Upstream has issued an advisory on December 25:
https://www.phpmyadmin.net/security/PMASA-2015-6/

Updated package uploaded for Cauldron. Patched package uploaded for Mageia 5.

Advisory:
========================

Updated phpmyadmin package fixes security vulnerability:

By calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed (CVE-2015-8669).

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8669
https://www.phpmyadmin.net/security/PMASA-2015-6/
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-4.2.13.3-1.3.mga5

from phpmyadmin-4.2.13.3-1.3.mga5.src.rpm

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=12834#c7
https://bugs.mageia.org/show_bug.cgi?id=14208#c6
Whiteboard: (none) => has_procedure
Tested mga5-64. Created user with database, created table, entered values, viewed table, deleted user and dropped user's database, all OK.
CC: (none) => wrw105
Whiteboard: has_procedure => has_procedure mga5-64-ok
URL: (none) => http://lwn.net/Vulnerabilities/669753/
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
mariadb phpmyadmin

default install of mariadb & phpmyadmin

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.0.22-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.2.13.3-1.2.mga5.noarch is already installed

start mysqladmin, set password, open http://localhost/phpmyadmin/
create new database called test01. Close browser.
Successfully reopen: http://localhost/phpmyadmin/

install phpmyadmin from updates_testing

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.0.22-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.2.13.3-1.3.mga5.noarch is already installed

open http://localhost/phpmyadmin/
create new database called test02. Close browser.
Successfully reopen: http://localhost/phpmyadmin/
open test01
open test02

install mariadb from updates_testing

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.0.23-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.2.13.3-1.3.mga5.noarch is already installed

open http://localhost/phpmyadmin/
create new database called test03. Close browser.
Successfully reopen: http://localhost/phpmyadmin/
open test01
open test02
open test03
CC: (none) => wilcal.int
Happy New Year. This update works fine.
Testing complete for MGA5, 32-bit & 64-bit.
Validating the update.
Could someone from the sysadmin team push to updates?
Thanks
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: has_procedure mga5-64-ok => has_procedure mga5-32-ok mga5-64-ok
Whiteboard: has_procedure mga5-32-ok mga5-64-ok => has_procedure mga5-32-ok mga5-64-ok advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0002.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED