Bug 31527

Summary: phpmyadmin: update to latest version 5.2.1
Product: Mageia Reporter: Marc Krämer <mageia>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, mageia, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: phpmyadmin CVE: PMASA-2023-01
Status comment:

Comment 1 Marc Krämer 2023-02-08 19:24:44 CET 
Updated phpmyadmin fix some errors and add some improvements:


- issue #17506 Fix error when configuring 2FA without XMLWriter or Imagick
- issue #17519 Fix Export pages not working in certain conditions
- issue #17121 Fix password_hash function incorrectly adding single quotes to password before hashing
- issue #17736 Add utf8mb3 as an alias of utf8 on the charset description page
- issue #17248 Support the UUID data type for MariaDB >= 10.7
- issue #16042 Fixes malformed downloads when using gzip compression type and FireFox browser
- Add `spellcheck="false"` to all password fields and some text fields to avoid spell-jacking data leaks
- Fixes for JavaScript errors when using Designer
- Fixes for PHP 8.2 compatibility

References:
https://www.phpmyadmin.net/news/2023/2/8/phpmyadmin-4911-and-521-are-released/
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-5.2.1-1.mga8.noarch.rpm

SRPM:
phpmyadmin-5.2.1-1.mga8.src.rpm

Assignee: mageia => qa-bugs

Comment 2 Marc Krämer 2023-02-08 19:27:59 CET 
Found this too - but not much info about this. No CVE, ..

[security] Fix an XSS attack through the drag-and-drop upload feature (PMASA-2023-01)

CVE: (none) => PMASA-2023-01
QA Contact: (none) => security
Component: RPM Packages => Security

Comment 3 David Walser 2023-02-09 17:28:39 CET 
Additional reference:
https://www.phpmyadmin.net/security/PMASA-2023-1/
Comment 4 PC LX 2023-02-10 11:42:06 CET 
Installed and tested without issues.


Tested local and remote MariaDB and MySQL servers. No issues.
Using php-fpm instead of mod_php.
Using two factor authentication plugin.


System: Mageia 8, x86_64, Apache, MariaDB, MySQL, Firefox, Chromium, AMD CPU.


$ uname -a
Linux jupiter 6.1.6-desktop-1.mga8 #1 SMP PREEMPT_DYNAMIC Sat Jan 14 13:18:00 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q phpmyadmin apache mariadb
phpmyadmin-5.2.1-1.mga8
apache-2.4.55-1.mga8
mariadb-10.5.19-1.mga8

CC: (none) => mageia

Comment 5 PC LX 2023-02-13 02:31:57 CET 
This update has been working for 4 days without issues so will give it the OK. Please undo if needed.

Whiteboard: (none) => MGA8-64-OK

Comment 6 Thomas Andrews 2023-02-13 19:09:55 CET 
Validating. Advisory information in comment 1, comment 2, and comment 3.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Dave Hodgins 2023-02-14 21:33:33 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 7 Mageia Robot 2023-02-14 23:45:11 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0049.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 8 David Walser 2023-02-15 17:57:58 CET 
(In reply to David Walser from comment #3)
> Additional reference:
> https://www.phpmyadmin.net/security/PMASA-2023-1/

This now has CVE-2023-25727:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/VQ5VVS2CGDQ32RHYLQQZFFFADPEZO6KM/