Upstream has issued an advisory on June 20:
http://www.phpmyadmin.net/home_page/security/PMASA-2014-3.php

The issue is fixed in 4.1.14.1. We should update Mageia 3 and Mageia 4 to it.

We should also update Cauldron to 4.2.4 to fix that issue and another:
http://www.phpmyadmin.net/home_page/security/PMASA-2014-2.php (CVE-2014-4348)
CC: (none) => lists.jjorge, oe
Whiteboard: (none) => MGA4TOO, MGA3TOO
Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated phpmyadmin packages fix security vulnerability:

In phpMyAdmin before 4.1.14, it is possible to trigger an XSS when hiding or unhiding a crafted table name in the navigation, due to unescaped HTML output in the navigation items hiding feature. Note that this vulnerability can only be triggered by someone who logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required form (CVE-2014-4349).

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4349
http://www.phpmyadmin.net/home_page/security/PMASA-2014-3.php
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-4.1.14.1-1.mga3
phpmyadmin-4.1.14.1-1.mga4

from SRPMS:
phpmyadmin-4.1.14.1-1.mga3.src.rpm
phpmyadmin-4.1.14.1-1.mga4.src.rpm
Version: Cauldron => 4
Assignee: bugsquad => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
Procedure: https://bugs.mageia.org/show_bug.cgi?id=12834#c7
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Testing complete mga4 64
Testing complete mga4 32
Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga4-32-ok mga4-64-ok
Testing complete mga3 32
Whiteboard: MGA3TOO has_procedure mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga4-32-ok mga4-64-ok
Testing complete mga3 64
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
Validating. Advisory uploaded. Could sysadmin please push to 3 & 4 updates? Thanks
Keywords: (none) => validated_update
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok => MGA3TOO has_procedure advisory mga3-32-ok mga3-64-ok mga4-32-ok mga4-64-ok
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2014-0275.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/603753/