| Summary: | phpmyadmin is newer in MDV 2010.2 (contrib) updates than Mageia 1 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | | |
| Priority: | Normal | CC: | davidwhodgins, derekjenn, lists.jjorge, sysadmin-bugs, tmb |
| Version: | 1 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Source RPM: | phpmyadmin-3.4.9-1.mga1.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2012-04-08 15:59:49 CEST

---

David Walser
2012-04-08 16:00:10 CEST

Assigning to maintainer.

CC: (none) => lists.jjorge
Assignee: bugsquad => lists.jjorge

---

Submitted phpmyadmin-3.5.0-1.mga1 to testing. Push to Cauldron asked.

Status: NEW => ASSIGNED

---

Thanks José.

Advisory:
========================

Updated phpmyadmin package fixes security vulnerabilities:

It was possible to conduct XSS using a crafted database name in phpMyAdmin 3.4.x before 3.4.10.2. The victim would have to willingly click on a database name which clearly shows a possible XSS (CVE-2012-1190).

show_config_errors.php in phpMyAdmin 3.4.x before 3.4.10.2, when a configuration file does not exist, allows remote attackers to obtain sensitive information via a direct request, which reveals the installation path in an error message about this missing file (CVE-2012-1902).

This update also allows upgrading from Mandriva 2010.2.

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1190
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1902
http://www.phpmyadmin.net/home_page/security/PMASA-2012-1.php
http://www.phpmyadmin.net/home_page/security/PMASA-2012-2.php
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-3.5.0-1.mga1

from phpmyadmin-3.5.0-1.mga1.src.rpm

---

Update Validated.

Upgraded production phpmyadmin to phpmyadmin-3.5.0-1.mga1. Confirmed no regressions in normal operation with databases.

Could sysadmin please push phpmyadmin-3.5.0-1.mga1.src.rpm from core/updates_testing to core/updates.

Advisory:
========================

Updated phpmyadmin package fixes security vulnerabilities:

It was possible to conduct XSS using a crafted database name in phpMyAdmin 3.4.x before 3.4.10.2. The victim would have to willingly click on a database name which clearly shows a possible XSS (CVE-2012-1190).

show_config_errors.php in phpMyAdmin 3.4.x before 3.4.10.2, when a configuration file does not exist, allows remote attackers to obtain sensitive information via a direct request, which reveals the installation path in an error message about this missing file (CVE-2012-1902).

This update also allows upgrading from Mandriva 2010.2.

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1190
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1902
http://www.phpmyadmin.net/home_page/security/PMASA-2012-1.php
http://www.phpmyadmin.net/home_page/security/PMASA-2012-2.php
========================

Keywords: (none) => validated_update

---

Testing complete on i586 for the srpm phpmyadmin-3.5.0-1.mga1.src.rpm.

Just browsing through https://localhost/phpmyadmin, created a table, and dropped it.

CC: (none) => davidwhodgins

---

Derek, which arch did you test on? Most updates shouldn't be validated until they have been tested on both architectures.

---

I was using x86_64, but phpmyadmin is .noarch so it should not matter.

---

Update pushed.

Status: ASSIGNED => RESOLVED

---

(In reply to comment #7)
> I was using x86_64, but phpmyadmin is .noarch so it should not matter.

Sorry, you're right. My mistake.
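As an added illustration of the bug class behind CVE-2012-1190 in the advisory above (this is example code written for this page, not phpMyAdmin's code and not the fix shipped in 3.4.10.2): a database link built by interpolating the database name straight into HTML, beside a form that URL-encodes the name for the query string and HTML-escapes it for the attribute and the link text. The function names, the target script name in the href and the crafted database name are constructed for the example; a small parser-based check counts the tags that actually come out of each rendering.

```python
"""Constructed example: XSS via a crafted database name in a generated link.

Not phpMyAdmin code. Demonstrates why an identifier chosen by a database
user must be escaped before it is placed into HTML, and how to check the
result with a real HTML tokenizer rather than by eye.
"""
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed sample: MySQL accepts most characters in a quoted identifier,
# so a user allowed to create databases can pick a name carrying markup.
CRAFTED_DB_NAME = 'shop"><img src=x onerror=alert(1)>'


def render_db_link_unsafe(db_name: str) -> str:
    """Vulnerable pattern: plain string interpolation into HTML.

    The name lands unescaped inside an attribute value and in text content,
    so a double quote followed by a tag breaks out of the anchor.
    """
    return f'<a href="db_structure.php?db={db_name}">{db_name}</a>'


def render_db_link_safe(db_name: str) -> str:
    """Hardened form: one encoding per context.

    - quote(..., safe="") percent-encodes the name for the query string
      (this also keeps '"' and '>' out of the attribute value);
    - html.escape(..., quote=True) neutralises <, >, &, ' and " in text.
    """
    href = "db_structure.php?db=" + quote(db_name, safe="")
    return f'<a href="{href}">{html.escape(db_name, quote=True)}</a>'


class _StartTagCollector(HTMLParser):
    """Records every start tag the tokenizer sees, in document order."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def start_tags(fragment: str) -> list[str]:
    """Tokenize an HTML fragment and return the start tags it contains.

    A correctly rendered database link yields exactly ['a']; any other tag
    means attacker-controlled text was interpreted as markup.
    """
    parser = _StartTagCollector()
    parser.feed(fragment)
    parser.close()
    return parser.tags


def link_is_clean(fragment: str) -> bool:
    """True when the fragment contains only the single anchor we emitted."""
    return start_tags(fragment) == ["a"]


if __name__ == "__main__":
    for label, render in (("unsafe", render_db_link_unsafe),
                          ("safe", render_db_link_safe)):
        out = render(CRAFTED_DB_NAME)
        print(f"{label}: tags={start_tags(out)} clean={link_is_clean(out)}")
        print("  " + out)
```

The check deliberately uses the tokenizer rather than a substring search: the unsafe rendering contains the injected `<img>` twice (once from the attribute break-out, once from the text), which a naive `"<script" in out` style filter would not even notice, while the safe rendering tokenizes to the single anchor regardless of what the name contains.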