{"id":"MGASA-2016-0051","summary":"Updated phpmyadmin/phpseclib packages fix security vulnerability","details":"Password suggestion functionality uses Math.random() which does not\nprovide cryptographically secure random numbers (CVE-2016-1927).\n\nBy calling some scripts that are part of phpMyAdmin in an unexpected way,\nit is possible to trigger phpMyAdmin to display a PHP error message which\ncontains the full path of the directory where phpMyAdmin is installed\n(CVE-2016-2038).\n\nThe XSRF/CSRF token is generated with a weak algorithm using functions\nthat do not return cryptographically secure values (CVE-2016-2039).\n\nWith a crafted table name it is possible to trigger an XSS attack in the\ndatabase search page. With a crafted SET value or a crafted search query,\nit is possible to trigger an XSS attack in the zoom search page. With a\ncrafted hostname header, it is possible to trigger an XSS attack in the\nhome page (CVE-2016-2040).\n\nThe comparison of the XSRF/CSRF token parameter with the value saved in\nthe session is vulnerable to timing attacks. Moreover, the comparison\ncould be bypassed if the XSRF/CSRF token matches a particular pattern\n(CVE-2016-2041).\n\nThe phpmyadmin package has been updated to version 4.4.15.4 in the 4.4.x\nstable branch, and the phpseclib dependency has been updated to version\n2.0.1.\n","modified":"2026-04-16T01:47:27.419194100Z","published":"2016-02-05T17:26:09Z","upstream":["CVE-2016-1927","CVE-2016-2038","CVE-2016-2039","CVE-2016-2040","CVE-2016-2041"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2016-0051.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=17633"},{"type":"WEB","url":"https://www.phpmyadmin.net/security/PMASA-2016-1/"},{"type":"WEB","url":"https://www.phpmyadmin.net/security/PMASA-2016-2/"},{"type":"WEB","url":"https://www.phpmyadmin.net/security/PMASA-2016-3/"},{"type":"WEB","url":"https://www.phpmyadmin.net/security/PMASA-2016-4/"},{"type":"WEB","url":"https://www.phpmyadmin.net/security/PMASA-2016-5/"},{"type":"WEB","url":"https://www.phpmyadmin.net/files/4.4.15.3/"},{"type":"WEB","url":"https://www.phpmyadmin.net/news/2016/1/28/phpmyadmin-454-44153-and-401013-are-released/"},{"type":"WEB","url":"https://www.phpmyadmin.net/news/2016/1/29/phpmyadmin-401014-44154-and-451/"},{"type":"WEB","url":"http://lwn.net/Vulnerabilities/674259/"}],"affected":[{"package":{"name":"phpmyadmin","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/phpmyadmin?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.4.15.4-1.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2016-0051.json"}},{"package":{"name":"phpseclib","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/phpseclib?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.0.1-1.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2016-0051.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}