| Summary: | phpmyadmin new security issue CVE-2014-1879 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | ennael1, napcok, oe, rverschelde, sysadmin-bugs, tmb |
| Version: | 4 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/587543/ | | |
| Whiteboard: | MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok mga4-32-ok advisory | | |
| Source RPM: | phpmyadmin | CVE: | |
| Status comment: | | | |

Description
David Walser
2014-02-21 02:00:06 CET
David Walser
2014-02-21 02:00:20 CET
Whiteboard:
(none) =>
MGA3TOO
David Walser
2014-02-21 16:11:06 CET
URL:
(none) =>
http://lwn.net/Vulnerabilities/587543/
David Walser
2014-02-21 16:27:52 CET
Assignee:
bugsquad =>
lists.jjorge

Backported 4.1.7 to Mageia 3 and Mageia 4 as advised by Oden (he did the same for MBS).

For Mageia 3 this is a major update (from 3.5.8.x) and adds an additional requires on the phpseclib package which has been freshly imported. For Mageia 4, that package already existed but has been updated to a newer version.

Advisory:
========================

Updated phpmyadmin packages fix security vulnerabilities:

Cross-site scripting (XSS) vulnerability in import.php in phpMyAdmin before 4.1.7 allows remote authenticated users to inject arbitrary web script or HTML via a crafted filename in an import action (CVE-2014-1879).

This upgrade provides the latest phpmyadmin version (4.1.7) to address this vulnerability.

Additionally the phpseclib package has been added in Mageia 3 and updated in Mageia 4, due to new dependencies.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1879
http://www.phpmyadmin.net/home_page/security/PMASA-2014-1.php
http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2014:046/
========================

Updated packages in core/updates_testing:
========================
phpseclib-0.3.5-1.mga3
phpmyadmin-4.1.7-1.mga3
phpseclib-0.3.5-1.mga4
phpmyadmin-4.1.7-1.mga4

from SRPMS:
phpseclib-0.3.5-1.mga3.src.rpm
phpmyadmin-4.1.7-1.mga3.src.rpm
phpseclib-0.3.5-1.mga4.src.rpm
phpmyadmin-4.1.7-1.mga4.src.rpm

Assignee:
lists.jjorge =>
qa-bugs
Daniel Napora
2014-02-22 01:51:49 CET
CC:
(none) =>
napcok

Testing complete mga4 64

Tested also on mga4 32 seems everything works fine

Whiteboard:
MGA3TOO mga4-64-ok =>
MGA3TOO mga4-32-ok mga4-64-ok

It reports that latest stable is 4.1.8 released on 2014-02-22. We should probably update to that one now.

claire robinson
2014-02-24 09:15:40 CET
Whiteboard:
MGA3TOO mga4-32-ok mga4-64-ok =>
MGA3TOO feedback mga4-32-ok mga4-64-ok

I agree (I was thinking the same thing myself).

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated phpmyadmin packages fix security vulnerabilities:

Cross-site scripting (XSS) vulnerability in import.php in phpMyAdmin before 4.1.7 allows remote authenticated users to inject arbitrary web script or HTML via a crafted filename in an import action (CVE-2014-1879).

This upgrade provides the latest phpmyadmin version (4.1.8) to address this vulnerability.

Additionally the phpseclib package has been added in Mageia 3 and updated in Mageia 4, due to new dependencies.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1879
http://www.phpmyadmin.net/home_page/security/PMASA-2014-1.php
http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2014:046/
========================

Updated packages in core/updates_testing:
========================
phpseclib-0.3.5-1.mga3
phpmyadmin-4.1.8-1.mga3
phpseclib-0.3.5-1.mga4
phpmyadmin-4.1.8-1.mga4

from SRPMS:
phpseclib-0.3.5-1.mga3.src.rpm
phpmyadmin-4.1.8-1.mga3.src.rpm
phpseclib-0.3.5-1.mga4.src.rpm
phpmyadmin-4.1.8-1.mga4.src.rpm

Whiteboard:
MGA3TOO feedback mga4-32-ok mga4-64-ok =>
MGA3TOO

Testing complete mga3 64

Now shows as being "up to date"

After installation browsed to http://localhost/phpmyadmin
Logged in as sql root user, created a test user with matching database.
Created a table in the new database.
Deleted user and associated database.
Logged out

Testing mga3 32 as well shortly

Whiteboard:
MGA3TOO =>
MGA3TOO has_procedure mga3-64-ok

Testing complete mga3 32

Whiteboard:
MGA3TOO has_procedure mga3-64-ok =>
MGA3TOO has_procedure mga3-32-ok mga3-64-ok

Testing complete on Mageia 4 32 and 64 using same process as Claire

CC:
(none) =>
ennael1

Update validated on both Mageia 3 and 4

Thanks.

Advisory:

Updated phpmyadmin packages fix security vulnerabilities:

Cross-site scripting (XSS) vulnerability in import.php in phpMyAdmin before 4.1.7 allows remote authenticated users to inject arbitrary web script or HTML via a crafted filename in an import action (CVE-2014-1879).

This upgrade provides the latest phpmyadmin version (4.1.8) to address this vulnerability.

Additionally the phpseclib package has been added in Mageia 3 and updated in Mageia 4, due to new dependencies.

SRPMS:
phpseclib-0.3.5-1.mga3.src.rpm
phpmyadmin-4.1.8-1.mga3.src.rpm
phpseclib-0.3.5-1.mga4.src.rpm
phpmyadmin-4.1.8-1.mga4.src.rpm

Could sysadmin please push from core/updates_testing to core/updates for both Mageia 3 and 4?

Thank you!

Keywords:
(none) =>
validated_update

Advisory uploaded.

CC:
(none) =>
remi

Update pushed:
http://advisories.mageia.org/MGASA-2014-0099.html

Status:
NEW =>
RESOLVED