Your message dated Sun, 22 Jan 2012 17:17:09 +0000
with message-id <e1rp12t-0006xf...@franck.debian.org>
and subject line Bug#656247: fixed in phpmyadmin 4:3.3.7-7
has caused the Debian Bug report #656247,
regarding phpmyadmin: Local File Inclusion via XXE-injection (CVE-2011-4107)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
656247: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=656247
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: phpmyadmin
Version: 4:3.3.7-6
Severity: normal

Vulnerability in phpmyadmin in squeeze has been exploited wildly in public. 
Spion from #debian-security asked this to be handled quickly.

Tracker: http://security-tracker.debian.org/tracker/CVE-2011-4107
Exploit: http://www.exploit-db.com/exploits/18371/
OSVDB: http://osvdb.org/show/osvdb/76798

Please note that I have not validated this vulnerability and there is something 
strange going on as OSVDB has subject: "libraries/import/xml.php XML Data 
Entity References Parsing Remote Information Disclosure" and exploit-db is 
talking about LFI. Probably both are true. Contact me in case you need any help 
solving this issue. I can test and try to patch for example if needed. From 
MITRE's CVE-list:

======================================================
Name: CVE-2011-4107
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4107
Phase: Assigned (20111018)
Category: 
Reference: FULLDISC:20111102 PhpMyAdmin Arbitrary File Reading
Reference: URL:http://seclists.org/fulldisclosure/2011/Nov/21
Reference: 
MISC:http://packetstormsecurity.org/files/view/106511/phpmyadmin-fileread.txt
Reference: MISC:http://www.wooyun.org/bugs/wooyun-2010-03185
Reference: MISC:https://bugzilla.redhat.com/show_bug.cgi?id=751112
Reference: 
CONFIRM:http://www.phpmyadmin.net/home_page/security/PMASA-2011-17.php
Reference: FEDORA:FEDORA-2011-15831
Reference: 
URL:http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069649.html
Reference: FEDORA:FEDORA-2011-15841
Reference: 
URL:http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069625.html
Reference: FEDORA:FEDORA-2011-15846
Reference: 
URL:http://lists.fedoraproject.org/pipermail/package-announce/2011-November/069635.html
Reference: BID:50497
Reference: URL:http://www.securityfocus.com/bid/50497
Reference: OSVDB:76798
Reference: URL:http://osvdb.org/76798
Reference: SECUNIA:46447
Reference: URL:http://secunia.com/advisories/46447
Reference: XF:phpmyadmin-xml-info-disclosure(71108)
Reference: URL:http://xforce.iss.net/xforce/xfdb/71108

The simplexml_load_string function in the XML import plug-in
(libraries/import/xml.php) in phpMyAdmin 3.4.x before 3.4.7.1 and
3.3.x before 3.3.10.5 allows remote authenticated users to read
arbitrary files via XML data containing external entity references,
aka an XML external entity (XXE) injection attack.


Current Votes:
None (candidate not yet proposed)
======================================================

-- System Information:
Debian Release: 6.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages phpmyadmin depends on:
ii  dbconfig-common        1.8.46+squeeze.0  common framework for packaging dat
ii  debconf [debconf-2.0]  1.5.36.1          Debian configuration management sy
ii  libapache2-mod-php5    5.3.3-7+squeeze3  server-side, HTML-embedded scripti
ii  libjs-mootools         1.2.4.0~debian1-1 compact JavaScript framework
ii  perl                   5.10.1-17squeeze2 Larry Wall's Practical Extraction
ii  php5                   5.3.3-7+squeeze3  server-side, HTML-embedded scripti
ii  php5-cgi               5.3.3-7+squeeze3  server-side, HTML-embedded scripti
ii  php5-mcrypt            5.3.3-7+squeeze3  MCrypt module for php5
ii  php5-mysql             5.3.3-7+squeeze3  MySQL module for php5
ii  ucf                    3.0025+nmu1       Update Configuration File: preserv

Versions of packages phpmyadmin recommends:
ii  apache2                2.2.16-6+squeeze4 Apache HTTP Server metapackage
ii  apache2-mpm-prefork [h 2.2.16-6+squeeze4 Apache HTTP Server - traditional n
ii  mysql-client           5.1.49-3          MySQL database client (metapackage
ii  mysql-client-5.1 [mysq 5.1.49-3          MySQL database client binaries
ii  php5-gd                5.3.3-7+squeeze3  GD module for php5

Versions of packages phpmyadmin suggests:
pn  mysql-server                  <none>     (no description available)

-- debconf information excluded



--- End Message ---
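The CVE text above describes the defect: untrusted XML handed to simplexml_load_string() with external entity loading left enabled. As an added example, not phpMyAdmin's own code and not part of this bug report, the following PHP helper shows the defensive pattern a parser of user-supplied XML should follow: reject any DOCTYPE (the only place an entity can be declared), disable libxml's external entity loader, and forbid network access during the parse. The function name load_untrusted_xml, the `<pma>` document shape and both sample inputs are assumptions constructed for this illustration.

```php
<?php
// Added example (not phpMyAdmin's code): parse untrusted XML with external
// entity resolution disabled, as a defence against XXE such as CVE-2011-4107.

function load_untrusted_xml($xml_data)
{
    // Refuse any document that declares a DOCTYPE at all: an import format
    // never needs one, and every entity declaration must live inside one.
    if (preg_match('/<!DOCTYPE/i', $xml_data)) {
        return false;
    }

    // Belt and braces: stop libxml from fetching external entities (files or
    // URLs) even if a declaration slipped past the check above.
    // libxml_disable_entity_loader() exists from PHP 5.2.11; PHP 8 deprecates
    // it because external loading is already off by default there.
    $previous = null;
    if (function_exists('libxml_disable_entity_loader')) {
        $previous = @libxml_disable_entity_loader(true);
    }
    libxml_use_internal_errors(true);

    // LIBXML_NONET forbids network access while parsing. Never pass
    // LIBXML_NOENT here: that flag asks libxml to substitute entities.
    $doc = simplexml_load_string($xml_data, 'SimpleXMLElement', LIBXML_NONET);

    libxml_clear_errors();
    if ($previous !== null) {
        @libxml_disable_entity_loader($previous);
    }
    return $doc; // SimpleXMLElement on success, false on any parse error
}

// Constructed sample input: a plain, well-formed import document is accepted.
$good = '<?xml version="1.0"?>'
      . '<pma><database name="test"><table name="t1"/></database></pma>';
$result = load_untrusted_xml($good);
echo $result === false
    ? "rejected\n"
    : "accepted: database " . $result->database['name'] . "\n";

// Constructed sample input: a document carrying a DOCTYPE (even with only a
// harmless internal entity) is rejected before the parser ever sees it.
$with_doctype = '<?xml version="1.0"?>'
              . '<!DOCTYPE pma [ <!ENTITY greeting "hello"> ]>'
              . '<pma>&greeting;</pma>';
echo load_untrusted_xml($with_doctype) === false ? "rejected\n" : "accepted\n";
```

Running the script prints `accepted: database test` for the first document and `rejected` for the second. The DOCTYPE check is the primary control; the entity-loader switch and LIBXML_NONET are defence in depth for the case where the check is bypassed or a later code change re-enables entity substitution.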
--- Begin Message ---
Source: phpmyadmin
Source-Version: 4:3.3.7-7

We believe that the bug you reported is fixed in the latest version of
phpmyadmin, which is due to be installed in the Debian FTP archive:

phpmyadmin_3.3.7-7.debian.tar.gz
  to main/p/phpmyadmin/phpmyadmin_3.3.7-7.debian.tar.gz
phpmyadmin_3.3.7-7.dsc
  to main/p/phpmyadmin/phpmyadmin_3.3.7-7.dsc
phpmyadmin_3.3.7-7_all.deb
  to main/p/phpmyadmin/phpmyadmin_3.3.7-7_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 656...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <th...@debian.org> (supplier of updated phpmyadmin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 22 Jan 2012 13:34:08 +0100
Source: phpmyadmin
Binary: phpmyadmin
Architecture: source all
Version: 4:3.3.7-7
Distribution: stable-security
Urgency: low
Maintainer: Thijs Kinkhorst <th...@debian.org>
Changed-By: Thijs Kinkhorst <th...@debian.org>
Description: 
 phpmyadmin - MySQL web administration tool
Closes: 656247
Changes: 
 phpmyadmin (4:3.3.7-7) stable-security; urgency=low
 .
   * Upload to stable for security issues.
   * CVE-2011-4107: XML external entity (XXE) injection attack
     (closes: 656247).
   * CVE-2011-1940, CVE-2011-3181: XSS in tracking feature.
 .
   * Properly apply fix for minor issues
     CVE-2011-2642, CVE-2011-2719.
Checksums-Sha1: 
 88c764e6c6a8b04afd9091a0629c581138ee383e 1517 phpmyadmin_3.3.7-7.dsc
 cc1fabbe339386cbb50e94ac8247853356d3cd36 54285 phpmyadmin_3.3.7-7.debian.tar.gz
 13cdb5c981f912deb0013108ba2cc90b3fc5e518 4350820 phpmyadmin_3.3.7-7_all.deb
Checksums-Sha256: 
 fbcccd0bc28e5d9187e816b2d2fa1549b5d2a66a3fcb405f19ef9bbc9dc8be48 1517 phpmyadmin_3.3.7-7.dsc
 7e1b3a94cdcb7e7cbaab95315b1a4f24f17565fcca74039746700d625768e724 54285 phpmyadmin_3.3.7-7.debian.tar.gz
 302f5622f57b992a202489ac24474dba422dd0915402fac2e7b93786f2f4512d 4350820 phpmyadmin_3.3.7-7_all.deb
Files: 
 69508e5d49591e02ed84d85e5b33e489 1517 web extra phpmyadmin_3.3.7-7.dsc
 aab1facb7434dd4cec08e0926b11bf84 54285 web extra phpmyadmin_3.3.7-7.debian.tar.gz
 1ce755ea697d1dcf2ce8e0c39af2e204 4350820 web extra phpmyadmin_3.3.7-7_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQEcBAEBAgAGBQJPHAS5AAoJEOxfUAG2iX57hX4IAJpr3aGdwtvVgCQ9Cu6YAqso
YPXzNm1Ap+PDPkD4+31R3W95ZZ0Uc8GTpggwMyC+7k26it9VAzhXM8pI+423jJai
KolLNiGZ+XkKvNsHqDZfkbijmXg0lJcSciIDd1bNbRbZmyFD3UPmRSUADX+RFbKW
BBIYnLlxiIQnN7HnP0EeOo/F932dqnMnfjcz8EkySV10dOvXLLZ3qDXapRK0pVvN
QjbBMOhiP/7mi01UqRvwP5CKdZbLxS4OkrmXEfKGVH3EOUIH3iMCXnfDCuz1Nj+n
v5VINr+bJzHrsD5IxSTG+CnceQX1Jr3gosH77txZraf2jgoipA78Vwr+mSpU4ak=
=7ZC9
-----END PGP SIGNATURE-----



--- End Message ---