Hi LTS team

I have done some analysis of the issues for phpmyadmin.

It would be good to know what your opinion about XSS issues for admin
software like phpmyadmin is. I do not see how that can be very important. I
mean you know the URL and do not really use external links for accessing it.
Or does anyone have another opinion?

I'll happily mark them as no DSA instead of backporting the fixes. What do
you think?
If I do not hear any objections I'll do so in a few days.

CVE-2016-5701
The mitigation is to always use https for access. I guess this should be
the normal case.
This is a problem only during setup as far as I can tell.
I do not think we should spend time on this one. I'll mark it as no DSA.
Objections?
If anyone objects the backport should be fairly simple.

CVE-2016-5702
A properly configured server which sets PHP_SELF is not affected. Thus I'll
mark this as no DSA. Objections?

CVE-2016-5703
This one looks like a real problem. Will look into backport of that one.

CVE-2016-5704 and CVE-2016-5705
XSS issue. Backporting looks easy.

CVE-2016-5706
A potential DoS attack should be fixed. I'll look into backporting this.

CVE-2016-5730
Non critical. I'll mark as no DSA unless anyone objects.

CVE-2016-5731, CVE-2016-5732, CVE-2016-5733
XSS again. Backporting looks rather easy. I do not really see the urgency
of fixing though.

CVE-2016-5734
Possible real problem. I'll look into backporting this.

CVE-2016-5739
Possible real problem. Backporting looks easy.

Cheers

// Ola


-- 
 --------------------- Ola Lundqvist ---------------------------
/  o...@debian.org                     Folkebogatan 26          \
|  o...@inguza.com                      654 68 KARLSTAD          |
|  http://inguza.com/                  +46 (0)70-332 1551       |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36  4FE4 18A1 B1CF 0FE5 3DD9 /
 ---------------------------------------------------------------