALT SPWorkstation",
"ALT SPServer"
]
}
],
"References": [
{
"RefID": "ALT-PU-2016-1527",
"RefURL": "https://errata.altlinux.org/ALT-PU-2016-1527",
"Source": "ALTPU"
},
{
"RefID": "CVE-2015-2206",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2015-2206",
"Source": "CVE"
},
{
"RefID": "CVE-2015-3902",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2015-3902",
"Source": "CVE"
},
{
"RefID": "CVE-2015-3903",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2015-3903",
"Source": "CVE"
}
],
"Description": "This update upgrades phpMyAdmin to version 4.6.1-alt1. \nSecurity Fix(es):\n\n * CVE-2015-2206: libraries/select_lang.lib.php in phpMyAdmin 4.0.x before 4.0.10.9, 4.2.x before 4.2.13.2, and 4.3.x before 4.3.11.1 includes invalid language values in unknown-language error responses that contain a CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests.\n\n * CVE-2015-3902: Multiple cross-site request forgery (CSRF) vulnerabilities in the setup process in phpMyAdmin 4.0.x before 4.0.10.10, 4.2.x before 4.2.13.3, 4.3.x before 4.3.13.1, and 4.4.x before 4.4.6.1 allow remote attackers to hijack the authentication of administrators for requests that modify the configuration file.\n\n * CVE-2015-3903: libraries/Config.class.php in phpMyAdmin 4.0.x before 4.0.10.10, 4.2.x before 4.2.13.3, 4.3.x before 4.3.13.1, and 4.4.x before 4.4.6.1 disables X.509 certificate verification for GitHub API calls over SSL, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.",
"Advisory": {
"From": "errata.altlinux.org",
"Severity": "Low",
"Rights": "Copyright 2024 BaseALT Ltd.",
"Issued": {
"Date": "2016-05-21"
},
"Updated": {
"Date": "2016-05-21"
},
"BDUs": null,
"CVEs": [
{
"ID": "CVE-2015-2206",
"CVSS": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"CWE": "CWE-200",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2015-2206",
"Impact": "Low",
"Public": "20150309"
},
{
"ID": "CVE-2015-3902",
"CVSS": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"CWE": "CWE-352",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2015-3902",
"Impact": "Low",
"Public": "20150526"
},
{
"ID": "CVE-2015-3903",
"CVSS": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"CWE": "CWE-310",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2015-3903",
"Impact": "Low",
"Public": "20150526"
}
],
"AffectedCPEs": {
"CPEs": [
"cpe:/o:alt:spworkstation:8.4",
"cpe:/o:alt:spserver:8.4"
]
}
}
},
"Criteria": {
"Operator": "AND",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:3001",
"Comment": "ALT Linux must be installed"
}
],
"Criterias": [
{
"Operator": "OR",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:20161527001",
"Comment": "phpMyAdmin is earlier than 0:4.6.1-alt1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20161527002",
"Comment": "phpMyAdmin-apache2 is earlier than 0:4.6.1-alt1"
}
]
}
]
}
}
]
}