| Summary: | phpmyadmin new security issues CVE-2019-6798 and CVE-2019-6799 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | herman.viaene, lewyssmith, mageia, mageia, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA6-32-OK MGA6-64-OK | | |
| Source RPM: | phpmyadmin-4.8.4-1.mga7.src.rpm | CVE: | |
| Status comment: | | | |

Description
David Walser
2019-01-26 12:13:37 CET
David Walser
2019-01-26 12:13:43 CET
Whiteboard: (none) => MGA6TOO

Suggested advisory:
========================

Updated phpmyadmin packages fix security vulnerabilities:

- Possible SQL injection in Designer feature
- When AllowArbitraryServer configuration set to true, with the use of a rogue MySQL server, an attacker can read any file on the server that the web server's user can access.

References:
https://www.phpmyadmin.net/security/PMASA-2019-1/
https://www.phpmyadmin.net/security/PMASA-2019-2/

Updated packages in core/updates_testing:
========================
phpmyadmin-4.7.8-4.mga6

SRPM:
phpmyadmin-4.7.8-4.mga6.src.rpm

Whiteboard: MGA6TOO => (none)

MGA6-32 MATE on IBM Thinkpad R50e
No installation issues, apart from the fact that mysql was not yet installed. I had to initiate this installation.
At CLI:
# systemctl start httpd
# systemctl start mysqld
# mysql_secure_installation
NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!
In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
etc ....
to get a working mysql
Then run phpmyadmin in the browser, create a new database and a new table with PK and unique key.
All OK.

CC: (none) => herman.viaene

Installed and tested without issues.

Tests included:
- Browsing databases, tables and data;
- Creating a test table;
- Inserting, updating and deleting rows;
- Executing several SQL queries;

System: Mageia 6, x86_64, Apache, MariaDB, Intel CPU.

$ uname -a
Linux marte 4.14.89-desktop-1.mga6 #1 SMP Mon Dec 17 13:14:48 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q apache ; rpm -q mariadb
apache-2.4.37-1.2.mga6
mariadb-10.1.37-1.mga6

CC: (none) => mageia

Thank you both for the quick work. Hard to keep up...

Keywords: (none) => advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0057.html

Resolution: (none) => FIXED
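
The second item in the suggested advisory applies only when `$cfg['AllowArbitraryServer']` is true. The following is an added example, not code from this bug report or from phpMyAdmin, that audits the text of a `config.inc.php` for that setting. The function names and the sample config are constructed for illustration, and it assumes the value is assigned as a plain literal.

```python
import re

# $cfg['AllowArbitraryServer'] = <value>;  (either quote style around the key)
_ASSIGN = re.compile(r"""\$cfg\[\s*(['"])AllowArbitraryServer\1\s*\]\s*=\s*([^;]+);""")

def strip_php_comments(src):
    """Drop /* */, // and # comments; quoted strings are copied untouched."""
    out, i, n = [], 0, len(src)
    while i < n:
        ch = src[i]
        if ch in "'\"":
            j = i + 1
            while j < n and src[j] != ch:
                j += 2 if src[j] == "\\" else 1
            out.append(src[i:j + 1])
            i = j + 1
        elif src.startswith("/*", i):
            end = src.find("*/", i + 2)
            i = n if end == -1 else end + 2
        elif src.startswith("//", i) or ch == "#":
            end = src.find("\n", i)
            i = n if end == -1 else end
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def allow_arbitrary_server(config_text):
    """True if the last live assignment is truthy in PHP (the default is false)."""
    enabled = False
    for m in _ASSIGN.finditer(strip_php_comments(config_text)):
        raw = m.group(2).strip()
        if raw[:1] in ("'", '"'):
            enabled = raw[1:-1] not in ("", "0")   # 'false' is a truthy string
        else:
            enabled = raw.lower() not in ("false", "0", "0.0", "null")
    return enabled

# Constructed sample config, not taken from the bug report.
SAMPLE_CONFIG = r"""<?php
/* demo host */
$cfg['blowfish_secret'] = 'x#y//z';   // string containing comment markers
// $cfg['AllowArbitraryServer'] = false;
$cfg['AllowArbitraryServer'] = true;  # enabled for a test, never reverted
"""

if __name__ == "__main__":
    print("AllowArbitraryServer enabled:", allow_arbitrary_server(SAMPLE_CONFIG))
```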