Upstream has released version 4.1.14.5 today (October 1) fixing security issues: http://www.phpmyadmin.net/home_page/news.php#phpMyAdmin_4.0.10.4__4.1.14.5_and_4.2.9.1_are_released Details are not available yet. Updated packages uploaded for Mageia 3 and Mageia 4. Freeze push requested for 4.2.9.1 for Cauldron. Updated packages in core/updates_testing: ======================== phpmyadmin-4.1.14.5-1.mga3 phpmyadmin-4.1.14.5-1.mga4 from SRPMS: phpmyadmin-4.1.14.5-1.mga3.src.rpm phpmyadmin-4.1.14.5-1.mga4.src.rpm Reproducible: Steps to Reproduce:
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=12834#c7
Whiteboard: (none) => MGA3TOO
Whiteboard: MGA3TOO => MGA3TOO has_procedure
Tested mga4 64 Created user and database, set up table and entered a data point checked table and data point, removed user and database. All behaved as expected.
CC: (none) => wrw105Whiteboard: MGA3TOO has_procedure => MGA3TOO has_procedure mga4-64-ok
Testing complete mga3 64 Similar to Bill. The update caused httpd segfaults until httpd was restarted rather than the reload it gets when updating. We've seen this before IINM and decided there was nothing we could do about it.
Whiteboard: MGA3TOO has_procedure mga4-64-ok => MGA3TOO has_procedure mga3-64-ok mga4-64-ok
Nothing we can do unless we can figure out what's causing it and fix that. For instance, having php-opcache enabled will cause this issue, but there's isn't a fix for it yet, so you just have to disable it. I'm not specifically aware of other causes for this issue, but it's possible there's another one.
http://www.phpmyadmin.net/home_page/security/PMASA-2014-11.php
CC: (none) => oe
More detailed procedure: ======================== To use phpMyAdmin you need to have mariadb installed and to know the MySQL root password (not that it differs from your Mageia root password). If you don't have mariadb installed and configured, go to (A). If you don't remember the MySQL root password, go to (B). If you're fine, go to (C). (A) Installing MySQL 0. If you decided to reinstall MySQL, uninstall mariadb and delete /var/lib/mysql and /etc/my.cfg 1. Install mariadb 2. Run the mysqld service with: # systemctl start mysqld 3. Define a MySQL root password with: # mysqladmin password 4. Go to (C) to test phpMyAdmin (B) Reset MySQL root password 1. Stop the mysql service: # systemctl stop mysqld 2. Start MySQL without password authentication: # mysqld_safe --skip-grant-tables & 3. Connect to the MySQL server as root user: # mysql -u root mysql 4. Run the following commands with your chosen password instead of "MyNewPass". Note that mysql> is just the MySQL prompt, you should not type it. mysql> use mysql; mysql> UPDATE mysql.user SET Password=PASSWORD('MyNewPass') WHERE User='root'; mysql> FLUSH PRIVILEGES; mysql> exit 5. Stop the safe-mode MySQL and start the normal one again # mysqladmin shutdown # systemctl start mysqld 4. Go to (C) to test phpMyAdmin (C) Testing phpMyAdmin 1. Install phpmyadmin 2. Browse to http://localhost/phpmyadmin 3. Log in as MySQL root user with your now known password 4. Create a user: in the banner menu click "Users" and then "Add a user" Set the username and password, and tick the box to create a database named like the user on which the user has all privileges 5. In the left hand-side menu, click on your new database, and create a table. 6. Delete the user and the associated database 7. Log out
(In reply to Oden Eriksson from comment #5) > http://www.phpmyadmin.net/home_page/security/PMASA-2014-11.php Thanks Oden. It's about time they posted it. I kept checking for it.
Advisory: ======================== Updated phpmyadmin package fixes security vulnerability: In phpMyAdmin before 4.1.14.4, with a crafted ENUM value it is possible to trigger an XSS in table search and table structure pages (CVE-2014-7217). References: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7217 http://www.phpmyadmin.net/home_page/security/PMASA-2014-11.php
Summary: phpmyadmin new security issues fixed in 4.1.14.5 => phpmyadmin new security issue CVE-2014-7217
Test with phpmyadmin 4.1.14.5-1.mga4 Create a user, a table, delete, all OK.
CC: (none) => patr_and
Whiteboard: MGA3TOO has_procedure mga3-64-ok mga4-64-ok => MGA3TOO has_procedure mga3-64-ok mga4-64-ok MGA4-32-OK
Actually I did not realise but I tested mga3 32bit when writing the procedure :-P
CC: (none) => remiWhiteboard: MGA3TOO has_procedure mga3-64-ok mga4-64-ok MGA4-32-OK => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok MGA4-32-OK
URL: (none) => http://lwn.net/Vulnerabilities/614817/
@David: Should I ask the lwn.net link to the advisory?
Keywords: (none) => validated_updateWhiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok MGA4-32-OK => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok MGA4-32-OK advisoryCC: (none) => sysadmin-bugs
(In reply to Rémi Verschelde from comment #11) > @David: Should I ask the lwn.net link to the advisory? No.
Of course I meant "should I add" but I see you understood :-)
Validated. I couldn't upload the advisory yet because mgaadv is broken on cauldron :-/
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok MGA4-32-OK advisory => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok MGA4-32-OK
Actually I copied and edited another advisory.
Whiteboard: MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok MGA4-32-OK => MGA3TOO has_procedure mga3-32-ok mga3-64-ok mga4-64-ok MGA4-32-OK advisory
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0402.html
Status: NEW => RESOLVEDResolution: (none) => FIXED