Fwd: [Phpmyadmin-users] phpMyAdmin security alert (PMASA-2012-5)

Matthew Seaman matthew at freebsd.org
Tue Sep 25 14:37:19 UTC 2012


Dear all,

If you install phpMyAdmin from ports, you shouldn't be vulnerable to the
security problem described in PMASA-2012-5:

   Firstly, the port checks the SHA256 checksum of distributed
   tarballs, which should prevent this sort of tampering.

   Secondly, the distfile the port uses is
       phpMyAdmin-3.5.2.2-all-languages.tar.xz
   not the .zip -- and so far only the .zip is known to have been
   compromised.

However, if you should see distfile checksum warnings when trying to
install phpMyAdmin please do let me know about it, if possible including
which sourceforge mirror you downloaded from and when.  I hope it is
needless to say this, but if the SHA256 checksum doesn't match then
*don't install*.

	Cheers,

	Matthew

-------- Original Message --------
Subject: [Phpmyadmin-users] phpMyAdmin security alert (PMASA-2012-5)
Date: Tue, 25 Sep 2012 09:44:54 -0400
From: Marc Delisle <marc at infomarc.info>
To: phpmyadmin-news at lists.sf.net, phpmyadmin-users at lists.sf.net,
phpmyadmin-devel at lists.sf.net

Hi,
the PMASA-2012-5 security advisory has been published on
http://www.phpmyadmin.net/home_page/security/PMASA-2012-5.php.

In short, a SourceForge.net mirror server was compromised, leading to
the distribution of a doctored phpMyAdmin kit containing a backdoor.

phpMyAdmin-3.5.2.2-all-languages.zip fetched from this mirror server is
known to be affected. To our knowledge only one mirror is affected,
which appears to be taken offline already. All other SourceForge.net
mirrors are unaffected.

phpMyAdmin security team
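
Added example, not part of the original message and not the ports framework's own code: a minimal sketch of the distinfo check described above, which accepts a distfile only when its recorded SIZE and SHA256 both match. The file contents and the hash derived from them are constructed stand-ins, and the function names are hypothetical.

```python
import hashlib
import hmac
import re

# distinfo entries look like "SHA256 (name) = hex" and "SIZE (name) = n".
_ENTRY = re.compile(r"^(SHA256|SIZE) \((?P<name>[^)]+)\) = (?P<value>\S+)$")

def parse_distinfo(text):
    """Return {filename: {"SHA256": hex, "SIZE": int}} from distinfo text."""
    entries = {}
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if not m:
            continue  # TIMESTAMP lines, blanks, anything unrecognised
        rec = entries.setdefault(m.group("name"), {})
        key, value = m.group(1), m.group("value")
        rec[key] = int(value) if key == "SIZE" else value.lower()
    return entries

def verify_distfile(name, data, distinfo):
    """Fail closed: True only if size and SHA256 are both recorded and match."""
    rec = distinfo.get(name)
    if not rec or "SHA256" not in rec or "SIZE" not in rec:
        return False  # a file the port never recorded (e.g. the .zip) is rejected
    if len(data) != rec["SIZE"]:
        return False
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, rec["SHA256"])

# Constructed sample data: stand-in bytes, not the real tarball or its real hash.
NAME = "phpMyAdmin-3.5.2.2-all-languages.tar.xz"
GOOD = b"constructed stand-in for the genuine tarball contents\n"
TAMPERED = GOOD + b"unexpected extra bytes\n"
DISTINFO = parse_distinfo(
    f"SHA256 ({NAME}) = {hashlib.sha256(GOOD).hexdigest()}\n"
    f"SIZE ({NAME}) = {len(GOOD)}\n"
)

if __name__ == "__main__":
    for label, blob in (("genuine", GOOD), ("tampered", TAMPERED)):
        ok = verify_distfile(NAME, blob, DISTINFO)
        print(label, "OK" if ok else "MISMATCH, do not install")
```

The check is only as trustworthy as the channel the distinfo file came from: it helps here because the recorded checksum comes from the ports tree rather than from the mirror serving the tarball.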

