Bug 15945

Summary: phpmyadmin new security issues CVE-2015-3902 and CVE-2015-3903
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: sysadmin-bugs, wrw105
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/644878/
Whiteboard: mga4-64-ok mga4-32-ok advisory has_procedure
Source RPM: phpmyadmin-4.1.14.8-1.mga4.src.rpm CVE:
Status comment:

Description David Walser 2015-05-15 16:24:54 CEST 
Upstream has issued advisories on May 13:
http://www.phpmyadmin.net/home_page/security/PMASA-2015-2.php
http://www.phpmyadmin.net/home_page/security/PMASA-2015-3.php

It turns out that phpMyAdmin 4.1.x is affected by these issues, but it is no longer supported upstream.  Easiest way forward is updating to a supported version, so I'll resync Mageia 4 with Mageia 5 and move to 4.2.x.

Updated packages (4.2.13.3) uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated phpmyadmin package fixes security vulnerabilities:

In phpMyAdmin before 4.2.13.3, by deceiving a user to click on a crafted URL,
it is possible to alter the configuration file being generated with phpMyAdmin
setup (CVE-2015-3902).

In phpMyAdmin before 4.2.13.3, a vulnerability in the API call to GitHub can
be exploited to perform a man-in-the-middle attack (CVE-2015-3903).

With this update, the phpmyadmin package has been updated to the 4.2 branch,
which has some additional changes and new features.  The 4.1 branch is no
longer supported.

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3902
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3903
http://www.phpmyadmin.net/home_page/security/PMASA-2015-2.php
http://www.phpmyadmin.net/home_page/security/PMASA-2015-3.php
https://sourceforge.net/p/phpmyadmin/news/2014/05/phpmyadmin-420-is-released/
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-4.2.13.3-1.mga4

from phpmyadmin-4.2.13.3-1.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2015-05-15 16:25:17 CEST 
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=12834#c7
https://bugs.mageia.org/show_bug.cgi?id=14208#c6

Whiteboard: (none) => has_procedure

Comment 2 Bill Wilkinson 2015-05-16 14:38:55 CEST 
Tested mga4-64

Logged in, created user and database, entered data into database and browsed, deleted user and database.  All OK.

CC: (none) => wrw105
Whiteboard: has_procedure => mga4-64-ok has_procedure

Comment 3 claire robinson 2015-05-18 10:50:41 CEST 
Testing complete mga4 32

Whiteboard: mga4-64-ok has_procedure => mga4-64-ok mga4-32-ok has_procedure

Comment 4 claire robinson 2015-05-18 15:08:10 CEST 
Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: mga4-64-ok mga4-32-ok has_procedure => mga4-64-ok mga4-32-ok advisory has_procedure
CC: (none) => sysadmin-bugs

David Walser 2015-05-18 19:13:34 CEST

URL: (none) => http://lwn.net/Vulnerabilities/644878/

Comment 5 Mageia Robot 2015-05-18 21:09:04 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0232.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED