Candidate: CVE-2016-6606
PublicDate: 2016-12-11 02:59:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6606
 http://www.phpmyadmin.net/security/PMASA-2016-29/
Description:
 An issue was discovered in cookie encryption in phpMyAdmin. The decryption
 of the username/password is vulnerable to a padding oracle attack. This can
 allow an attacker who has access to a user's browser cookie file to decrypt
 the username and password. Furthermore, the same initialization vector (IV)
 is used to hash the username and password stored in the phpMyAdmin cookie.
 If a user has the same password as their username, an attacker who examines
 the browser cookie can see that they are the same - but the attacker can
 not directly decode these values from the cookie as it is still hashed. All
 4.6.x versions (prior to 4.6.4), 4.4.x versions (prior to 4.4.15.8), and
 4.0.x versions (prior to 4.0.10.17) are affected.
Ubuntu-Description:
 It was discovered that phpmyadmin incorrectly handled cookie encryption.
 An attacker with access to cookies could possibly use this to determine
 information about user credentials.
Notes:
Bugs:
Priority: high
Discovered-by: Emanuel Bronshtein
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H [8.1 HIGH]

Patches_phpmyadmin:
 upstream: https://github.com/phpmyadmin/phpmyadmin/commit/cd682a6
upstream_phpmyadmin: released (4:4.6.4+dfsg1-1)
precise_phpmyadmin: ignored (reached end-of-life)
precise/esm_phpmyadmin: DNE (precise was needed)
trusty_phpmyadmin: released (4:4.0.10-1ubuntu0.1)
trusty/esm_phpmyadmin: released (4:4.0.10-1ubuntu0.1)

vivid/stable-phone-overlay_phpmyadmin: DNE
vivid/ubuntu-core_phpmyadmin: DNE
xenial_phpmyadmin: released (4:4.5.4.1-2ubuntu2.1)

yakkety_phpmyadmin: not-affected (4:4.6.4+dfsg1-1)
zesty_phpmyadmin: not-affected (4:4.6.4+dfsg1-1)
artful_phpmyadmin: not-affected (4:4.6.4+dfsg1-1)
bionic_phpmyadmin: not-affected (4:4.6.4+dfsg1-1)
devel_phpmyadmin: not-affected (4:4.6.4+dfsg1-1)