Fwd: [Phpmyadmin-users] phpMyAdmin security alert (PMASA-2012-5)
Matthew Seaman
matthew at freebsd.org
Tue Sep 25 14:37:19 UTC 2012
Dear all,

If you install phpMyAdmin from ports, you shouldn't be vulnerable to the
security problem described in PMASA-2012-5:

Firstly, the port checks the SHA256 checksum of distributed
tarballs, which should prevent this sort of tampering.

Secondly, the distfile the port uses is
phpMyAdmin-3.5.2.2-all-languages.tar.xz
not the .zip -- and so far only the .zip is known to have been
compromised.

However, if you should see distfile checksum warnings when trying to
install phpMyAdmin please do let me know about it, if possible including
which sourceforge mirror you downloaded from and when. I hope it is
needless to say this, but if the SHA256 checksum doesn't match then
*don't install*.

Cheers,

Matthew

-------- Original Message --------
Subject: [Phpmyadmin-users] phpMyAdmin security alert (PMASA-2012-5)
Date: Tue, 25 Sep 2012 09:44:54 -0400
From: Marc Delisle <marc at infomarc.info>
To: phpmyadmin-news at lists.sf.net, phpmyadmin-users at lists.sf.net,
phpmyadmin-devel at lists.sf.net

Hi,

the PMASA-2012-5 security advisory has been published on
http://www.phpmyadmin.net/home_page/security/PMASA-2012-5.php.

In short, a SourceForge.net mirror server was compromised, leading to
the distribution of a doctored phpMyAdmin kit containing a backdoor.

phpMyAdmin-3.5.2.2-all-languages.zip fetched from this mirror server is
known to be affected. To our knowledge only one mirror is affected,
which appears to be taken offline already. All other SourceForge.net
mirrors are unaffected.

phpMyAdmin security team
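
The distfile check described in the message above, sketched as an added example (not code from the ports tree or from either author): it parses BSD-style `SHA256 (...) = ...` and `SIZE (...) = ...` lines as found in a port's distinfo file and refuses any file that is unlisted or does not match. The archive bytes and the digest derived from them are constructed stand-ins, and the function names are hypothetical.

```python
import hashlib
import hmac
import re

# distinfo-style lines:  SHA256 (name) = <hex>   /   SIZE (name) = <bytes>
LINE_RE = re.compile(r"^(SHA256|SIZE) \((.+)\) = (\S+)$")

def parse_distinfo(text):
    """Return {filename: {"SHA256": hex, "SIZE": int}}; other lines are ignored."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key, name, value = m.groups()
        entries.setdefault(name, {})[key] = (
            int(value) if key == "SIZE" else value.lower())
    return entries

def verify_distfile(name, data, entries):
    """Return (ok, reason). Fails closed: an unlisted file is never accepted."""
    want = entries.get(name)
    if not want or "SHA256" not in want:
        return False, "no SHA256 recorded"
    if "SIZE" in want and len(data) != want["SIZE"]:
        return False, "size mismatch"
    got = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(got, want["SHA256"]):
        return False, "SHA256 mismatch"
    return True, "ok"

# Constructed sample data: stand-in bytes, not the real phpMyAdmin archive.
NAME = "phpMyAdmin-3.5.2.2-all-languages.tar.xz"
GOOD = b"constructed stand-in for the released tarball\n"
# Same length as GOOD, different content: only the digest can catch it.
TAMPERED = GOOD.replace(b"released", b"doctored")
DISTINFO = "SHA256 ({0}) = {1}\nSIZE ({0}) = {2}\n".format(
    NAME, hashlib.sha256(GOOD).hexdigest(), len(GOOD))

if __name__ == "__main__":
    entries = parse_distinfo(DISTINFO)
    print("good    ", verify_distfile(NAME, GOOD, entries))
    print("tampered", verify_distfile(NAME, TAMPERED, entries))
    print("unlisted", verify_distfile(
        "phpMyAdmin-3.5.2.2-all-languages.zip", GOOD, entries))
```

The check only helps when the recorded digest comes from a source other than the mirror that served the file, which is the case for a distinfo file shipped with the ports tree.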