blob: ff81eef7630728c7d86716b668ba26863d970ea6 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
|
<define-tag description>LTS security update</define-tag>
<define-tag moreinfo>
<p>Several flaws were discovered in the CSRF authentication code of
phpMyAdmin.</p>
<ul>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2016-2039">CVE-2016-2039</a>
<p>The XSRF/CSRF token is generated with a weak algorithm using
functions that do not return cryptographically secure values.</p></li>
<li><a href="https://security-tracker.debian.org/tracker/CVE-2016-2041">CVE-2016-2041</a>
<p>The comparison of the XSRF/CSRF token parameter with the value saved
in the session is vulnerable to timing attacks. Moreover, the
comparison could be bypassed if the XSRF/CSRF token matches a
particular pattern.</p></li>
</ul>
</define-tag>
# do not modify the following line
#include "$(ENGLISHDIR)/lts/security/2016/dla-406.data"
# $Id$
|
