Bug 17044 - phpmyadmin new security issue CVE-2015-7873
Summary: phpmyadmin new security issue CVE-2015-7873
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/662431/
Whiteboard: has_procedure MGA5-64-OK advisory
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-10-29 15:27 CET by David Walser
Modified: 2015-10-30 21:12 CET

See Also:
Source RPM: phpmyadmin-4.2.13.3-1.1.mga5.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2015-10-29 15:27:27 CET
Upstream has issued an advisory on October 23:
https://www.phpmyadmin.net/security/PMASA-2015-5/

Debian has issued an advisory for this on October 28:
https://www.debian.org/security/2015/dsa-3382

Updated package uploaded for Cauldron.

Patched package uploaded for Mageia 5.

Advisory:
========================

Updated phpmyadmin package fixes security vulnerability:

Content spoofing vulnerability when redirecting user to an external site
(CVE-2015-7873).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7873
https://www.phpmyadmin.net/security/PMASA-2015-5/
https://www.debian.org/security/2015/dsa-3382
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-4.2.13.3-1.2.mga5

from phpmyadmin-4.2.13.3-1.2.mga5.src.rpm

Comment 1 David Walser 2015-10-29 15:27:40 CET
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=12834#c7
https://bugs.mageia.org/show_bug.cgi?id=14208#c6

Whiteboard: (none) => has_procedure

Comment 2 William Kenney 2015-10-29 18:13:22 CET
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
mariadb phpmyadmin

default install of mariadb & phpmyadmin

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.0.21-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.2.13.3-1.1.mga5.noarch is already installed

start mysqladmin, set password, open http://localhost/phpmyadmin/
create new database called dbase1. Close browser.
Successfully reopen: http://localhost/phpmyadmin/

install phpmyadmin from updates_testing

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.0.21-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.2.13.3-1.2.mga5.noarch is already installed

open http://localhost/phpmyadmin/
create new database called dbase2. Close browser.
Successfully reopen: http://localhost/phpmyadmin/
open dbase1
open dbase2

CC: (none) => wilcal.int

Comment 3 William Kenney 2015-10-29 18:25:33 CET
In VirtualBox, M5, KDE, 64-bit

Package(s) under test:
mariadb phpmyadmin

default install of mariadb & phpmyadmin

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.0.21-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.2.13.3-1.1.mga5.noarch is already installed

start mysqladmin, set password, open http://localhost/phpmyadmin/
create new database called dbase1. Close browser.
Successfully reopen: http://localhost/phpmyadmin/

install phpmyadmin from updates_testing

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.0.21-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.2.13.3-1.2.mga5.noarch is already installed

open http://localhost/phpmyadmin/
create new database called dbase2. Close browser.
Successfully reopen: http://localhost/phpmyadmin/
open dbase1
open dbase2
Comment 4 William Kenney 2015-10-29 18:26:28 CET
This looks good to go, David. What do you say?
Comment 5 Dave Hodgins 2015-10-29 19:48:29 CET
OKing based on comment 3, and validating the update.

Keywords: (none) => validated_update
Whiteboard: has_procedure => has_procedure MGA5-64-OK advisory
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 6 Mageia Robot 2015-10-30 21:12:10 CET
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0419.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
