Upstream has issued advisories on July 17:
http://www.phpmyadmin.net/home_page/security/PMASA-2014-5.php
http://www.phpmyadmin.net/home_page/security/PMASA-2014-6.php
http://www.phpmyadmin.net/home_page/security/PMASA-2014-7.php

There is also CVE-2014-4954, which only affected the version in Cauldron:
http://www.phpmyadmin.net/home_page/security/PMASA-2014-4.php

Updated packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated phpmyadmin package fixes security vulnerabilities:

In phpMyAdmin before 4.1.14.2, when navigating into the database triggers page, it is possible to trigger an XSS with a crafted trigger name (CVE-2014-4955).

In phpMyAdmin before 4.1.14.2, with a crafted column name it is possible to trigger an XSS when dropping the column in the table structure page. With a crafted table name it is possible to trigger an XSS when dropping or truncating the table in the table operations page (CVE-2014-4986).

In phpMyAdmin before 4.1.14.2, an unprivileged user could view the MySQL user list and manipulate the tabs displayed in phpMyAdmin for them (CVE-2014-4987).

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4955
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4986
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4987
http://www.phpmyadmin.net/home_page/security/PMASA-2014-5.php
http://www.phpmyadmin.net/home_page/security/PMASA-2014-6.php
http://www.phpmyadmin.net/home_page/security/PMASA-2014-7.php
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-4.1.14.2-1.mga3
phpmyadmin-4.1.14.2-1.mga4

from SRPMS:
phpmyadmin-4.1.14.2-1.mga3.src.rpm
phpmyadmin-4.1.14.2-1.mga4.src.rpm

Reproducible:

Steps to Reproduce:
Whiteboard: (none) => MGA3TOO
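To make the first two CVEs in the advisory concrete, the following is a minimal illustration added here; it is not phpMyAdmin code and does not reproduce the upstream patch. It shows how an identifier read back from MySQL (a trigger, column or table name) becomes stored XSS when written into a page unescaped, and how escaping per output context removes the problem. The function names and the sample trigger name are constructed for this example.

```php
<?php
// Added illustration (not phpMyAdmin code): rendering a database trigger name
// into an HTML page. The attacker-controlled data is the identifier stored in
// MySQL; the page must treat it as text, never as markup.

// Constructed sample: a trigger name that contains HTML metacharacters.
$triggerName = 'audit"><script>alert(1)</script>';

// Unsafe rendering: the identifier is concatenated straight into HTML, so any
// markup inside the name becomes part of the page (stored XSS).
function renderTriggerRowUnsafe(string $name): string
{
    return '<tr><td>' . $name . '</td>'
         . '<td><a href="?drop=' . $name . '">Drop</a></td></tr>';
}

// Hardened rendering: escape for the HTML text context, URL-encode for the
// query-string context, then escape the resulting URL for the attribute
// context. ENT_QUOTES also escapes single quotes so the value is safe inside
// attribute values delimited by either quote style.
function renderTriggerRowSafe(string $name): string
{
    $text = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $href = htmlspecialchars('?drop=' . rawurlencode($name), ENT_QUOTES, 'UTF-8');
    return '<tr><td>' . $text . '</td>'
         . '<td><a href="' . $href . '">Drop</a></td></tr>';
}

// Compare the two outputs: the unsafe row contains a live <script> element,
// the safe row contains only &lt;script&gt; text and a percent-encoded link.
echo renderTriggerRowUnsafe($triggerName), "\n";
echo renderTriggerRowSafe($triggerName), "\n";
```

The same pattern applies to the column and table names in CVE-2014-4986: every place an identifier is echoed into HTML needs the escaping chosen for that specific context (text node, attribute, URL parameter), and a single missed site is enough to reintroduce the bug.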
Testing MGA4-64. I could not reproduce the security bugs to confirm they were or were not patched; however, phpMyAdmin is running and working ok after upgrading to phpmyadmin-4.1.14.2-1.mga4. Adding ok.
CC: (none) => dpremy
Whiteboard: MGA3TOO => MGA3TOO mga4-64-ok
Again on mga4-32: can't reproduce the security issues, but after the upgrade pma works as I would expect it to. Adding ok.
Whiteboard: MGA3TOO mga4-64-ok => MGA3TOO mga4-64-ok mga4-32-ok
Advisory uploaded. This still needs to be tested on mga3 before it can be validated.
CC: (none) => remi
Whiteboard: MGA3TOO mga4-64-ok mga4-32-ok => MGA3TOO mga4-64-ok mga4-32-ok advisory
Validating this. See the discussion in the QA meeting:
http://meetbot.mageia.org/mageia-qa/2014/mageia-qa.2014-07-31-19.02.log.html#l-30

Please push this to core/updates for Mageia 3 and Mageia 4.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Made sure it installs on Mageia 3 32-bit.
Whiteboard: MGA3TOO mga4-64-ok mga4-32-ok advisory => MGA3TOO mga3-32-ok mga4-64-ok mga4-32-ok advisory
Update pushed.
http://advisories.mageia.org/MGASA-2014-0310.html
Status: NEW => RESOLVED
CC: (none) => mageia
Resolution: (none) => FIXED