Bug 17849 - phpmyadmin new security issues CVE-2016-2560 and CVE-2016-2561
Summary: phpmyadmin new security issues CVE-2016-2560 and CVE-2016-2561
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/678631/
Whiteboard: has_procedure advisory MGA5-32-OK MGA...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2016-03-01 01:41 CET by David Walser
Modified: 2016-03-03 19:22 CET (History)

See Also:
Source RPM: phpmyadmin-4.4.15.4-1.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2016-03-01 01:41:40 CET
Upstream has released new versions today (February 29):
https://www.phpmyadmin.net/news/2016/2/29/phpmyadmin-401015-44155-and-4551-are-released/

Updated packages uploaded for Mageia 5 and Cauldron.

Advisory:
========================

Updated phpmyadmin package fixes security vulnerabilities:

Multiple cross-site scripting (XSS) issues in phpMyAdmin before 4.4.5.5
(CVE-2016-2560, CVE-2016-2561).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2560
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2561
https://www.phpmyadmin.net/security/PMASA-2016-11/
https://www.phpmyadmin.net/security/PMASA-2016-12/
https://www.phpmyadmin.net/files/4.4.15.5/
https://www.phpmyadmin.net/news/2016/2/29/phpmyadmin-401015-44155-and-4551-are-released/
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-4.4.15.5-1.mga5

from phpmyadmin-4.4.15.5-1.mga5.src.rpm
Comment 1 David Walser 2016-03-01 01:41:57 CET
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=12834#c7
https://bugs.mageia.org/show_bug.cgi?id=14208#c6

Whiteboard: (none) => has_procedure

Comment 2 William Kenney 2016-03-01 17:41:11 CET
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
mariadb phpmyadmin

default install of mariadb & phpmyadmin

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.0.23-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.4.15.4-1.mga5.noarch is already installed

start mysqladmin, set password to "mytest"
open http://localhost/phpmyadmin/
create new database called test01. Close browser.
Successfully reopen: http://localhost/phpmyadmin/

install phpmyadmin from updates_testing

[root@localhost wilcal]# urpmi phpmyadmin
A requested package cannot be installed:
phpmyadmin-4.4.15.5-1.mga5.noarch (due to unsatisfied pear(config.sample.inc.php))

CC: (none) => wilcal.int

Comment 3 David Walser 2016-03-01 18:20:01 CET
Should be fixed.

Updated packages in core/updates_testing:
========================
phpmyadmin-4.4.15.5-1.1.mga5

from phpmyadmin-4.4.15.5-1.1.mga5.src.rpm
Comment 4 claire robinson 2016-03-01 19:30:31 CET
Advisory uploaded with srpm from comment 3

Whiteboard: has_procedure => has_procedure advisory

Comment 5 David Walser 2016-03-02 16:28:03 CET
New tarball included a test directory that should not be packaged.  Removed it.

Updated packages in core/updates_testing:
========================
phpmyadmin-4.4.15.5-1.2.mga5

from phpmyadmin-4.4.15.5-1.2.mga5.src.rpm

Advisory fixed in SVN too.
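A small check that a QA tester or sysadmin could run to confirm a host carries the fixed build named in this comment (phpmyadmin-4.4.15.5-1.2.mga5, version and release taken from the bug; the script itself is an added example, not part of the bug report or of Mageia's tooling). It compares a version-release string field by field, so an earlier 4.4.15.5-1 or -1.1 build, which this bug shows were superseded, is reported as not fixed:

```shell
#!/bin/sh
# Added example: compare an installed phpmyadmin version-release against
# the fixed build from this bug, phpmyadmin-4.4.15.5-1.2.mga5.
FIXED_VERSION="4.4.15.5"
FIXED_RELEASE="1.2"

# version_cmp A B: prints -1, 0 or 1 comparing dotted numeric versions
# field by field; a missing trailing field counts as 0.
version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# phpmyadmin_is_fixed "VERSION-RELEASE": returns 0 (true) when the
# installed build is at least the fixed one, 1 otherwise. The distro
# suffix of the release (".mga5") is stripped before comparing.
phpmyadmin_is_fixed() {
    vr="$1"
    ver="${vr%%-*}"
    rel="${vr#*-}"
    rel="${rel%.mga*}"
    c=$(version_cmp "$ver" "$FIXED_VERSION")
    [ "$c" -gt 0 ] && return 0
    [ "$c" -lt 0 ] && return 1
    [ "$(version_cmp "$rel" "$FIXED_RELEASE")" -ge 0 ]
}

# Typical use on a Mageia host (queries the rpm database; not run here):
# phpmyadmin_is_fixed "$(rpm -q --qf '%{VERSION}-%{RELEASE}' phpmyadmin)"
```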
Comment 6 William Kenney 2016-03-02 18:56:04 CET
In VirtualBox, M5, KDE, 32-bit

install: mariadb phpmyadmin

Install and setup mariadb & phpmyadmin
In a su root terminal: systemctl start mysqld.service
Set password to: mytest
[root@localhost wilcal]# mysqladmin -u root password
type password "mytest" twice
In Browser: localhost/phpmyadmin
user: root
PW: mytest
remember password "mytest"

Package(s) under test:
mariadb phpmyadmin

default install of mariadb & phpmyadmin

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.0.23-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.4.15.4-1.mga5.noarch is already installed

start mysqladmin, set password to "mytest"
open http://localhost/phpmyadmin/
create new database called test01. Close browser.
Successfully reopen: http://localhost/phpmyadmin/ & db test01

install phpmyadmin from updates_testing

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.0.23-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.4.15.5-1.2.mga5.noarch is already installed

open http://localhost/phpmyadmin/
create new database called test02. Close browser.
Successfully reopen: http://localhost/phpmyadmin/
I can open db's test01 & test02
Comment 7 William Kenney 2016-03-02 19:13:49 CET
In VirtualBox, M5, KDE, 64-bit

install: mariadb phpmyadmin

Install and setup mariadb & phpmyadmin
In a su root terminal: systemctl start mysqld.service
Set password to: mytest
[root@localhost wilcal]# mysqladmin -u root password
type password "mytest" twice
In Browser: localhost/phpmyadmin
user: root
PW: mytest
remember password "mytest"

Package(s) under test:
mariadb phpmyadmin

default install of mariadb & phpmyadmin

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.0.23-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.4.15.4-1.mga5.noarch is already installed

start mysqladmin, set password to "mytest"
open http://localhost/phpmyadmin/
create new database called test01. Close browser.
Successfully reopen: http://localhost/phpmyadmin/ & db test01

install phpmyadmin from updates_testing

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.0.23-1.mga5.x86_64 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.4.15.5-1.2.mga5.noarch is already installed

open http://localhost/phpmyadmin/
create new database called test02. Close browser.
Successfully reopen: http://localhost/phpmyadmin/
I can open db's test01 & test02
Comment 8 William Kenney 2016-03-02 19:14:27 CET
Looks good now. Anything else David?
Comment 9 David Walser 2016-03-02 19:16:25 CET
Good to go.  Thanks.
Comment 10 William Kenney 2016-03-02 19:19:11 CET
This update works fine.
Testing complete for MGA5, 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push to updates.
Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure advisory => has_procedure advisory MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 11 Mageia Robot 2016-03-02 19:30:34 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0092.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2016-03-03 19:22:16 CET

URL: (none) => http://lwn.net/Vulnerabilities/678631/

