Bug 24012

Summary: phpmyadmin new security issues CVE-2018-1996[89] and CVE-2018-19970
Product: Mageia    Reporter: David Walser <luigiwalser>
Component: Security    Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED    QA Contact: Sec team <security>
Severity: critical
Priority: Normal    CC: herman.viaene, lewyssmith, mageia, sysadmin-bugs
Version: 6    Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA6-32-OK
Source RPM: phpmyadmin-4.8.3-6.mga7.src.rpm CVE:
Status comment:

David Walser 2018-12-15 17:53:20 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Marc Krämer 2018-12-15 20:44:11 CET
yep, but phpmyadmin >4.8.0 only supports php >7
I'll have to look if we can adapt the patches...

CC: (none) => mageia

Comment 2 Marc Krämer 2018-12-15 21:46:28 CET
ok, I'll patch CVE-2018-19970, CVE-2018-19968, waiting for admins to remove testpackage of 4.8.3 from updates testing.

Comment 3 Marc Krämer 2018-12-16 14:21:16 CET
Patched phpmyadmin packages to fix security vulnerabilities:
- XSS vulnerability in navigation tree was discovered
- Local file inclusion through transformation feature
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19970
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19968
https://www.phpmyadmin.net/security/PMASA-2018-6/
https://www.phpmyadmin.net/security/PMASA-2018-8/
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-4.7.8-3.mga6.noarch.rpm

Source RPMs: 
phpmyadmin-4.7.8-3.mga6.src.rpm

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Assignee: php => qa-bugs

Comment 4 Herman Viaene 2018-12-17 11:20:43 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Checked httpd and mysqld are running.
Point to http://localhost/phpmyadmin/, delete previous test database, create a new one, create a new table in it.
Closed phpmyadmin and opened it again. All OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK

Comment 5 Lewis Smith 2018-12-19 12:21:11 CET
Thanks yet again, Herman. Validating; & advisory from comment 3.

Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 6 Mageia Robot 2018-12-20 21:18:30 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0486.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED