svn commit: r450906 - head/security/vuxml
Ryan Steinmetz
zi at FreeBSD.org
Fri Sep 29 15:51:12 UTC 2017
Author: zi
Date: Fri Sep 29 15:51:08 2017
New Revision: 450906
URL: https://svnweb.freebsd.org/changeset/ports/450906
Log:
- Condense entries whose description is >5000 characters
Approved by: ports-secteam (with hat)
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Fri Sep 29 15:31:32 2017 (r450905)
+++ head/security/vuxml/vuln.xml Fri Sep 29 15:51:08 2017 (r450906)
@@ -2622,176 +2622,7 @@ Notes:
<body xmlns="http://www.w3.org/1999/xhtml">
<p>The Webkit gtk team reports:</p>
<blockquote cite="https://webkitgtk.org/security/WSA-2017-0006.html">
- <p>CVE-2017-7006: Versions affected: WebKitGTK+ before 2.16.2.<br/>
- Credit to David Kohlbrenner of UC San Diego, an anonymous
- researcher.<br/>
- Impact: A malicious website may exfiltrate data cross-origin.
- Description: Processing maliciously crafted web content may
- allow cross-origin data to be exfiltrated by using SVG filters
- to conduct a timing side-channel attack. This issue was addressed by not painting the cross-origin buffer into the frame that gets filtered.</p>
-
- <p>CVE-2017-7011: Versions affected: WebKitGTK+ before 2.16.3.<br/>
- Credit to xisigr of Tencent’s Xuanwu Lab (tencent.com).<br/>
- Impact: Visiting a malicious website may lead to address bar
- spoofing. Description: A state management issue was addressed
- with improved frame handling.</p>
-
- <p>CVE-2017-7012: Versions affected: WebKitGTK+ before 2.16.2.<br/>
- Credit to Apple.<br/>
- Impact: Processing maliciously crafted web content may lead to
- arbitrary code execution. Description: Multiple memory
- corruption issues were addressed with improved memory
- handling.</p>
-
- <p>CVE-2017-7018: Versions affected: WebKitGTK+ before 2.16.6.<br/>
- Credit to lokihardt of Google Project Zero.<br/>
- Impact: Processing maliciously crafted web content may lead to
- arbitrary code execution. Description: Multiple memory
- corruption issues were addressed with improved memory
- handling.</p>
-
- <p>CVE-2017-7019: Versions affected: WebKitGTK+ before 2.16.2.<br/>
- Credit to Zhiyang Zeng of Tencent Security Platform Department.<br/>
- Impact: Processing maliciously crafted web content may lead
- to arbitrary code execution. Description: Multiple memory
- corruption issues were addressed with improved memory
- handling.</p>
-
- <p>CVE-2017-7020: Versions affected: WebKitGTK+ before 2.16.1.<br/>
- Credit to likemeng of Baidu Security Lab.<br/>
- Impact: Processing maliciously crafted web content may lead
- to arbitrary code execution. Description: Multiple memory
- corruption issues were addressed with improved memory
- handling.</p>
-
- <p>CVE-2017-7030: Versions affected: WebKitGTK+ before 2.16.6.<br/>
- Credit to chenqin of Ant-financial Light-Year Security Lab
- (蚂蚁金服巴斯光年安全实验室).<br/>
- Impact: Processing maliciously crafted web content may lead
- to arbitrary code execution. Description: Multiple memory
- corruption issues were addressed with improved memory
- handling.</p>
-
- <p>CVE-2017-7034: Versions affected: WebKitGTK+ before 2.16.6.<br/>
- Credit to chenqin of Ant-financial Light-Year Security Lab
- (蚂蚁金服巴斯光年安全实验室).<br/>
- Impact: Processing maliciously crafted web content may lead
- to arbitrary code execution. Description: Multiple memory
- corruption issues were addressed with improved memory
- handling.</p>
-
- <p>CVE-2017-7037: Versions affected: WebKitGTK+ before 2.16.6.<br/>
- Credit to lokihardt of Google Project Zero.<br/>
- Impact: Processing maliciously crafted web content may lead
- to arbitrary code execution. Description: Multiple memory
- corruption issues were addressed with improved memory
- handling.</p>
-
- <p>CVE-2017-7038: Versions affected: WebKitGTK+ before 2.16.2.<br/>
- Credit to Neil Jenkins of FastMail Pty Ltd, Egor Karbutov
- (@ShikariSenpai) of Digital Security and Egor Saltykov
- (@ansjdnakjdnajkd) of Digital Security.<br/>
- Impact: Processing maliciously crafted web content with
- DOMParser may lead to cross site scripting. Description:
- A logic issue existed in the handling of DOMParser. This
- issue was addressed with improved state management.</p>
-
- <p>CVE-2017-7039: Versions affected: WebKitGTK+ before 2.16.6.<br/>
- Credit to Ivan Fratric of Google Project Zero.<br/>
- Impact: Processing maliciously crafted web content may lead
- to arbitrary code execution. Description: Multiple memory
- corruption issues were addressed with improved memory
- handling.</p>
-
- <p>CVE-2017-7040: Versions affected: WebKitGTK+ before 2.16.3.<br/>
- Credit to Ivan Fratric of Google Project Zero.<br/>
- Impact: Processing maliciously crafted web content may lead
- to arbitrary code execution. Description: Multiple memory
- corruption issues were addressed with improved memory
- handling.</p>
-
- <p>CVE-2017-7041: Versions affected: WebKitGTK+ before 2.16.2.<br/>
- Credit to Ivan Fratric of Google Project Zero.<br/>
- Impact: Processing maliciously crafted web content may lead
- to arbitrary code execution. Description: Multiple memory
- corruption issues were addressed with improved memory
- handling.</p>
-
- <p>CVE-2017-7042: Versions affected: WebKitGTK+ before 2.16.2.<br/>
- Credit to Ivan Fratric of Google Project Zero.<br/>
- Impact: Processing maliciously crafted web content may lead
- to arbitrary code execution. Description: Multiple memory
- corruption issues were addressed with improved memory
- handling.</p>
-
- <p>CVE-2017-7043: Versions affected: WebKitGTK+ before 2.16.2.<br/>
- Credit to Ivan Fratric of Google Project Zero.<br/>
- Impact: Processing maliciously crafted web content may lead
- to arbitrary code execution. Description: Multiple memory
- corruption issues were addressed with improved memory
- handling.</p>
-
- <p>CVE-2017-7046: Versions affected: WebKitGTK+ before 2.16.6.<br/>
- Credit to Ivan Fratric of Google Project Zero.<br/>
- Impact: Processing maliciously crafted web content may lead
- to arbitrary code execution. Description: Multiple memory
- corruption issues were addressed with improved memory
- handling.</p>
-
- <p>CVE-2017-7048: Versions affected: WebKitGTK+ before 2.16.6.<br/>
- Credit to Ivan Fratric of Google Project Zero.<br/>
- Impact: Processing maliciously crafted web content may lead
- to arbitrary code execution. Description: Multiple memory
- corruption issues were addressed with improved memory
- handling.</p>
-
- <p>CVE-2017-7049: Versions affected: WebKitGTK+ before 2.16.2.<br/>
- Credit to Ivan Fratric of Google Project Zero.<br/>
- Impact: Processing maliciously crafted web content may lead
- to arbitrary code execution. Description: Multiple memory
- corruption issues were addressed through improved memory
- handling.</p>
-
- <p>CVE-2017-7052: Versions affected: WebKitGTK+ before 2.16.4.<br/>
- Credit to cc working with Trend Micro’s Zero Day Initiative.<br/>
- Impact: Processing maliciously crafted web content may lead
- to arbitrary code execution. Description: Multiple memory
- corruption issues were addressed with improved memory
- handling.</p>
-
- <p>CVE-2017-7055: Versions affected: WebKitGTK+ before 2.16.6.<br/>
- Credit to The UK’s National Cyber Security Centre (NCSC).<br/>
- Impact: Processing maliciously crafted web content may lead
- to arbitrary code execution. Description: Multiple memory
- corruption issues were addressed with improved memory
- handling.</p>
-
- <p>CVE-2017-7056: Versions affected: WebKitGTK+ before 2.16.6.<br/>
- Credit to lokihardt of Google Project Zero.<br/>
- Impact: Processing maliciously crafted web content may lead
- to arbitrary code execution. Description: Multiple memory
- corruption issues were addressed with improved memory
- handling.</p>
-
- <p>CVE-2017-7059: Versions affected: WebKitGTK+ before 2.16.3.<br/>
- Credit to an anonymous researcher.<br/>
- Impact: Processing maliciously crafted web content with
- DOMParser may lead to cross site scripting. Description:
- A logic issue existed in the handling of DOMParser. This
- issue was addressed with improved state management.</p>
-
- <p>CVE-2017-7061: Versions affected: WebKitGTK+ before 2.16.6.<br/>
- Credit to lokihardt of Google Project Zero.<br/>
- Impact: Processing maliciously crafted web content may lead
- to arbitrary code execution. Description: Multiple memory
- corruption issues were addressed with improved memory
- handling.</p>
-
- <p>CVE-2017-7064: Versions affected: WebKitGTK+ before 2.16.6.<br/>
- Credit to lokihardt of Google Project Zero.<br/>
- Impact: An application may be able to read restricted
- memory. Description: A memory initialization issue was
- addressed through improved memory handling.</p>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
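Review bot: the replacement `<p>Please reference CVE/URL list for details</p>` at the end of this hunk drops the only per-CVE affected-version data the entry had (the removed paragraphs distinguish `WebKitGTK+ before 2.16.1`, `before 2.16.2`, `before 2.16.3`, `before 2.16.4` and `before 2.16.6`), so readers can no longer tell which upgrade closes which issue without leaving the entry. Before committing, confirm that the entry's `<references>` block lists every CVE that was removed here (CVE-2017-7006 through CVE-2017-7064 as enumerated in the deleted lines) and that the `<affects>` range is bounded by the latest of those versions (2.16.6); otherwise the new text points at an incomplete list. Two smaller points: the placeholder sits inside `<blockquote cite="https://webkitgtk.org/security/WSA-2017-0006.html">`, so it is now rendered as a quotation from the WebKitGTK advisory even though it is the committer's own sentence (move it outside the blockquote, after `<p>The Webkit gtk team reports:</p>`), and the sentence lacks a terminating period. A one-line retained summary of the impact classes (arbitrary code execution, cross-origin data exfiltration via SVG filter timing, address bar spoofing, XSS via DOMParser, restricted memory read) would keep the entry useful to someone triaging without network access.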
@@ -4674,120 +4505,7 @@ maliciously crafted GET request to the Horde server.</
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<blockquote cite="https://nvd.nist.gov/vuln/search/results?query=ImageMagick">
- <ul>
- <li>CVE-2017-5506: Double free vulnerability in magick/profile.c in
- ImageMagick allows remote attackers to have unspecified impact via
- a crafted file.</li>
- <li>CVE-2017-5507: Memory leak in coders/mpc.c in ImageMagick before
- 6.9.7-4 and 7.x before 7.0.4-4 allows remote attackers to cause a
- denial of service (memory consumption) via vectors involving a
- pixel cache.</li>
- <li>CVE-2017-5508: Heap-based buffer overflow in the
- PushQuantumPixel function in ImageMagick before 6.9.7-3 and 7.x
- before 7.0.4-3 allows remote attackers to cause a denial of
- service (application crash) via a crafted TIFF file.</li>
- <li>CVE-2017-5509: coders/psd.c in ImageMagick allows remote
- attackers to have unspecified impact via a crafted PSD file, which
- triggers an out-of-bounds write.</li>
- <li>CVE-2017-5510: coders/psd.c in ImageMagick allows remote
- attackers to have unspecified impact via a crafted PSD file, which
- triggers an out-of-bounds write.</li>
- <li>CVE-2017-5511: coders/psd.c in ImageMagick allows remote
- attackers to have unspecified impact by leveraging an improper
- cast, which triggers a heap-based buffer overflow.</li>
- <li>CVE-2017-6497: An issue was discovered in ImageMagick 6.9.7.
- A specially crafted psd file could lead to a NULL pointer
- dereference (thus, a DoS).</li>
- <li>CVE-2017-6498: An issue was discovered in ImageMagick 6.9.7.
- Incorrect TGA files could trigger assertion failures, thus leading
- to DoS.</li>
- <li>CVE-2017-6499: An issue was discovered in Magick++ in
- ImageMagick 6.9.7. A specially crafted file creating a nested
- exception could lead to a memory leak (thus, a DoS).</li>
- <li>CVE-2017-6500: An issue was discovered in ImageMagick 6.9.7.
- A specially crafted sun file triggers a heap-based
- buffer over-read.</li>
- <li>CVE-2017-6501: An issue was discovered in ImageMagick 6.9.7.
- A specially crafted xcf file could lead to a NULL pointer
- dereference.</li>
- <li>CVE-2017-6502: An issue was discovered in ImageMagick 6.9.7.
- A specially crafted webp file could lead to a file-descriptor
- leak in libmagickcore (thus, a DoS).</li>
- <li>CVE-2017-7275: The ReadPCXImage function in coders/pcx.c in
- ImageMagick 7.0.4.9 allows remote attackers to cause a denial of
- service (attempted large memory allocation and application crash)
- via a crafted file. NOTE: this vulnerability exists because of an
- incomplete fix for CVE-2016-8862 and CVE-2016-8866.</li>
- <li>CVE-2017-7606: coders/rle.c in ImageMagick 7.0.5-4 has an
- "outside the range of representable values of type unsigned char"
- undefined behavior issue, which might allow remote attackers to
- cause a denial of service (application crash) or possibly have
- unspecified other impact via a crafted image.</li>
- <li>CVE-2017-7619: In ImageMagick 7.0.4-9, an infinite loop can
- occur because of a floating-point rounding error in some of the
- color algorithms. This affects ModulateHSL, ModulateHCL,
- ModulateHCLp, ModulateHSB, ModulateHSI, ModulateHSV, ModulateHWB,
- ModulateLCHab, and ModulateLCHuv.</li>
- <li>CVE-2017-7941: The ReadSGIImage function in sgi.c allows remote
- attackers to consume an amount of available memory via a crafted
- file.</li>
- <li>CVE-2017-7942: The ReadAVSImage function in avs.c allows remote
- attackers to consume an amount of available memory via a crafted
- file.</li>
- <li>CVE-2017-7943: The ReadSVGImage function in svg.c allows remote
- attackers to consume an amount of available memory via a crafted
- file.</li>
- <li>CVE-2017-8343: ReadAAIImage function in aai.c allows attackers
- to cause a denial of service (memory leak) via a crafted file.</li>
- <li>CVE-2017-8344: ReadPCXImage function in pcx.c allows attackers
- to cause a denial of service (memory leak) via a crafted file. The
- ReadMNGImage function in png.c allows attackers to cause a denial
- of service (memory leak) via a crafted file.</li>
- <li>CVE-2017-8345: ReadMNGImage function in png.c allows attackers
- to cause a denial of service (memory leak) via a crafted file.</li>
- <li>CVE-2017-8346: ReadMATImage function in mat.c allows attackers
- to cause a denial of service (memory leak) via a crafted file.</li>
- <li>CVE-2017-8347: ReadMATImage function in mat.c allows attackers
- to cause a denial of service (memory leak) via a crafted file. </li>
- <li>CVE-2017-8348: ReadMATImage function in mat.c allows attackers
- to cause a denial of service (memory leak) via a crafted file.</li>
- <li>CVE-2017-8349: ReadSFWImage function in sfw.c allows attackers
- to cause a denial of service (memory leak) via a crafted file.</li>
- <li>CVE-2017-8350: ReadJNGImage function in png.c allows attackers
- to cause a denial of service (memory leak) via a crafted file.</li>
- <li>CVE-2017-8351: ReadPCDImage function in pcd.c allows attackers
- to cause a denial of service (memory leak) via a crafted file.</li>
- <li>CVE-2017-8352: ReadXWDImage function in xwd.c allows attackers
- to cause a denial of service (memory leak) via a crafted file.</li>
- <li>CVE-2017-8353: ReadPICTImage function in pict.c allows attackers
- to cause a denial of service (memory leak) via a crafted file.</li>
- <li>CVE-2017-8354: ReadBMPImage function in bmp.c allows attackers
- to cause a denial of service (memory leak) via a crafted file.</li>
- <li>CVE-2017-8355: ReadMTVImage function in mtv.c allows attackers
- to cause a denial of service (memory leak) via a crafted file.</li>
- <li>CVE-2017-8356: ReadSUNImage function in sun.c allows attackers
- to cause a denial of service (memory leak) via a crafted file.</li>
- <li>CVE-2017-8357: ReadEPTImage function in ept.c allows attackers
- to cause a denial of service (memory leak) via a crafted file.</li>
- <li>CVE-2017-8765: The function named ReadICONImage in coders\icon.c
- has a memory leak vulnerability which can cause memory exhaustion
- via a crafted ICON file.</li>
- <li>CVE-2017-8830: ReadBMPImage function in bmp.c:1379 allows
- attackers to cause a denial of service (memory leak) via a crafted
- file.</li>
- <li>CVE-2017-9141: A crafted file could trigger an assertion failure
- in the ResetImageProfileIterator function in MagickCore/profile.c
- because of missing checks in the ReadDDSImage function in
- coders/dds.c.</li>
- <li>CVE-2017-9142: A crafted file could trigger an assertion failure
- in the WriteBlob function in MagickCore/blob.c because of missing
- checks in the ReadOneJNGImage function in coders/png.c.</li>
- <li>CVE-2017-9143: ReadARTImage function in coders/art.c allows
- attackers to cause a denial of service (memory leak) via a crafted
- .art file.</li>
- <li>CVE-2017-9144: A crafted RLE image can trigger a crash because
- of incorrect EOF handling in coders/rle.c.</li>
- </ul>
+ <p>Please reference CVE/URL list for details</p>
</blockquote>
</body>
</description>
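Review bot: same concern as the WebKitGTK hunk, with one extra: after this change the body consists solely of a `<blockquote cite="https://nvd.nist.gov/vuln/search/results?query=ImageMagick">` wrapping the placeholder, with no introductory `<p>` naming a reporter, so the description reads as a quotation of a search-results page saying "Please reference CVE/URL list for details". Prefer placing the placeholder outside the blockquote (or dropping the blockquote entirely, since a search URL is not an advisory source). The deleted `<ul>` also carried the only version boundaries for several items (`before 6.9.7-4 and 7.x before 7.0.4-4` for CVE-2017-5507, `before 6.9.7-3 and 7.x before 7.0.4-3` for CVE-2017-5508, `7.0.4.9` for CVE-2017-7275, `7.0.5-4` for CVE-2017-7606) and the note that CVE-2017-7275 is an incomplete fix for CVE-2016-8862 and CVE-2016-8866; check that the `<affects>` element already encodes those boundaries and that every CVE from CVE-2017-5506 through CVE-2017-9144 in the removed list appears as a `<cvename>` in `<references>`, since the new text delegates entirely to that list. The sentence is also missing its terminating period.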
@@ -12689,200 +12407,7 @@ maliciously crafted GET request to the Horde server.</
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
- <p>The phpMyAdmin development team reports:</p>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-57/">
- <h3>Summary</h3>
- <p>Open redirection</p>
- <h3>Description</h3>
- <p>A vulnerability was discovered where a user can be
- tricked in to following a link leading to phpMyAdmin,
- which after authentication redirects to another
- malicious site.</p>
- <p>The attacker must sniff the user's valid phpMyAdmin
- token.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be of moderate
- severity.</p>
- </blockquote>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-58/">
- <h3>Summary</h3>
- <p>Unsafe generation of blowfish secret</p>
- <h3>Description</h3>
- <p>When the user does not specify a blowfish_secret key
- for encrypting cookies, phpMyAdmin generates one at
- runtime. A vulnerability was reported where the way this
- value is created using a weak algorithm.</p>
- <p>This could allow an attacker to determine the user's
- blowfish_secret and potentially decrypt their
- cookies.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be of moderate
- severity.</p>
- <h3>Mitigation factor</h3>
- <p>This vulnerability only affects cookie
- authentication and only when a user has not
- defined a $cfg['blowfish_secret'] in
- their config.inc.php</p>
- </blockquote>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-59/">
- <h3>Summary</h3>
- <p>phpinfo information leak value of sensitive
- (HttpOnly) cookies</p>
- <h3>Description</h3>
- <p>phpinfo (phpinfo.php) shows PHP information
- including values of HttpOnly cookies.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be
- non-critical.</p>
- <h3>Mitigation factor</h3>
- <p>phpinfo in disabled by default and needs
- to be enabled explicitly.</p>
- </blockquote>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-60/">
- <h3>Summary</h3>
- <p>Username deny rules bypass (AllowRoot & Others)
- by using Null Byte</p>
- <h3>Description</h3>
- <p>It is possible to bypass AllowRoot restriction
- ($cfg['Servers'][$i]['AllowRoot']) and deny rules
- for username by using Null Byte in the username.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be
- severe.</p>
- </blockquote>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-61/">
- <h3>Summary</h3>
- <p>Username rule matching issues</p>
- <h3>Description</h3>
- <p>A vulnerability in username matching for the
- allow/deny rules may result in wrong matches and
- detection of the username in the rule due to
- non-constant execution time.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be severe.</p>
- </blockquote>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-62/">
- <h3>Summary</h3>
- <p>Bypass logout timeout</p>
- <h3>Description</h3>
- <p>With a crafted request parameter value it is possible
- to bypass the logout timeout.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be of moderate
- severity.</p>
- </blockquote>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-63/">
- <h3>Summary</h3>
- <p>Multiple full path disclosure vulnerabilities</p>
- <h3>Description</h3>
- <p>By calling some scripts that are part of phpMyAdmin in an
- unexpected way, it is possible to trigger phpMyAdmin to
- display a PHP error message which contains the full path of
- the directory where phpMyAdmin is installed. During an
- execution timeout in the export functionality, the errors
- containing the full path of the directory of phpMyAdmin is
- written to the export file.</p>
- <h3>Severity</h3>
- <p>We consider these vulnerability to be
- non-critical.</p>
- </blockquote>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-64/">
- <h3>Summary</h3>
- <p>Multiple XSS vulnerabilities</p>
- <h3>Description</h3>
- <p>Several XSS vulnerabilities have been reported, including
- an improper fix for <a href="https://www.phpmyadmin.net/security/PMASA-2016-10/">PMASA-2016-10</a> and a weakness in a regular expression
- using in some JavaScript processing.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be
- non-critical.</p>
- </blockquote>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-65/">
- <h3>Summary</h3>
- <p>Multiple DOS vulnerabilities</p>
- <h3>Description</h3>
- <p>With a crafted request parameter value it is possible
- to initiate a denial of service attack in saved searches
- feature.</p>
- <p>With a crafted request parameter value it is possible
- to initiate a denial of service attack in import
- feature.</p>
- <p>An unauthenticated user can execute a denial of
- service attack when phpMyAdmin is running with
- <code>$cfg['AllowArbitraryServer']=true;</code>.</p>
- <h3>Severity</h3>
- <p>We consider these vulnerabilities to be of
- moderate severity.</p>
- </blockquote>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-66/">
- <h3>Summary</h3>
- <p>Bypass white-list protection for URL redirection</p>
- <h3>Description</h3>
- <p>Due to the limitation in URL matching, it was
- possible to bypass the URL white-list protection.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be of moderate
- severity.</p>
- </blockquote>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-67/">
- <h3>Summary</h3>
- <p>BBCode injection vulnerability</p>
- <h3>Description</h3>
- <p>With a crafted login request it is possible to inject
- BBCode in the login page.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be severe.</p>
- <h3>Mitigation factor</h3>
- <p>This exploit requires phpMyAdmin to be configured
- with the "cookie" auth_type; other
- authentication methods are not affected.</p>
- </blockquote>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-68/">
- <h3>Summary</h3>
- <p>DOS vulnerability in table partitioning</p>
- <h3>Description</h3>
- <p>With a very large request to table partitioning
- function, it is possible to invoke a Denial of Service
- (DOS) attack.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be of moderate
- severity.</p>
- </blockquote>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-69/">
- <h3>Summary</h3>
- <p>Multiple SQL injection vulnerabilities</p>
- <h3>Description</h3>
- <p>With a crafted username or a table name, it was possible
- to inject SQL statements in the tracking functionality that
- would run with the privileges of the control user. This
- gives read and write access to the tables of the
- configuration storage database, and if the control user has
- the necessary privileges, read access to some tables of the
- mysql database.</p>
- <h3>Severity</h3>
- <p>We consider these vulnerabilities to be serious.</p>
- </blockquote>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-70/">
- <h3>Summary</h3>
- <p>Incorrect serialized string parsing</p>
- <h3>Description</h3>
- <p>Due to a bug in serialized string parsing, it was
- possible to bypass the protection offered by
- PMA_safeUnserialize() function.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be severe.</p>
- </blockquote>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-71/">
- <h3>Summary</h3>
- <p>CSRF token not stripped from the URL</p>
- <h3>Description</h3>
- <p>When the <code>arg_separator</code> is different from its
- default value of <code>&</code>, the token was not
- properly stripped from the return URL of the preference
- import action.</p>
- <h3>Severity</h3>
- <p>We have not yet determined a severity for this issue.</p>
- </blockquote>
+ <p>Please reference CVE/URL list for details</p>
</body>
</description>
<references>
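Review bot: this hunk removes the whole body, including `<p>The phpMyAdmin development team reports:</p>` and all fifteen `<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-5x/">` elements, so the advisory URLs PMASA-2016-57 through PMASA-2016-71 that were embedded as `cite` attributes are gone from the description; the replacement text tells readers to consult the "CVE/URL list", so the `<references>` element that opens immediately after this hunk must carry a `<url>` for each of those fifteen advisories (and the linked PMASA-2016-10 from the XSS item) or the pointer is dead. This hunk is also inconsistent with the phpMyAdmin hunk that follows it, where `<h3>Summary</h3>` and the one-line summary were kept per advisory while only Description, Severity and Mitigation factor were dropped; applying the same pattern here would preserve, in roughly the same number of lines as the placeholder, the fact that this entry covers a username deny-rule bypass via Null Byte (PMASA-2016-60), multiple SQL injections running as the control user (PMASA-2016-69), and a `PMA_safeUnserialize()` bypass (PMASA-2016-70), which are the items a reader triaging this entry most needs to see without following links. The placeholder sentence lacks a terminating period.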
@@ -16400,409 +15925,115 @@ and CVE-2013-0155.</p>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-29/">
<h3>Summary</h3>
<p>Weakness with cookie encryption</p>
- <h3>Description</h3>
- <p>A pair of vulnerabilities were found affecting the
- way cookies are stored.</p>
- <ul>
- <li>The decryption of the username/password is
- vulnerable to a padding oracle attack. The can allow
- an attacker who has access to a user's browser cookie
- file to decrypt the username and password.</li>
- <li>A vulnerability was found where the same
- initialization vector (IV) is used to hash the
- username and password stored in the phpMyAdmin
- cookie. If a user has the same password as their
- username, an attacker who examines the browser cookie
- can see that they are the but the attacker can not
- directly decode these values from the cookie as it is
- still hashed.</li>
- </ul>
- <h3>Severity</h3>
- <p>We consider this to be critical.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-30/">
<h3>Summary</h3>
<p>Multiple XSS vulnerabilities</p>
- <h3>Description</h3>
- <p>Multiple vulnerabilities have been discovered in the
- following areas of phpMyAdmin:</p>
- <ul>
- <li>Zoom search: Specially crafted column content can
- be used to trigger an XSS attack</li>
- <li>GIS editor: Certain fields in the graphical GIS
- editor at not properly escaped and can be used to
- trigger an XSS attack</li>
- <li>Relation view</li>
- <li>The following Transformations:
- <ul>
- <li>Formatted</li>
- <li>Imagelink</li>
- <li>JPEG: Upload</li>
- <li>RegexValidation</li>
- <li>JPEG inline</li>
- <li>PNG inline</li>
- <li>transformation wrapper</li>
- </ul>
- </li>
- <li>XML export</li>
- <li>MediaWiki export</li>
- <li>Designer</li>
- <li>When the MySQL server is running with a
- specially-crafted <code>log_bin</code> directive</li>
- <li>Database tab</li>
- <li>Replication feature</li>
- <li>Database search</li>
- </ul>
- <h3>Severity</h3>
- <p>We consider these vulnerabilities to be of
- moderate severity.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-31/">
<h3>Summary</h3>
<p>Multiple XSS vulnerabilities</p>
- <h3>Description</h3>
- <p>XSS vulnerabilities were discovered in:</p>
- <ul>
- <li>The database privilege check</li>
- <li>The "Remove partitioning" functionality</li>
- </ul>
- <p>Specially crafted database names can trigger the XSS
- attack.</p>
- <h3>Severity</h3>
- <p>We consider these vulnerabilities to be of moderate
- severity.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-32/">
<h3>Summary</h3>
<p>PHP code injection</p>
- <h3>Description</h3>
- <p>A vulnerability was found where a specially crafted
- database name could be used to run arbitrary PHP
- commands through the array export feature</p>
- <h3>Severity</h3>
- <p>We consider these vulnerabilities to be of
- moderate severity.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-33/">
<h3>Summary</h3>
<p>Full path disclosure</p>
- <h3>Description</h3>
- <p>A full path disclosure vulnerability was discovered
- where a user can trigger a particular error in the
- export mechanism to discover the full path of phpMyAdmin
- on the disk.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be
- non-critical.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-34/">
<h3>Summary</h3>
<p>SQL injection attack</p>
- <h3>Description</h3>
- <p>A vulnerability was reported where a specially
- crafted database and/or table name can be used to
- trigger an SQL injection attack through the export
- functionality.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be serious</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-35/">
<h3>Summary</h3>
<p>Local file exposure</p>
- <h3>Description</h3>
- <p>A vulnerability was discovered where a user can
- exploit the LOAD LOCAL INFILE functionality to expose
- files on the server to the database system.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be serious.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-36/">
<h3>Summary</h3>
<p>Local file exposure through symlinks with
UploadDir</p>
- <h3>Description</h3>
- <p>A vulnerability was found where a user can
- specially craft a symlink on disk, to a file which
- phpMyAdmin is permitted to read but the user is not,
- which phpMyAdmin will then expose to the user.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be serious,
- however due to the mitigation factors the
- default state is not vulnerable.</p>
- <h3>Mitigation factor</h3>
- <p>1) The installation must be run with UploadDir configured
- (not the default) 2) The user must be able to create a
- symlink in the UploadDir 3) The user running the phpMyAdmin
- application must be able to read the file</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-37/">
<h3>Summary</h3>
<p>Path traversal with SaveDir and UploadDir</p>
- <h3>Description</h3>
- <p>A vulnerability was reported with the <code>%u</code>
- username replacement functionality of the SaveDir and
- UploadDir features. When the username substitution is
- configured, a specially-crafted user name can be used to
- circumvent restrictions to traverse the file system.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be serious,
- however due to the mitigation factors the default
- state is not vulnerable.</p>
- <h3>Mitigation factor</h3>
- <p>1) A system must be configured with the %u username
- replacement, such as `$cfg['SaveDir'] =
- 'SaveDir_%u';` 2) The user must be able to create a
- specially-crafted MySQL user, including the `/.` sequence of
- characters, such as `/../../`</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-38/">
<h3>Summary</h3>
<p>Multiple XSS vulnerabilities</p>
- <h3>Description</h3>
- <p>Multiple XSS vulnerabilities were found in the following
- areas:</p>
- <ul>
- <li>Navigation pane and database/table hiding
- feature. A specially-crafted database name can be used
- to trigger an XSS attack.</li>
- <li>The "Tracking" feature. A specially-crafted query
- can be used to trigger an XSS attack.</li>
- <li>GIS visualization feature. </li>
- </ul>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be non-critical.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-39/">
<h3>Summary</h3>
<p>SQL injection attack</p>
- <h3>Description</h3>
- <p>A vulnerability was discovered in the following
- features where a user can execute an SQL injection
- attack against the account of the control user:
- <em>User group</em> Designer</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be serious.</p>
- <h3>Mitigation factor</h3>
- <p>The server must have a control user account created in
- MySQL and configured in phpMyAdmin; installations without a
- control user are not vulnerable.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-40/">
<h3>Summary</h3>
<p>SQL injection attack</p>
- <h3>Description</h3>
- <p>A vulnerability was reported where a specially
- crafted database and/or table name can be used to
- trigger an SQL injection attack through the export
- functionality.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be serious</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-41/">
<h3>Summary</h3>
<p>Denial of service (DOS) attack in transformation
feature</p>
- <h3>Description</h3>
- <p>A vulnerability was found in the transformation feature
- allowing a user to trigger a denial-of-service (DOS) attack
- against the server.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be non-critical</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-42/">
<h3>Summary</h3>
<p>SQL injection attack as control user</p>
- <h3>Description</h3>
- <p>A vulnerability was discovered in the user interface
- preference feature where a user can execute an SQL injection
- attack against the account of the control user.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be serious.</p>
- <h3>Mitigation factor</h3>
- <p>The server must have a control user account created in
- MySQL and configured in phpMyAdmin; installations without a
- control user are not vulnerable.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-43/">
<h3>Summary</h3>
<p>Unvalidated data passed to unserialize()</p>
- <h3>Description</h3>
- <p>A vulnerability was reported where some data is passed to
- the PHP <code>unserialize()</code> function without
- verification that it's valid serialized data.</p>
- <p>Due to how the <a href="https://secure.php.net/unserialize">PHP function</a>
- operates,</p>
- <blockquote>
- <p>Unserialization can result in code being loaded and
- executed due to object instantiation and autoloading, and
- a malicious user may be able to exploit this.</p>
- </blockquote>
- <p>Therefore, a malicious user may be able to manipulate the
- stored data in a way to exploit this weakness.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be moderately
- severe.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-45/">
<h3>Summary</h3>
<p>DOS attack with forced persistent connections</p>
- <h3>Description</h3>
- <p>A vulnerability was discovered where an unauthenticated
- user is able to execute a denial-of-service (DOS) attack by
- forcing persistent connections when phpMyAdmin is running
- with <code>$cfg['AllowArbitraryServer']=true;</code>.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be critical, although
- note that phpMyAdmin is not vulnerable by default.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-46/">
<h3>Summary</h3>
<p>Denial of service (DOS) attack by for loops</p>
- <h3>Description</h3>
- <p>A vulnerability has been reported where a malicious
- authorized user can cause a denial-of-service (DOS) attack
- on a server by passing large values to a loop.</p>
- <h3>Severity</h3>
- <p>We consider this issue to be of moderate severity.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-47/">
<h3>Summary</h3>
<p>IPv6 and proxy server IP-based authentication rule
circumvention</p>
- <h3>Description</h3>
- <p>A vulnerability was discovered where, under certain
- circumstances, it may be possible to circumvent the
- phpMyAdmin IP-based authentication rules.</p>
- <p>When phpMyAdmin is used with IPv6 in a proxy server
- environment, and the proxy server is in the allowed range
- but the attacking computer is not allowed, this
- vulnerability can allow the attacking computer to connect
- despite the IP rules.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be serious</p>
- <h3>Mitigation factor</h3>
- <p>* The phpMyAdmin installation must be running with
- IP-based allow/deny rules * The phpMyAdmin installation must
- be running behind a proxy server (or proxy servers) where
- the proxy server is "allowed" and the attacker is
- "denied" * The connection between the proxy server
- and phpMyAdmin must be via IPv6</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-48/">
<h3>Summary</h3>
<p>Detect if user is logged in</p>
- <h3>Description</h3>
- <p>A vulnerability was reported where an attacker can
- determine whether a user is logged in to phpMyAdmin.</p>
- <p>The user's session, username, and password are not
- compromised by this vulnerability.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be non-critical.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-49/">
<h3>Summary</h3>
<p>Bypass URL redirect protection</p>
- <h3>Description</h3>
- <p>A vulnerability was discovered where an attacker could
- redirect a user to a malicious web page.</p>
- <h3>Severity</h3>
- <p>We consider this to be of moderate severity</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-50/">
<h3>Summary</h3>
<p>Referrer leak in url.php</p>
- <h3>Description</h3>
- <p>A vulnerability was discovered where an attacker can
- determine the phpMyAdmin host location through the file
- <code>url.php</code>.</p>
- <h3>Severity</h3>
- <p>We consider this to be of moderate severity.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-51/">
<h3>Summary</h3>
<p>Reflected File Download attack</p>
- <h3>Description</h3>
- <p>A vulnerability was discovered where an attacker may be
- able to trigger a user to download a specially crafted
- malicious SVG file.</p>
- <h3>Severity</h3>
- <p>We consider this issue to be of moderate severity.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-52/">
<h3>Summary</h3>
<p>ArbitraryServerRegexp bypass</p>
- <h3>Description</h3>
- <p>A vulnerability was reported with the
- <code>$cfg['ArbitraryServerRegexp']</code> configuration
- directive. An attacker could reuse certain cookie values in
- a way of bypassing the servers defined by
- <code>ArbitraryServerRegexp</code>.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be critical.</p>
- <h3>Mitigation factor</h3>
- <p>Only servers using
- `$cfg['ArbitraryServerRegexp']` are vulnerable to
- this attack.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-53/">
<h3>Summary</h3>
<p>Denial of service (DOS) attack by changing password to a
very long string</p>
- <h3>Description</h3>
- <p>An authenticated user can trigger a denial-of-service
- (DOS) attack by entering a very long password at the change
- password dialog.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be serious.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-54/">
<h3>Summary</h3>
<p>Remote code execution vulnerability when run as CGI</p>
- <h3>Description</h3>
- <p>A vulnerability was discovered where a user can execute a
- remote code execution attack against a server when
- phpMyAdmin is being run as a CGI application. Under certain
- server configurations, a user can pass a query string which
- is executed as a command-line argument by the file
- <code>generator_plugin.sh</code>.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be critical.</p>
- <h3>Mitigation factor</h3>
- <p>The file
- `/libraries/plugins/transformations/generator_plugin.sh` may
- be removed. Under certain server configurations, it may be
- sufficient to remove execute permissions for this file.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-55/">
<h3>Summary</h3>
<p>Denial of service (DOS) attack with dbase extension</p>
- <h3>Description</h3>
- <p>A flaw was discovered where, under certain conditions,
- phpMyAdmin may not delete temporary files during the import
- of ESRI files.</p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be non-critical.</p>
- <h3>Mitigation factor</h3>
- <p>This vulnerability only exists when PHP is running with
- the dbase extension, which is not shipped by default, not
- available in most Linux distributions, and doesn't
- compile with PHP7.</p>
</blockquote>
<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-56/">
<h3>Summary</h3>
<p>Remote code execution vulnerability when PHP is running
with dbase extension</p>
- <h3>Description</h3>
- <p>A vulnerability was discovered where phpMyAdmin can be
- used to trigger a remote code execution attack against
- certain PHP installations. </p>
- <h3>Severity</h3>
- <p>We consider this vulnerability to be critical.</p>
- <h3>Mitigation factor</h3>
- <p>This vulnerability only exists when PHP is running with
- the dbase extension, which is not shipped by default, not
- available in most Linux distributions, and doesn't
- compile with PHP7.</p>
</blockquote>
</body>
</description>
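Review bot: Condensing each PMASA blockquote to its Summary alone drops the Severity and "Mitigation factor" paragraphs, which are the parts of these entries a reader acts on: the PMASA-2016-45 entry loses the note that it is only reachable with `$cfg['AllowArbitraryServer']=true;`, PMASA-2016-52 loses "Only servers using `$cfg['ArbitraryServerRegexp']` are vulnerable", and PMASA-2016-54 loses the advice that `/libraries/plugins/transformations/generator_plugin.sh` may be removed. The `cite` URL on each surviving blockquote keeps the full advisory reachable, but nothing in the condensed entry now distinguishes the three issues the advisories rate critical (PMASA-2016-45, -52, -54) from the non-critical ones; consider keeping the one-line Severity paragraph, or at least the critical/conditional qualifiers, inside the length limit. Also note that the removed `<ul>` close at the top of the hunk pairs with an opening tag above the visible context, so the remaining XHTML should be run through the vuxml validation target before commit.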
@@ -20782,199 +20013,7 @@ and CVE-2013-0155.</p>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
- <p>The phpMyAdmin development team reports:</p>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-17/">
- <h3>Summary</h3>
- <p>BBCode injection vulnerability</p>
-
- <h3>Description</h3>
- <p>A vulnerability was discovered that allows an BBCode
- injection to setup script in case it's not accessed on
- https.</p>
-
- <h3>Severity</h3>
- <p>We consider this to be non-critical.</p>
- </blockquote>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-18/">
- <h3>Summary</h3>
- <p>Cookie attribute injection attack</p>
-
- <h3>Description</h3>
- <p>A vulnerability was found where, under some
- circumstances, an attacker can inject arbitrary values
- in the browser cookies.</p>
-
- <h3>Severity</h3>
- <p>We consider this to be non-critical.</p>
- </blockquote>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-19/">
- <h3>Summary</h3>
- <p>SQL injection attack</p>
-
- <h3>Description</h3>
- <p>A vulnerability was discovered that allows an SQL
- injection attack to run arbitrary commands as the
- control user.</p>
-
- <h3>Severity</h3>
- <p>We consider this vulnerability to be serious</p>
- </blockquote>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-20/">
- <h3>Summary</h3>
- <p>XSS on table structure page</p>
-
- <h3>Description</h3>
- <p>An XSS vulnerability was discovered on the table
- structure page</p>
-
- <h3>Severity</h3>
- <p>We consider this to be a serious
- vulnerability</p>
- </blockquote>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-21/">
- <h3>Summary</h3>
- <p>Multiple XSS vulnerabilities</p>
-
- <h3>Description</h3>
- <ul>
- <li>An XSS vulnerability was discovered on the user
- privileges page.</li>
- <li>An XSS vulnerability was discovered in the error
- console.</li>
- <li>An XSS vulnerability was discovered in the central
- columns feature.</li>
- <li>An XSS vulnerability was discovered in the query
- bookmarks feature.</li>
- <li>An XSS vulnerability was discovered in the user groups
- feature.</li>
- </ul>
-
- <h3>Severity</h3>
- <p>We consider this to be a serious vulnerability</p>
- </blockquote>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-22/">
- <h3>Summary</h3>
- <p>DOS attack</p>
-
- <h3>Description</h3>
- <p>A Denial Of Service (DOS) attack was discovered in
- the way phpMyAdmin loads some JavaScript files.</p>
-
- <h3>Severity</h3>
- <p>We consider this to be of moderate severity</p>
- </blockquote>
- <blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-23/">
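Review bot: The replacement side of this hunk is not visible because the mail is cut at the 1000-line limit, and unlike the previous hunk the `-` lines here remove the attribution line `<p>The phpMyAdmin development team reports:</p>` and the `<blockquote cite="https://www.phpmyadmin.net/security/PMASA-2016-NN/">` wrappers themselves rather than only their inner headings; the 7 lines that replace 199 should be checked to confirm that the attribution and the per-advisory PMASA URLs, which are the only per-issue references this entry carries, survive the condensing. Worth confirming on the full diff in the linked changeset rather than from this mail.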
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***