Upstream has issued an advisory on September 8:
https://www.phpmyadmin.net/security/PMASA-2015-4/

The 4.2 branch is apparently no longer supported, so I had to backport the patch from 4.3. We need a maintainer to update it to the newest supported branch (4.4).

Patched packages uploaded for Mageia 4, Mageia 5, and Cauldron.

Advisory:
========================

Updated phpmyadmin package fixes security vulnerability:

In phpMyAdmin before 4.3.13.2 and 4.4.14.1, installations with reCaptcha enabled allow completing the reCaptcha test and subsequently performing a brute force attack to guess user credentials without having to complete further reCaptcha tests (CVE-2015-6830).

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6830
https://www.phpmyadmin.net/security/PMASA-2015-4/
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-4.2.13.3-1.1.mga4
phpmyadmin-4.2.13.3-1.1.mga5

from SRPMS:
phpmyadmin-4.2.13.3-1.1.mga4.src.rpm
phpmyadmin-4.2.13.3-1.1.mga5.src.rpm

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=12834#c7
https://bugs.mageia.org/show_bug.cgi?id=14208#c6
Whiteboard: (none) => MGA4TOO has_procedure
José, please update phpmyadmin in Cauldron to the 4.4 branch. 4.2 is EOL and 4.3 will be EOL in a few weeks. You're listed in maintdb as the maintainer.
CC: (none) => lists.jjorge
(In reply to David Walser from comment #2)
> José, please update phpmyadmin in Cauldron to the 4.4 branch. 4.2 is EOL
> and 4.3 will be EOL in a few weeks. You're listed in maintdb as the
> maintainer.

Done. Maybe we should provide it as an update for MGA4 and 5 at the next CVE?

(In reply to José Jorge from comment #3)
> (In reply to David Walser from comment #2)
> > José, please update phpmyadmin in Cauldron to the 4.4 branch. 4.2 is EOL
> > and 4.3 will be EOL in a few weeks. You're listed in maintdb as the
> > maintainer.
>
> Done. Maybe we should provide it as update for MGA4 and 5 at the next CVE?

Thanks. Mageia 4 will likely be EOL by then, but yes, I plan to update Mageia 5 to 4.4.x the next time an update is needed.
Tested mga5-64.
Created user and database, created table, entered data, deleted user and database. All OK.
As package is noarch, I'll test mga4-64 and validate.

CC: (none) => wrw105
Whiteboard: MGA4TOO has_procedure => MGA4TOO has_procedure mga5-64-ok

Tested mga4-64 as above, all OK. Validating. Ready for push when advisory uploaded to svn.

Keywords: (none) => validated_update
Whiteboard: MGA4TOO has_procedure mga5-64-ok => MGA4TOO has_procedure mga5-64-ok mga4-64-ok
CC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: MGA4TOO has_procedure mga5-64-ok mga4-64-ok => MGA4TOO has_procedure advisory mga5-64-ok mga4-64-ok
An update for this issue has been pushed to Mageia Updates repository.
http://advisories.mageia.org/MGASA-2015-0366.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/657327/