Bug 16724

Summary: phpmyadmin new security issue CVE-2015-6830
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: lists.jjorge, sysadmin-bugs, wrw105
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/657327/
Whiteboard: MGA4TOO has_procedure advisory mga5-64-ok mga4-64-ok
Source RPM: phpmyadmin-4.2.13.3-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-09-09 18:30:59 CEST 
Upstream has issued an advisory on September 8:
https://www.phpmyadmin.net/security/PMASA-2015-4/

The 4.2 branch is apparently no longer supported, so I had to backport the patch from 4.3.  We need a maintainer to update it to the newest supported branch (4.4).

Patched packages uploaded for Mageia 4, Mageia 5, and Cauldron.

Advisory:
========================

Updated phpmyadmin package fixes security vulnerability:

In phpMyAdmin before 4.3.13.2 and 4.4.14.1, installations with reCaptcha
enabled allow completing the reCaptcha test and subsequently performing a
brute force attack to guess user credentials without having to complete
further reCaptcha tests (CVE-2015-6830).

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6830
https://www.phpmyadmin.net/security/PMASA-2015-4/
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-4.2.13.3-1.1.mga4
phpmyadmin-4.2.13.3-1.1.mga5

from SRPMS:
phpmyadmin-4.2.13.3-1.1.mga4.src.rpm
phpmyadmin-4.2.13.3-1.1.mga5.src.rpm

Reproducible: 

Steps to Reproduce:
Comment 1 David Walser 2015-09-09 18:31:11 CEST 
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=12834#c7
https://bugs.mageia.org/show_bug.cgi?id=14208#c6

Whiteboard: (none) => MGA4TOO has_procedure

Comment 2 David Walser 2015-09-09 18:31:58 CEST 
José, please update phpmyadmin in Cauldron to the 4.4 branch.  4.2 is EOL and 4.3 will be EOL in a few weeks.  You're listed in maintdb as the maintainer.

CC: (none) => lists.jjorge

Comment 3 José Jorge 2015-09-09 23:24:16 CEST 
(In reply to David Walser from comment #2)
> José, please update phpmyadmin in Cauldron to the 4.4 branch.  4.2 is EOL
> and 4.3 will be EOL in a few weeks.  You're listed in maintdb as the
> maintainer.

Done. Maybe we should provide it as update for MGA4 and 5 at the next CVE?
Comment 4 David Walser 2015-09-09 23:28:28 CEST 
(In reply to José Jorge from comment #3)
> (In reply to David Walser from comment #2)
> > José, please update phpmyadmin in Cauldron to the 4.4 branch.  4.2 is EOL
> > and 4.3 will be EOL in a few weeks.  You're listed in maintdb as the
> > maintainer.
> 
> Done. Maybe we should provide it as update for MGA4 and 5 at the next CVE?

Thanks.  Mageia 4 will likely be EOL by then, but yes, I plan to update Mageia 5 to 4.4.x the next time an update is needed.
Comment 5 Bill Wilkinson 2015-09-13 21:37:30 CEST 
Tested mga5-64

Created user and database, created table, entered data, deleted user and database.

All OK.

As package is noarch, I'll test mga4-64 and validate.

CC: (none) => wrw105
Whiteboard: MGA4TOO has_procedure => MGA4TOO has_procedure mga5-64-ok

Comment 6 Bill Wilkinson 2015-09-13 21:54:22 CEST 
Tested mga4-64 as above, all OK.

validating. Ready for push when advisory uploaded to svn.

Keywords: (none) => validated_update
Whiteboard: MGA4TOO has_procedure mga5-64-ok => MGA4TOO has_procedure mga5-64-ok mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 7 claire robinson 2015-09-13 22:33:13 CEST 
Advisory uploaded.

Whiteboard: MGA4TOO has_procedure mga5-64-ok mga4-64-ok => MGA4TOO has_procedure advisory mga5-64-ok mga4-64-ok

Comment 8 Mageia Robot 2015-09-13 23:59:39 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0366.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2015-09-14 23:53:19 CEST

URL: (none) => http://lwn.net/Vulnerabilities/657327/