Upstream has released new versions on August 16:
https://www.phpmyadmin.net/news/2016/8/16/phpmyadmin-401017-44158-and-464-are-released/

They may have set a record with security issues fixed this time, as PMASA-2016-29 through PMASA-2016-56 all correspond to this round of updates.

Freeze push requested for Cauldron. Update for Mageia 5 in progress.
Updated package uploaded for Mageia 5.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=12834#c7
https://bugs.mageia.org/show_bug.cgi?id=14208#c6

Advisory:
========================

Updated phpmyadmin package fixes security vulnerability:

In phpMyAdmin before 4.4.15.8, the decryption of the username/password is vulnerable to a padding oracle attack. This can allow an attacker who has access to a user's browser cookie file to decrypt the username and password. Also, the same initialization vector (IV) is used to hash the username and password stored in the phpMyAdmin cookie. If a user has the same password as their username, an attacker who examines the browser cookie can see that they are the same (CVE-2016-6606).

In phpMyAdmin before 4.4.15.8, multiple vulnerabilities have been discovered in the following areas of phpMyAdmin: Zoom search, GIS editor, Relation view, several Transformations, XML export, MediaWiki export, Designer, when the MySQL server is running with a specially-crafted log_bin directive, Database tab, Replication feature, and Database search (CVE-2016-6607).

In phpMyAdmin before 4.4.15.8, a vulnerability was found where a specially crafted database name could be used to run arbitrary PHP commands through the array export feature (CVE-2016-6609).

In phpMyAdmin before 4.4.15.8, a full path disclosure vulnerability was discovered where a user can trigger a particular error in the export mechanism to discover the full path of phpMyAdmin on the disk (CVE-2016-6610).

In phpMyAdmin before 4.4.15.8, a vulnerability was reported where a specially crafted database and/or table name can be used to trigger an SQL injection attack through the export functionality (CVE-2016-6611).

In phpMyAdmin before 4.4.15.8, a vulnerability was discovered where a user can exploit the LOAD LOCAL INFILE functionality to expose files on the server to the database system (CVE-2016-6612).

In phpMyAdmin before 4.4.15.8, a vulnerability was found where a user can specially craft a symlink on disk, to a file which phpMyAdmin is permitted to read but the user is not, which phpMyAdmin will then expose to the user (CVE-2016-6613).

In phpMyAdmin before 4.4.15.8, a vulnerability was reported with the %u username replacement functionality of the SaveDir and UploadDir features. When the username substitution is configured, a specially-crafted user name can be used to circumvent restrictions to traverse the file system (CVE-2016-6614).

In phpMyAdmin before 4.4.15.8, multiple XSS vulnerabilities were found in the following areas: Navigation pane and database/table hiding feature, the "Tracking" feature, and GIS visualization feature (CVE-2016-6615).

In phpMyAdmin before 4.4.15.8, a vulnerability was discovered in the following features where a user can execute an SQL injection attack against the account of the control user: User group Designer (CVE-2016-6616).

In phpMyAdmin before 4.4.15.8, a vulnerability was found in the transformation feature allowing a user to trigger a denial-of-service (DOS) attack against the server (CVE-2016-6618).

In phpMyAdmin before 4.4.15.8, a vulnerability was discovered in the user interface preference feature where a user can execute an SQL injection attack against the account of the control user (CVE-2016-6619).

In phpMyAdmin before 4.4.15.8, a vulnerability was reported where some data is passed to the PHP unserialize() function without verification that it's valid serialized data. A malicious user may be able to manipulate the stored data in a way to result in code being loaded and executed (CVE-2016-6620).

In phpMyAdmin before 4.4.15.8, a vulnerability was discovered where an unauthenticated user is able to execute a denial-of-service (DOS) attack by forcing persistent connections when phpMyAdmin is running with $cfg['AllowArbitraryServer']=true; (CVE-2016-6622).

In phpMyAdmin before 4.4.15.8, a vulnerability has been reported where a malicious authorized user can cause a denial-of-service (DOS) attack on a server by passing large values to a loop (CVE-2016-6623).

In phpMyAdmin before 4.4.15.8, a vulnerability was discovered where, under certain circumstances, it may be possible to circumvent the phpMyAdmin IP-based authentication rules. When phpMyAdmin is used with IPv6 in a proxy server environment, and the proxy server is in the allowed range but the attacking computer is not allowed, this vulnerability can allow the attacking computer to connect despite the IP rules (CVE-2016-6624).

In phpMyAdmin before 4.4.15.8, a vulnerability was reported where an attacker can determine whether a user is logged in to phpMyAdmin (CVE-2016-6625).

In phpMyAdmin before 4.4.15.8, a vulnerability was discovered where an attacker could redirect a user to a malicious web page (CVE-2016-6626).

In phpMyAdmin before 4.4.15.8, a vulnerability was discovered where an attacker can determine the phpMyAdmin host location through the file url.php (CVE-2016-6627).

In phpMyAdmin before 4.4.15.8, a vulnerability was discovered where an attacker may be able to trigger a user to download a specially crafted malicious SVG file (CVE-2016-6628).

In phpMyAdmin before 4.4.15.8, a vulnerability was reported with the $cfg['ArbitraryServerRegexp'] configuration directive. An attacker could reuse certain cookie values in a way of bypassing the servers defined by ArbitraryServerRegexp (CVE-2016-6629).

In phpMyAdmin before 4.4.15.8, an authenticated user can trigger a denial-of-service (DOS) attack by entering a very long password at the change password dialog (CVE-2016-6630).

In phpMyAdmin before 4.4.15.8, a vulnerability was discovered where a user can execute a remote code execution attack against a server when phpMyAdmin is being run as a CGI application.
Under certain server configurations, a user can pass a query string which is executed as a command-line argument by the file generator_plugin.sh (CVE-2016-6631).

In phpMyAdmin before 4.4.15.8, a flaw was discovered where, under certain conditions, phpMyAdmin may not delete temporary files during the import of ESRI files (CVE-2016-6632).

In phpMyAdmin before 4.4.15.8, a vulnerability was discovered where phpMyAdmin can be used to trigger a remote code execution attack against certain PHP installations (CVE-2016-6633).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6606
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6607
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6609
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6610
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6611
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6612
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6613
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6614
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6615
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6616
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6618
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6619
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6620
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6622
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6623
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6624
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6625
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6626
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6627
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6628
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6629
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6630
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6631
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6632
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6633
https://www.phpmyadmin.net/security/PMASA-2016-29/
https://www.phpmyadmin.net/security/PMASA-2016-30/
https://www.phpmyadmin.net/security/PMASA-2016-32/
https://www.phpmyadmin.net/security/PMASA-2016-33/
https://www.phpmyadmin.net/security/PMASA-2016-34/
https://www.phpmyadmin.net/security/PMASA-2016-35/
https://www.phpmyadmin.net/security/PMASA-2016-36/
https://www.phpmyadmin.net/security/PMASA-2016-37/
https://www.phpmyadmin.net/security/PMASA-2016-38/
https://www.phpmyadmin.net/security/PMASA-2016-39/
https://www.phpmyadmin.net/security/PMASA-2016-41/
https://www.phpmyadmin.net/security/PMASA-2016-42/
https://www.phpmyadmin.net/security/PMASA-2016-43/
https://www.phpmyadmin.net/security/PMASA-2016-45/
https://www.phpmyadmin.net/security/PMASA-2016-46/
https://www.phpmyadmin.net/security/PMASA-2016-47/
https://www.phpmyadmin.net/security/PMASA-2016-48/
https://www.phpmyadmin.net/security/PMASA-2016-49/
https://www.phpmyadmin.net/security/PMASA-2016-50/
https://www.phpmyadmin.net/security/PMASA-2016-51/
https://www.phpmyadmin.net/security/PMASA-2016-52/
https://www.phpmyadmin.net/security/PMASA-2016-53/
https://www.phpmyadmin.net/security/PMASA-2016-54/
https://www.phpmyadmin.net/security/PMASA-2016-55/
https://www.phpmyadmin.net/security/PMASA-2016-56/
https://www.phpmyadmin.net/files/4.4.15.6/
https://www.phpmyadmin.net/news/2016/8/16/phpmyadmin-401017-44158-and-464-are-released/
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-4.4.15.8-1.mga5

from phpmyadmin-4.4.15.8-1.mga5.src.rpm
Assignee: bugsquad => qa-bugs
Whiteboard: (none) => has_procedure
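
The %u substitution issue summarised in the advisory above (CVE-2016-6614) comes down to a user name being pasted into a directory path. As an added illustration, not phpMyAdmin's code or its actual fix, this Python sketch contrasts the naive expansion with a checked one; the function names, the allow-list and the sample template are assumptions made for the example.

```python
import os
import re

# Assumption: conservative allow-list for a name used as one directory component.
SAFE_COMPONENT = re.compile(r"[A-Za-z0-9_-][A-Za-z0-9_.-]*")

def expand_naive(template, username):
    """Unsafe pattern: paste the user name into the path and normalise it."""
    return os.path.normpath(template.replace("%u", username))

def expand_checked(template, username):
    """Expand %u, rejecting names that are not a single safe path component
    and results that resolve outside the directory in front of %u."""
    if not SAFE_COMPONENT.fullmatch(username):
        raise ValueError("user name not usable as a directory name: %r" % username)
    # Assumes %u is a path component of its own, e.g. /base/%u
    base = os.path.realpath(template.split("%u", 1)[0])
    candidate = os.path.realpath(template.replace("%u", username))
    # realpath also resolves symlinks, so a link planted under base is caught
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("expanded directory leaves %s" % base)
    return candidate

def audit(template, usernames):
    """Return {username: expanded path or 'REJECTED: reason'} for a batch."""
    report = {}
    for name in usernames:
        try:
            report[name] = expand_checked(template, name)
        except ValueError as exc:
            report[name] = "REJECTED: %s" % exc
    return report

# Constructed sample values, not taken from any real configuration
TEMPLATE = "/srv/pma/upload/%u"
SAMPLE_USERS = ["alice", "../../../etc", "bob/../../carol", ".."]

if __name__ == "__main__":
    print("naive :", expand_naive(TEMPLATE, "../../../etc"))
    for user, result in audit(TEMPLATE, SAMPLE_USERS).items():
        print("%-18r -> %s" % (user, result))
```
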
In VirtualBox, M5, KDE, 32-bit

Package(s) under test:
mariadb phpmyadmin

default install of mariadb & phpmyadmin

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.0.26-1.mga5.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.4.15.7-1.mga5.noarch is already installed

start mysqladmin, set password to "mytest"
open http://localhost/phpmyadmin/
create new database called test01. Close browser.
Successfully reopen:
http://localhost/phpmyadmin/

install phpmyadmin from updates_testing

I've tried two days in a row to get:
phpmyadmin-4.4.15.8-1
To install from either the MCC or from command line urpmi both times unsuccessful. Even though it's in the repo.
CC: (none) => wilcal.int
Installed task-lamp
Started mysqld
Ran "mysqladmin password" to set the mysql admin password
Accessed http://localhost/phpmyadmin/
(Installed apache-mod_ssl, restarted httpd, and after adding an exception in firefox for the self signed cert, https://localhost/phpmyadmin/ works too).

Installed the update, restarted httpd, and confirmed creating/deleting a table in phpmyadmin works.
CC: (none) => davidwhodgins
Whiteboard: has_procedure => has_procedure MGA5-64-OK
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-64-OK => has_procedure MGA5-64-OK advisory
CC: (none) => sysadmin-bugs
(In reply to Dave Hodgins from comment #3)
> Installed task-lamp
> Started mysqld
> Ran "mysqladmin password" to set the mysql admin password
> Accessed http://localhost/phpmyadmin/
> (Installed apache-mod_ssl, restarted httpd, and after adding an exception
> in firefox for the self signed cert, https://localhost/phpmyadmin/
> works too).
>
> Installed the update, restarted httpd, and confirmed creating/deleting
> a table in phpmyadmin works.

Dave,
How did you work around this?

[baz@jackodesktop ~]$ mysqladmin password "$pass"
mysqladmin: You cannot use 'password' command as mysqld runs with grant tables disabled (was started with --skip-grant-tables).
Use: "mysqladmin flush-privileges password '*'" instead
[baz@jackodesktop ~]$ mysqladmin flush-privileges password '*'
mysqladmin: You cannot use 'password' command as mysqld runs with grant tables disabled (was started with --skip-grant-tables).
Use: "mysqladmin flush-privileges password '*'" instead
[baz@jackodesktop ~]$

It breaks a script used in zoneminder and I landed here looking for a solution :\
CC: (none) => zen25000
URL: (none) => http://lwn.net/Vulnerabilities/698492/
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0291.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED