Bug 14721

Summary: phpmyadmin new security issue CVE-2014-9218
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: sysadmin-bugs, wrw105
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/624810/
Whiteboard: has_procedure advisory mga4-64-ok mga4-32-OK
Source RPM: phpmyadmin-4.1.14.7-1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2014-12-03 19:45:06 CET 
Upstream has issued advisories today (December 3):
http://www.phpmyadmin.net/home_page/security/PMASA-2014-17.php
http://www.phpmyadmin.net/home_page/security/PMASA-2014-18.php

The second issue only affects the version in Cauldron.  The update to 4.2.13.1 is committed in SVN and a freeze push has been requested.

Updated package (4.1.14.8) uploaded for Mageia 4.

Advisory:
========================

Updated phpmyadmin package fixes security vulnerabilities:

In phpMyAdmin before 4.1.14.8, with very long passwords it was possible to
initiate a denial of service attack on phpMyAdmin (CVE-2014-9218).

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9218
http://www.phpmyadmin.net/home_page/security/PMASA-2014-17.php
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-4.1.14.8-1.mga4

from phpmyadmin-4.1.14.8-1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2014-12-03 19:45:19 CET 
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=12834#c7
https://bugs.mageia.org/show_bug.cgi?id=14208#c6

Whiteboard: (none) => has_procedure

Comment 2 Bill Wilkinson 2014-12-04 04:54:46 CET 
General testing, mga4-64

Create user/database.
build table on database, enter data, browse data, delete user and database.

All OK.

CC: (none) => wrw105
Whiteboard: has_procedure => has_procedure mga4-64-ok

Comment 3 Bill Wilkinson 2014-12-04 17:47:43 CET 
General testing, mga4-32.

Tested as in comment 2.
All OK
Validating.

Can sysadmin push to core/updates when advisory is uploaded?

Thanks!

Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-64-ok => has_procedure mga4-64-ok mga4-32-OK
CC: (none) => sysadmin-bugs

Comment 4 claire robinson 2014-12-04 18:04:49 CET 
advisory uploaded, thanks Bill.

Whiteboard: has_procedure mga4-64-ok mga4-32-OK => has_procedure advisory mga4-64-ok mga4-32-OK

Comment 5 Mageia Robot 2014-12-05 16:54:54 CET 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2014-0510.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2014-12-05 18:15:26 CET

URL: (none) => http://lwn.net/Vulnerabilities/624810/