Bug 18541

Summary: phpmyadmin new security issue fixed upstream in 4.4.15.6 (CVE-2016-5099)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, lewyssmith, sysadmin-bugs, wilcal.int
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/689274/
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK advisory
Source RPM: phpmyadmin-4.4.15.5-1.2.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-05-26 01:05:11 CEST 
Upstream has issued an advisory today (May 25):
https://www.phpmyadmin.net/security/PMASA-2016-16/

It is fixed in 4.4.15.6:
https://www.phpmyadmin.net/files/4.4.15.6/

The release announcement hasn't been posted yet and there is no CVE available yet.  Advisory to come later.

Updated packages uploaded for Mageia 5 and Cauldron.

If someone could check the Cauldron one too and make sure there are no dependency issues, that'd be great.

Updated packages in core/updates_testing:
========================
phpmyadmin-4.4.15.6-1.mga5

from phpmyadmin-4.4.15.6-1.mga5.src.rpm
Comment 1 David Walser 2016-05-26 01:05:26 CEST 
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=12834#c7
https://bugs.mageia.org/show_bug.cgi?id=14208#c6

Whiteboard: (none) => has_procedure

Comment 2 Lewis Smith 2016-05-26 12:00:01 CEST 
Testing M5 x64

Updated no problems to: phpmyadmin-4.4.15.6-1.mga5

Ran through https://bugs.mageia.org/show_bug.cgi?id=14208#c6
(C) Testing phpMyAdmin steps 2-7
and looked at a couple of existing DBs. Everything seems OK.

CC: (none) => lewyssmith
Whiteboard: has_procedure => has_procedure MGA5-64-OK

Comment 3 David Walser 2016-05-26 12:04:51 CEST 
Still no CVE, but here's an advisory.

Advisory:
========================

Updated phpmyadmin package fixes security vulnerability:

In phpMyAdmin before 4.4.15.6, a specially crafted attack could allow for
special HTML characters to be passed as URL encoded values and displayed back
as special characters in the page (PMASA-2016-16).

References:
https://www.phpmyadmin.net/security/PMASA-2016-16/
https://www.phpmyadmin.net/files/4.4.15.6/
https://www.phpmyadmin.net/news/2016/5/26/phpmyadmin-security-notifications-and-44156-released/
Comment 4 William Kenney 2016-05-26 18:24:13 CEST 
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
mariadb phpmyadmin

default install of mariadb & phpmyadmin

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.0.25-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.4.15.5-1.2.mga5.noarch is already installed

start mysqladmin, set password to "mytest"
open http://localhost/phpmyadmin/
create new database called test01. Close browser.
Successfully reopen: http://localhost/phpmyadmin/

install phpmyadmin from updates_testing

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.0.25-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.4.15.6-1.mga5.noarch is already installed

open http://localhost/phpmyadmin/
create new database called test02. Close browser.
Successfully reopen: http://localhost/phpmyadmin/
I can access db's test01 & test02

CC: (none) => wilcal.int

William Kenney 2016-05-26 18:24:33 CEST

Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK

Comment 5 William Kenney 2016-05-26 18:25:05 CEST 
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2016-05-27 14:01:41 CEST

CC: (none) => davidwhodgins
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory

Comment 6 David Walser 2016-05-27 14:49:54 CEST 
This one has been assigned CVE-2016-5099.  I amended the advisory in SVN.

Summary: phpmyadmin new security issue fixed upstream in 4.4.15.6 => phpmyadmin new security issue fixed upstream in 4.4.15.6 (CVE-2016-5099)

Comment 7 Mageia Robot 2016-05-29 15:56:07 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0211.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2016-06-01 13:31:51 CEST

URL: (none) => http://lwn.net/Vulnerabilities/689274/