Bug 12834 - phpmyadmin new security issue CVE-2014-1879
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/587543/
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3...
Keywords: validated_update
Reported: 2014-02-21 02:00 CET by David Walser
Modified: 2014-02-25 23:22 CET
Source RPM: phpmyadmin

Description David Walser 2014-02-21 02:00:06 CET
The issue is fixed upstream in 4.1.7, which Oden has already submitted in Cauldron.
Comment 2 David Walser 2014-02-21 17:48:43 CET
Backported 4.1.7 to Mageia 3 and Mageia 4 as advised by Oden (he did the same for MBS).

For Mageia 3 this is a major update (from 3.5.8.x) and adds an additional requires on the phpseclib package which has been freshly imported.  For Mageia 4, that package already existed but has been updated to a newer version.

Advisory:
========================

Updated phpmyadmin packages fix security vulnerabilities:

Cross-site scripting (XSS) vulnerability in import.php in phpMyAdmin
before 4.1.7 allows remote authenticated users to inject arbitrary
web script or HTML via a crafted filename in an import action
(CVE-2014-1879).

This upgrade provides the latest phpmyadmin version (4.1.7) to address
this vulnerability.

Additionally the phpseclib package has been added in Mageia 3 and updated in
Mageia 4, due to new dependencies.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1879
http://www.phpmyadmin.net/home_page/security/PMASA-2014-1.php
http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2014:046/
========================

Updated packages in core/updates_testing:
========================
phpseclib-0.3.5-1.mga3
phpmyadmin-4.1.7-1.mga3
phpseclib-0.3.5-1.mga4
phpmyadmin-4.1.7-1.mga4

from SRPMS:
phpseclib-0.3.5-1.mga3.src.rpm
phpmyadmin-4.1.7-1.mga3.src.rpm
phpseclib-0.3.5-1.mga4.src.rpm
phpmyadmin-4.1.7-1.mga4.src.rpm
Comment 3 Daniel Napora 2014-02-22 01:52:13 CET
Testing complete mga4 64
Comment 4 Daniel Napora 2014-02-22 02:00:08 CET
Tested also on mga4 32 seems everything works fine
Comment 5 claire robinson 2014-02-24 08:45:30 CET
It reports that the latest stable is 4.1.8, released on 2014-02-22; we should probably update to that one now.
Comment 6 David Walser 2014-02-24 18:46:40 CET
I agree (I was thinking the same thing myself).

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated phpmyadmin packages fix security vulnerabilities:

Cross-site scripting (XSS) vulnerability in import.php in phpMyAdmin
before 4.1.7 allows remote authenticated users to inject arbitrary
web script or HTML via a crafted filename in an import action
(CVE-2014-1879).

This upgrade provides the latest phpmyadmin version (4.1.8) to address
this vulnerability.

Additionally the phpseclib package has been added in Mageia 3 and updated in
Mageia 4, due to new dependencies.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1879
http://www.phpmyadmin.net/home_page/security/PMASA-2014-1.php
http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2014:046/
========================

Updated packages in core/updates_testing:
========================
phpseclib-0.3.5-1.mga3
phpmyadmin-4.1.8-1.mga3
phpseclib-0.3.5-1.mga4
phpmyadmin-4.1.8-1.mga4

from SRPMS:
phpseclib-0.3.5-1.mga3.src.rpm
phpmyadmin-4.1.8-1.mga3.src.rpm
phpseclib-0.3.5-1.mga4.src.rpm
phpmyadmin-4.1.8-1.mga4.src.rpm
Comment 7 claire robinson 2014-02-24 22:54:44 CET
Testing complete mga3 64

Now shows as being "up to date"

After installation browsed to http://localhost/phpmyadmin
Logged in as sql root user, created a test user with matching database. 
Created a table in the new database.
Deleted user and associated database.
Logged out

Testing mga3 32 as well shortly
Comment 8 claire robinson 2014-02-24 23:04:56 CET
Testing complete mga3 32
Comment 9 Anne Nicolas 2014-02-25 00:03:26 CET
Testing complete on Mageia 4 32 and 64 using same process as Claire
Comment 10 Anne Nicolas 2014-02-25 00:05:54 CET
Update validated on both Mageia 3 and 4
Thanks.

Advisory:

Updated phpmyadmin packages fix security vulnerabilities:

Cross-site scripting (XSS) vulnerability in import.php in phpMyAdmin
before 4.1.7 allows remote authenticated users to inject arbitrary
web script or HTML via a crafted filename in an import action
(CVE-2014-1879).

This upgrade provides the latest phpmyadmin version (4.1.8) to address
this vulnerability.

Additionally the phpseclib package has been added in Mageia 3 and updated in
Mageia 4, due to new dependencies.


SRPMS: 
phpseclib-0.3.5-1.mga3.src.rpm
phpmyadmin-4.1.8-1.mga3.src.rpm
phpseclib-0.3.5-1.mga4.src.rpm
phpmyadmin-4.1.8-1.mga4.src.rpm

Could sysadmin please push from core/updates_testing to core/updates for both Mageia 3 and 4?

Thank you!
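The advisory text repeated in comments 2, 6 and 10 describes CVE-2014-1879 as cross-site scripting through a crafted filename in an import action. As an added illustration of that vulnerability class (not phpMyAdmin's own code; the function names, message format and sample filename are assumptions), here is the unescaped rendering pattern beside the encoded one, plus an input allowlist as defence in depth:

```php
<?php
// Added illustration of the vulnerability class named in the advisory (CVE-2014-1879:
// a crafted upload filename reflected into the import page). This is not phpMyAdmin's
// code; function names, the message format and the sample filename are assumptions.

// Vulnerable pattern: the client-supplied filename lands in the HTML response as-is.
function importStatusUnsafe(string $filename): string
{
    return '<p>File ' . $filename . ' imported successfully.</p>';
}

// Fix: encode the value for the HTML context it is rendered in. ENT_QUOTES also
// covers attribute contexts; ENT_SUBSTITUTE avoids an empty result on invalid UTF-8.
function importStatusSafe(string $filename): string
{
    $escaped = htmlspecialchars($filename, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p>File ' . $escaped . ' imported successfully.</p>';
}

// Defence in depth: accept only a conservative set of filename characters before
// the name is stored or logged; output encoding above remains the actual fix.
function isAcceptableImportName(string $filename): bool
{
    return (bool) preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$/', basename($filename));
}

// Constructed sample: an upload name that carries markup, as the advisory describes.
$crafted = 'dump<script>alert(1)</script>.sql';

echo importStatusUnsafe($crafted), PHP_EOL;   // markup reaches the browser intact
echo importStatusSafe($crafted), PHP_EOL;     // markup is rendered as literal text

// Checks a reviewer can keep as a regression test for the rendering function.
assert(strpos(importStatusSafe($crafted), '<script') === false);
assert(isAcceptableImportName('backup-2014-02-21.sql') === true);
assert(isAcceptableImportName($crafted) === false);
```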
Comment 11 Rémi Verschelde 2014-02-25 00:17:52 CET
Advisory uploaded.
Comment 12 Thomas Backlund 2014-02-25 23:22:27 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0099.html
