Bug 17849

Summary: phpmyadmin new security issues CVE-2016-2560 and CVE-2016-2561
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: sysadmin-bugs, wilcal.int
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/678631/
Whiteboard: has_procedure advisory MGA5-32-OK MGA5-64-OK
Source RPM: phpmyadmin-4.4.15.4-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-03-01 01:41:40 CET 
Upstream has released new versions today (February 29):
https://www.phpmyadmin.net/news/2016/2/29/phpmyadmin-401015-44155-and-4551-are-released/

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated phpmyadmin package fixes security vulnerabilities:

Multiple cross-site scripting (XSS) issues in phpMyAdmin before 4.4.5.5
(CVE-2016-2560, CVE-2016-2561).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2560
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2561
https://www.phpmyadmin.net/security/PMASA-2016-11/
https://www.phpmyadmin.net/security/PMASA-2016-12/
https://www.phpmyadmin.net/files/4.4.15.5/
https://www.phpmyadmin.net/news/2016/2/29/phpmyadmin-401015-44155-and-4551-are-released/
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-4.4.15.5-1.mga5

from phpmyadmin-4.4.15.5-1.mga5.src.rpm
Comment 1 David Walser 2016-03-01 01:41:57 CET 
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=12834#c7
https://bugs.mageia.org/show_bug.cgi?id=14208#c6

Whiteboard: (none) => has_procedure

Comment 2 William Kenney 2016-03-01 17:41:11 CET 
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
mariadb phpmyadmin

default install of mariadb & phpmyadmin

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.0.23-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.4.15.4-1.mga5.noarch is already installed

start mysqladmin, set password to "mytest"
open http://localhost/phpmyadmin/
create new database called test01. Close browser.
Successfully reopen: http://localhost/phpmyadmin/

install phpmyadmin from updates_testing

[root@localhost wilcal]# urpmi phpmyadmin
A requested package cannot be installed:
phpmyadmin-4.4.15.5-1.mga5.noarch (due to unsatisfied pear(config.sample.inc.php))

CC: (none) => wilcal.int

Comment 3 David Walser 2016-03-01 18:20:01 CET 
Should be fixed.

Updated packages in core/updates_testing:
========================
phpmyadmin-4.4.15.5-1.1.mga5

from phpmyadmin-4.4.15.5-1.1.mga5.src.rpm
Comment 4 claire robinson 2016-03-01 19:30:31 CET 
Advisory uploaded with srpm from comment 3

Whiteboard: has_procedure => has_procedure advisory

Comment 5 David Walser 2016-03-02 16:28:03 CET 
New tarball included a test directory that should not be packaged.  Removed it.

Updated packages in core/updates_testing:
========================
phpmyadmin-4.4.15.5-1.2.mga5

from phpmyadmin-4.4.15.5-1.2.mga5.src.rpm

Advisory fixed in SVN too.
Comment 6 William Kenney 2016-03-02 18:56:04 CET 
In VirtualBox, M5, KDE, 32-bit

install: mariadb phpmyadmin

Install and setup mariadb & phpmyadmin
In a su root terminal: systemctl start mysqld.service
Set password to: mytest
[root@localhost wilcal]# mysqladmin -u root password
type password "mytest" twice
In Browser: localhost/phpmyadmin
user: root
PW: mytest
remember password "mytest"

Package(s) under test:
mariadb phpmyadmin

default install of mariadb & phpmyadmin

[[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.0.23-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.4.15.4-1.mga5.noarch is already installed

start mysqladmin, set password to "mytest"
open http://localhost/phpmyadmin/
create new database called test01. Close browser.
Successfully reopen: http://localhost/phpmyadmin/ & db test01

install phpmyadmin from updates_testing

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.0.23-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.4.15.5-1.2.mga5.noarch is already installed

open http://localhost/phpmyadmin/
create new database called test02. Close browser.
Successfully reopen: http://localhost/phpmyadmin/
I can open db's test01 & test02
Comment 7 William Kenney 2016-03-02 19:13:49 CET 
In VirtualBox, M5, KDE, 64-bit

install: mariadb phpmyadmin

Install and setup mariadb & phpmyadmin
In a su root terminal: systemctl start mysqld.service
Set password to: mytest
[root@localhost wilcal]# mysqladmin -u root password
type password "mytest" twice
In Browser: localhost/phpmyadmin
user: root
PW: mytest
remember password "mytest"

Package(s) under test:
mariadb phpmyadmin

default install of mariadb & phpmyadmin

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.0.23-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.4.15.4-1.mga5.noarch is already installed

start mysqladmin, set password to "mytest"
open http://localhost/phpmyadmin/
create new database called test01. Close browser.
Successfully reopen: http://localhost/phpmyadmin/ & db test01

install phpmyadmin from updates_testing

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.0.23-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.4.15.5-1.2.mga5.noarch is already installed

open http://localhost/phpmyadmin/
create new database called test02. Close browser.
Successfully reopen: http://localhost/phpmyadmin/
I can open db's test01 & test02
Comment 8 William Kenney 2016-03-02 19:14:27 CET 
Looks good now. Anything else David?
Comment 9 David Walser 2016-03-02 19:16:25 CET 
Good to go.  Thanks.
Comment 10 William Kenney 2016-03-02 19:19:11 CET 
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure advisory => has_procedure advisory MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 11 Mageia Robot 2016-03-02 19:30:34 CET 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0092.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2016-03-03 19:22:16 CET

URL: (none) => http://lwn.net/Vulnerabilities/678631/