Upstream has issued advisories on May 13:
http://www.phpmyadmin.net/home_page/security/PMASA-2015-2.php
http://www.phpmyadmin.net/home_page/security/PMASA-2015-3.php

It turns out that phpMyAdmin 4.1.x is affected by these issues, but it is no longer supported upstream. Easiest way forward is updating to a supported version, so I'll resync Mageia 4 with Mageia 5 and move to 4.2.x.

Updated packages (4.2.13.3) uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated phpmyadmin package fixes security vulnerabilities:

In phpMyAdmin before 4.2.13.3, by deceiving a user to click on a crafted URL, it is possible to alter the configuration file being generated with phpMyAdmin setup (CVE-2015-3902).

In phpMyAdmin before 4.2.13.3, a vulnerability in the API call to GitHub can be exploited to perform a man-in-the-middle attack (CVE-2015-3903).

With this update, the phpmyadmin package has been updated to the 4.2 branch, which has some additional changes and new features. The 4.1 branch is no longer supported.

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3902
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3903
http://www.phpmyadmin.net/home_page/security/PMASA-2015-2.php
http://www.phpmyadmin.net/home_page/security/PMASA-2015-3.php
https://sourceforge.net/p/phpmyadmin/news/2014/05/phpmyadmin-420-is-released/
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-4.2.13.3-1.mga4

from phpmyadmin-4.2.13.3-1.mga4.src.rpm
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=12834#c7
https://bugs.mageia.org/show_bug.cgi?id=14208#c6
Whiteboard: (none) => has_procedure
Tested mga4-64. Logged in, created user and database, entered data into database and browsed, deleted user and database. All OK.
CC: (none) => wrw105
Whiteboard: has_procedure => mga4-64-ok has_procedure
Testing complete mga4 32
Whiteboard: mga4-64-ok has_procedure => mga4-64-ok mga4-32-ok has_procedure
Validating. Advisory uploaded. Please push to 4 updates. Thanks
Keywords: (none) => validated_update
Whiteboard: mga4-64-ok mga4-32-ok has_procedure => mga4-64-ok mga4-32-ok advisory has_procedure
CC: (none) => sysadmin-bugs
URL: (none) => http://lwn.net/Vulnerabilities/644878/
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0232.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED