Bug 13573

Summary: phpmyadmin new security issue CVE-2014-4349
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: lists.jjorge, oe, sysadmin-bugs, tmb
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/603753/
Whiteboard: MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Source RPM: phpmyadmin-4.1.8-1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-06-22 16:15:56 CEST 
Upstream has issued an advisory on June 20:
http://www.phpmyadmin.net/home_page/security/PMASA-2014-3.php

The issue is fixed in 4.1.14.1.  We should update Mageia 3 and Mageia 4 to it.

We should also update Cauldron to 4.2.4 to fix that issue and another:
http://www.phpmyadmin.net/home_page/security/PMASA-2014-2.php (CVE-2014-4348)

Reproducible: 

Steps to Reproduce:
David Walser 2014-06-22 16:16:15 CEST

CC: (none) => lists.jjorge, oe

David Walser 2014-06-22 16:16:20 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

Comment 1 David Walser 2014-06-23 16:14:23 CEST 
Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated phpmyadmin packages fix security vulnerability:

In phpMyAdmin before 4.1.14, it is possible to trigger an XSS when hiding or
unhiding a crafted table name in the navigation, due to unescaped HTML output
in the navigation items hiding feature.  Note that this vulnerability can only
be triggered by someone who logged in to phpMyAdmin, as the usual token
protection prevents non-logged-in users from accessing the required form
(CVE-2014-4349).

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4349
http://www.phpmyadmin.net/home_page/security/PMASA-2014-3.php
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-4.1.14.1-1.mga3
phpmyadmin-4.1.14.1-1.mga4

from SRPMS:
phpmyadmin-4.1.14.1-1.mga3.src.rpm
phpmyadmin-4.1.14.1-1.mga4.src.rpm

Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO

Comment 2 claire robinson 2014-06-23 19:53:27 CEST 
Procedure: https://bugs.mageia.org/show_bug.cgi?id=12834#c7

Whiteboard: MGA3TOO => MGA3TOO has_procedure

Comment 3 claire robinson 2014-06-24 16:43:26 CEST 
Testing complete mga4 64
Comment 4 claire robinson 2014-06-24 17:03:43 CEST 
Testing complete mga4 32

Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga4-32-ok mga4-64-ok

Comment 5 claire robinson 2014-06-24 17:36:54 CEST 
Testing complete mga3 32

Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga4-32-ok mga4-64-ok

Comment 6 claire robinson 2014-06-24 17:47:22 CEST 
Testing complete mga3 64

Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok

Comment 7 claire robinson 2014-06-24 18:01:38 CEST 
Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 8 Thomas Backlund 2014-06-27 17:25:58 CEST 
Update pushed:
http://advisories.mageia.org/MGASA-2014-0275.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

David Walser 2014-06-27 18:30:51 CEST

URL: (none) => http://lwn.net/Vulnerabilities/603753/