The issue is fixed upstream in 4.1.7, which Oden has already submitted in Cauldron.
Whiteboard: (none) => MGA3TOO
http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2014:046/
CC: (none) => oe
URL: (none) => http://lwn.net/Vulnerabilities/587543/
Assignee: bugsquad => lists.jjorge
Backported 4.1.7 to Mageia 3 and Mageia 4 as advised by Oden (he did the same for MBS). For Mageia 3 this is a major update (from 3.5.8.x) and adds an additional requires on the phpseclib package, which has been freshly imported. For Mageia 4, that package already existed but has been updated to a newer version.

Advisory:
========================

Updated phpmyadmin packages fix security vulnerabilities:

Cross-site scripting (XSS) vulnerability in import.php in phpMyAdmin before 4.1.7 allows remote authenticated users to inject arbitrary web script or HTML via a crafted filename in an import action (CVE-2014-1879).

This upgrade provides the latest phpmyadmin version (4.1.7) to address this vulnerability. Additionally the phpseclib package has been added in Mageia 3 and updated in Mageia 4, due to new dependencies.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1879
http://www.phpmyadmin.net/home_page/security/PMASA-2014-1.php
http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2014:046/
========================

Updated packages in core/updates_testing:
========================
phpseclib-0.3.5-1.mga3
phpmyadmin-4.1.7-1.mga3
phpseclib-0.3.5-1.mga4
phpmyadmin-4.1.7-1.mga4

from SRPMS:
phpseclib-0.3.5-1.mga3.src.rpm
phpmyadmin-4.1.7-1.mga3.src.rpm
phpseclib-0.3.5-1.mga4.src.rpm
phpmyadmin-4.1.7-1.mga4.src.rpm
Assignee: lists.jjorge => qa-bugs
CC: (none) => napcok
Whiteboard: MGA3TOO => MGA3TOO mga4-64-ok
Testing complete mga4 64
Tested also on mga4 32; everything seems to work fine.
Whiteboard: MGA3TOO mga4-64-ok => MGA3TOO mga4-32-ok mga4-64-ok
It reports that the latest stable is 4.1.8, released on 2014-02-22; we should probably update to that one now.
Whiteboard: MGA3TOO mga4-32-ok mga4-64-ok => MGA3TOO feedback mga4-32-ok mga4-64-ok
I agree (I was thinking the same thing myself). Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated phpmyadmin packages fix security vulnerabilities:

Cross-site scripting (XSS) vulnerability in import.php in phpMyAdmin before 4.1.7 allows remote authenticated users to inject arbitrary web script or HTML via a crafted filename in an import action (CVE-2014-1879).

This upgrade provides the latest phpmyadmin version (4.1.8) to address this vulnerability. Additionally the phpseclib package has been added in Mageia 3 and updated in Mageia 4, due to new dependencies.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1879
http://www.phpmyadmin.net/home_page/security/PMASA-2014-1.php
http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2014:046/
========================

Updated packages in core/updates_testing:
========================
phpseclib-0.3.5-1.mga3
phpmyadmin-4.1.8-1.mga3
phpseclib-0.3.5-1.mga4
phpmyadmin-4.1.8-1.mga4

from SRPMS:
phpseclib-0.3.5-1.mga3.src.rpm
phpmyadmin-4.1.8-1.mga3.src.rpm
phpseclib-0.3.5-1.mga4.src.rpm
phpmyadmin-4.1.8-1.mga4.src.rpm
Whiteboard: MGA3TOO feedback mga4-32-ok mga4-64-ok => MGA3TOO
Testing complete mga3 64

Now shows as being "up to date".

After installation browsed to http://localhost/phpmyadmin
Logged in as sql root user, created a test user with matching database.
Created a table in the new database.
Deleted user and associated database.
Logged out.

Testing mga3 32 as well shortly.
Whiteboard: MGA3TOO => MGA3TOO has_procedure mga3-64-ok
Testing complete mga3 32
Whiteboard: MGA3TOO has_procedure mga3-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok
Testing complete on Mageia 4 32 and 64 using the same process as Claire.
CC: (none) => ennael1
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok mga4-32-ok
Update validated on both Mageia 3 and 4. Thanks.

Advisory:

Updated phpmyadmin packages fix security vulnerabilities:

Cross-site scripting (XSS) vulnerability in import.php in phpMyAdmin before 4.1.7 allows remote authenticated users to inject arbitrary web script or HTML via a crafted filename in an import action (CVE-2014-1879).

This upgrade provides the latest phpmyadmin version (4.1.8) to address this vulnerability. Additionally the phpseclib package has been added in Mageia 3 and updated in Mageia 4, due to new dependencies.

SRPMS:
phpseclib-0.3.5-1.mga3.src.rpm
phpmyadmin-4.1.8-1.mga3.src.rpm
phpseclib-0.3.5-1.mga4.src.rpm
phpmyadmin-4.1.8-1.mga4.src.rpm

Could sysadmin please push from core/updates_testing to core/updates for both Mageia 3 and 4? Thank you!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory uploaded.
CC: (none) => remi
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok mga4-32-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok mga4-32-ok advisory
Update pushed: http://advisories.mageia.org/MGASA-2014-0099.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED