Bug 528769 - (CVE-2009-3696, CVE-2009-3697) CVE-2009-3696 CVE-2009-3697 phpMyAdmin: XSS and SQL injection (PMASA-2009-6)
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Target Release: ---
Assigned To: Red Hat Product Security
http://www.phpmyadmin.net/home_page/n...
cwe=(CWE-79|CWE-89)
Keywords: Security
Depends On:
Blocks:
Reported: 2009-10-13 12:13 EDT by Jan Lieskovsky
Modified: 2016-01-26 07:54 EST (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-01-04 02:42:24 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments: None
Comment 1 Robert Scheck 2009-10-13 12:17:49 EDT
Already known to me, will submit updates this evening (next few hours).
Comment 2 Robert Scheck 2009-10-13 18:02:03 EDT
Package: phpMyAdmin-2.11.9.6-1.el4 Tag: dist-4E-epel-testing-candidate Status: complete Built by: robert
Package: phpMyAdmin-2.11.9.6-1.el5 Tag: dist-5E-epel-testing-candidate Status: complete Built by: robert

Package: phpMyAdmin-3.2.2.1-1.fc10 Tag: dist-f10-updates-candidate Status: complete Built by: robert
Package: phpMyAdmin-3.2.2.1-1.fc11 Tag: dist-f11-updates-candidate Status: complete Built by: robert
Package: phpMyAdmin-3.2.2.1-1.fc12 Tag: dist-f12-updates-candidate Status: complete Built by: robert
Package: phpMyAdmin-3.2.2.1-1.fc13 Tag: dist-f13 Status: complete Built by: robert
Comment 3 Fedora Update System 2009-10-13 18:02:28 EDT
phpMyAdmin-2.11.9.6-1.el4 has been submitted as an update for Fedora EPEL 4.
http://admin.fedoraproject.org/updates/phpMyAdmin-2.11.9.6-1.el4
Comment 4 Fedora Update System 2009-10-13 18:02:32 EDT
phpMyAdmin-2.11.9.6-1.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/phpMyAdmin-2.11.9.6-1.el5
Comment 5 Fedora Update System 2009-10-13 18:03:47 EDT
phpMyAdmin-3.2.2.1-1.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/phpMyAdmin-3.2.2.1-1.fc10
Comment 6 Fedora Update System 2009-10-13 18:04:11 EDT
phpMyAdmin-3.2.2.1-1.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/phpMyAdmin-3.2.2.1-1.fc11
Comment 7 Robert Scheck 2009-10-13 18:08:56 EDT
Fedora 12 is waiting for tagging, https://fedorahosted.org/rel-eng/ticket/2470
Comment 8 Jan Lieskovsky 2009-10-15 03:47:30 EDT
Quoting upstream PMASA-2009-6 advisory for CVE description:

CVE-2009-3696 Cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via a crafted MySQL table name.

CVE-2009-3697 SQL injection vulnerability allows remote attackers to inject SQL via various interface parameters of the PDF schema generator feature.
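As an added illustration (not phpMyAdmin's code, and not the actual code paths fixed in 2.11.9.6 / 3.2.2.1), the PHP below shows the two defect classes the advisory names, on constructed inputs, each beside a hardened version: a table name reflected into HTML without escaping, and a request-supplied identifier concatenated into a query without quoting or an allowlist check. The function names, sample values and the in-memory known-table list are assumptions made for the example.

```php
<?php
// Added illustration, not phpMyAdmin's own code. Function names, sample
// values and the known-table list below are constructed for the example.

// ---- XSS class (CVE-2009-3696): a table name rendered into HTML ----------
// MySQL permits characters such as '<' and '"' in a quoted table name, so
// anything read back from the catalogue is untrusted data in an HTML context.
function renderTableLinkUnsafe(string $name): string
{
    // Vulnerable pattern: identifier concatenated straight into markup.
    return '<a href="sql.php?table=' . $name . '">' . $name . '</a>';
}

function renderTableLinkSafe(string $name): string
{
    // Two contexts, two encoders: the query-string value is URL-encoded,
    // then everything placed into markup is HTML-escaped.
    $href = 'sql.php?table=' . rawurlencode($name);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">'
         . htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
         . '</a>';
}

// ---- SQL injection class (CVE-2009-3697): identifiers from request input --
// Identifiers cannot be bound as prepared-statement parameters, so the
// defence is an allowlist check against the catalogue plus backtick quoting
// (embedded backticks doubled) when the name is placed into the statement.
function quoteIdentifier(string $name): string
{
    return '`' . str_replace('`', '``', $name) . '`';
}

function schemaQueryUnsafe(string $db, string $table): string
{
    // Vulnerable pattern: raw request values spliced into the statement.
    return "SELECT * FROM $db.$table LIMIT 10";
}

function schemaQuerySafe(array $knownTables, string $db, string $table): string
{
    // $knownTables stands in for a lookup of information_schema.tables made
    // with bound parameters; here it is a constructed in-memory list.
    if (!in_array($table, $knownTables[$db] ?? [], true)) {
        throw new InvalidArgumentException('unknown table ' . $db . '.' . $table);
    }
    return 'SELECT * FROM ' . quoteIdentifier($db) . '.' . quoteIdentifier($table) . ' LIMIT 10';
}

// ---- Demonstration on constructed inputs ---------------------------------
$craftedName = 'users<script>alert(1)</script>';        // constructed table name
echo renderTableLinkUnsafe($craftedName), PHP_EOL;      // script element reaches the browser
echo renderTableLinkSafe($craftedName), PHP_EOL;        // shown as literal text instead

$knownTables  = ['shop' => ['users', 'orders']];        // constructed catalogue
$craftedParam = 'orders` LIMIT 1; -- ';                 // constructed request value
echo schemaQueryUnsafe('shop', $craftedParam), PHP_EOL; // statement boundary is broken
try {
    echo schemaQuerySafe($knownTables, 'shop', $craftedParam), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;       // allowlist refuses the value
}
echo schemaQuerySafe($knownTables, 'shop', 'orders'), PHP_EOL; // `shop`.`orders`
```

The two hardened functions are independent: the allowlist check alone would stop the constructed identifier, but backtick quoting is still applied so that a legitimately named table containing a backtick or a space cannot break the statement either, and the HTML-escaping is needed regardless of what the database layer does, because the table name is attacker-influenced data by the time it is rendered.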
Comment 9 Fedora Update System 2009-10-15 18:33:14 EDT
phpMyAdmin-3.2.2.1-1.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2009-10-15 18:38:22 EDT
phpMyAdmin-3.2.2.1-1.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2009-10-16 15:32:31 EDT
phpMyAdmin-2.11.9.6-1.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2009-10-16 15:34:42 EDT
phpMyAdmin-2.11.9.6-1.el4 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Robert Scheck 2010-01-03 19:09:40 EST
Can't we close this bug report?
Comment 14 Tomas Hoger 2010-01-04 02:42:24 EST
Yes, feel free to close any phpMyAdmin-related Security Response bugs when all affected Fedora and EPEL versions are fixed.  It's currently not part of any Red Hat product.  Thank you!
