Upstream has issued advisories today (December 3):
http://www.phpmyadmin.net/home_page/security/PMASA-2014-17.php
http://www.phpmyadmin.net/home_page/security/PMASA-2014-18.php

The second issue only affects the version in Cauldron. The update to 4.2.13.1 is committed in SVN and a freeze push has been requested.

Updated package (4.1.14.8) uploaded for Mageia 4.

Advisory:
========================

Updated phpmyadmin package fixes security vulnerabilities:

In phpMyAdmin before 4.1.14.8, with very long passwords it was possible to initiate a denial of service attack on phpMyAdmin (CVE-2014-9218).

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9218
http://www.phpmyadmin.net/home_page/security/PMASA-2014-17.php
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-4.1.14.8-1.mga4

from phpmyadmin-4.1.14.8-1.mga4.src.rpm

Reproducible:

Steps to Reproduce:

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=12834#c7
https://bugs.mageia.org/show_bug.cgi?id=14208#c6
Whiteboard: (none) => has_procedure
General testing, mga4-64.
Create user/database, build table on database, enter data, browse data, delete user and database. All OK.

CC: (none) => wrw105
Whiteboard: has_procedure => has_procedure mga4-64-ok
General testing, mga4-32.
Tested as in comment 2. All OK.

Validating. Can sysadmin push to core/updates when advisory is uploaded? Thanks!

Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-64-ok => has_procedure mga4-64-ok mga4-32-OK
CC: (none) => sysadmin-bugs
Advisory uploaded, thanks Bill.
Whiteboard: has_procedure mga4-64-ok mga4-32-OK => has_procedure advisory mga4-64-ok mga4-32-OK
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2014-0510.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/624810/