| Summary: | phpmyadmin new security issues fixed in 3.5.3 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | | |
| Priority: | Normal | CC: | davidwhodgins, lists.jjorge, sysadmin-bugs, tmb |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| Whiteboard: | MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-64-OK MGA1-32-OK | | |
| Source RPM: | phpmyadmin | CVE: | |
| Status comment: | | | |
Description
David Walser 2012-10-09 03:37:21 CEST

David Walser 2012-10-09 03:38:12 CEST
CC: (none) => lists.jjorge

Comment 1
José Jorge 2012-10-10 21:21:53 CEST
Updated in cauldron, now for 1 and 2:

Advisory:
========================
Updated phpmyadmin package fixes bugs and security vulnerabilities
========================
Updated packages in core/updates_testing:
========================
phpmyadmin-3.5.3-1.mga2
phpmyadmin-3.5.3-1.1.mga1

from phpmyadmin-3.5.3-1.mga[1-2].src.rpm

Status: NEW => ASSIGNED
Assignee: lists.jjorge => qa-bugs

Comment 2
José, thanks. The subrel in the Mageia 1 package causes it to be newer than the Mageia 2 and Cauldron packages, which is a problem. You could ask the sysadmins to delete it from Mageia 1 updates_testing, remove the subrel, and resubmit it to the build system, or you could add the subrel in the Mageia 2 package and bump the release in the Cauldron package.

Version: Cauldron => 2

Comment 3
(In reply to comment #2)
> you could add the subrel in the Mageia 2 package and bump the release in the Cauldron package.

I took this second path, so now it is phpmyadmin-3.5.3-1.1.mga2

Comment 4
Testing complete. No PoC, so just checked creating db, running sql depcheck, etc.

Could someone from the sysadmin team push the srpm phpmyadmin-3.5.3-1.mga2 from Mageia 2 Core Updates Testing to Core Updates, and the srpm phpmyadmin-3.5.3-1.1.mga from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated phpmyadmin package fixes bugs and security vulnerabilities

PMASA-2012-6 - Multiple XSS vulnerabilities
PMASA-2012-7 - Fetching the version information from a non-SSL site is vulnerable to a MITM attack.

http://www.phpmyadmin.net/home_page/security/PMASA-2012-6.php
http://www.phpmyadmin.net/home_page/security/PMASA-2012-7.php
https://bugs.mageia.org/show_bug.cgi?id=7744

Keywords: (none) => validated_update

Comment 5
Not pushing.... Upgrade path from mga1 to mga2 is broken:

```
$ rpmdev-vercmp 3.5.3-1.1.mga1 3.5.3-1.mga2
3.5.3-1.1.mga1 > 3.5.3-1.mga2
```

I pushed a 3.5.3-2 to 2/updates_testing

Keywords: validated_update => (none)

Comment 6
Good catch Thomas.

Testing complete on Mageia 2 i586 and x86-64.

Could someone from the sysadmin team push the srpm phpmyadmin-3.5.3-2.1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates, and the srpm phpmyadmin-3.5.3-1.1.mga1.src.rpm from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated phpmyadmin package fixes bugs and security vulnerabilities

PMASA-2012-6 - Multiple XSS vulnerabilities
PMASA-2012-7 - Fetching the version information from a non-SSL site is vulnerable to a MITM attack.

http://www.phpmyadmin.net/home_page/security/PMASA-2012-6.php
http://www.phpmyadmin.net/home_page/security/PMASA-2012-7.php
https://bugs.mageia.org/show_bug.cgi?id=7744

Keywords: (none) => validated_update

Comment 7
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0298

Status: ASSIGNED => RESOLVED

Comment 8
What happened here? José made 1.1.mga2 (see Comment 3) to fix the upgrade path problem, so that shouldn't have been an issue. If Thomas changed the release tag to 2 and didn't remove the subrel and it's now 2.1.mga2, then it has now broken the upgrade path to Cauldron (2.mga3).

Comment 9
Ah, I missed comment 3 that states the 1.1.mga2 now, so it would have been ok then... I only read comment 4... anyway... cauldron upgrade path is ok, I pushed a -3 to cauldron at the same time I pushed -2 to updates_testing...

Comment 10
This has CVEs now:
CVE-2012-5339
CVE-2012-5368

from http://lwn.net/Vulnerabilities/525828/