Upstream has issued an advisory today (May 25): https://www.phpmyadmin.net/security/PMASA-2016-16/ It is fixed in 4.4.15.6: https://www.phpmyadmin.net/files/4.4.15.6/ The release announcement hasn't been posted yet and there is no CVE available yet. Advisory to come later. Updated packages uploaded for Mageia 5 and Cauldron. If someone could check the Cauldron one too and make sure there are no dependency issues, that'd be great. Updated packages in core/updates_testing: ======================== phpmyadmin-4.4.15.6-1.mga5 from phpmyadmin-4.4.15.6-1.mga5.src.rpm
Testing procedure: https://bugs.mageia.org/show_bug.cgi?id=12834#c7 https://bugs.mageia.org/show_bug.cgi?id=14208#c6
Whiteboard: (none) => has_procedure
Testing M5 x64 Updated no problems to: phpmyadmin-4.4.15.6-1.mga5 Ran through https://bugs.mageia.org/show_bug.cgi?id=14208#c6 (C) Testing phpMyAdmin steps 2-7 and looked at a couple of existing DBs. Everything seems OK.
CC: (none) => lewyssmithWhiteboard: has_procedure => has_procedure MGA5-64-OK
Still no CVE, but here's an advisory. Advisory: ======================== Updated phpmyadmin package fixes security vulnerability: In phpMyAdmin before 4.4.15.6, a specially crafted attack could allow for special HTML characters to be passed as URL encoded values and displayed back as special characters in the page (PMASA-2016-16). References: https://www.phpmyadmin.net/security/PMASA-2016-16/ https://www.phpmyadmin.net/files/4.4.15.6/ https://www.phpmyadmin.net/news/2016/5/26/phpmyadmin-security-notifications-and-44156-released/
In VirtualBox, M5, KDE, 32-bit Package(s) under test: mariadb phpmyadmin default install of mariadb & phpmyadmin [root@localhost wilcal]# urpmi mariadb Package mariadb-10.0.25-1.mga5.i586 is already installed [root@localhost wilcal]# urpmi phpmyadmin Package phpmyadmin-4.4.15.5-1.2.mga5.noarch is already installed start mysqladmin, set password to "mytest" open http://localhost/phpmyadmin/ create new database called test01. Close browser. Successfully reopen: http://localhost/phpmyadmin/ install phpmyadmin from updates_testing [root@localhost wilcal]# urpmi mariadb Package mariadb-10.0.25-1.mga5.i586 is already installed [root@localhost wilcal]# urpmi phpmyadmin Package phpmyadmin-4.4.15.6-1.mga5.noarch is already installed open http://localhost/phpmyadmin/ create new database called test02. Close browser. Successfully reopen: http://localhost/phpmyadmin/ I can access db's test01 & test02
CC: (none) => wilcal.int
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK
This update works fine. Testing complete for MGA5, 32-bit & 64-bit Validating the update. Could someone from the sysadmin team push to updates. Thanks
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
CC: (none) => davidwhodginsWhiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory
This one has been assigned CVE-2016-5099. I amended the advisory in SVN.
Summary: phpmyadmin new security issue fixed upstream in 4.4.15.6 => phpmyadmin new security issue fixed upstream in 4.4.15.6 (CVE-2016-5099)
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0211.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/689274/