| Summary: | phpmyadmin new security issue fixed upstream in 4.7.0 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | davidwhodgins, lists.jjorge, sysadmin-bugs |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | advisory MGA5-64-OK MGA5-32-OK | | |
| Source RPM: | phpmyadmin-4.6.6-1.mga6.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2017-03-30 12:16:00 CEST
David Walser
2017-03-30 12:16:12 CEST
Whiteboard: (none) => MGA5TOO

4.7.0 gone to cauldron, now this bug is about MGA5. I have rediffed the patch for version 4.0.

Suggested Advisory:
========================

Updated phpmyadmin package fixes security vulnerability:

A vulnerability was discovered where the restrictions caused by $cfg['Servers'][$i]['AllowNoPassword'] = false are bypassed under certain PHP versions. This can allow the login of users who have no password set even if the administrator has set $cfg['Servers'][$i]['AllowNoPassword'] to false (which is also the default).

https://www.phpmyadmin.net/security/PMASA-2017-8/

Updated packages in core/updates_testing:
========================
phpmyadmin-4.4.15.10-2.mga5

from phpmyadmin-4.4.15.10-2.mga5.src.rpm

Status: NEW => ASSIGNED
David Walser
2017-03-31 20:49:31 CEST
Whiteboard: MGA5TOO => (none)

Couldn't figure out how to recreate the issue with 4.4.15.10-1, so just testing that the update installs cleanly, and adding dropping sql objects with the updated phpmyadmin works.

Validating the update.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0100.html

Status: ASSIGNED => RESOLVED