Upstream has released new versions today (November 25):
https://www.phpmyadmin.net/news/2016/11/25/phpmyadmin-401018-44159-and-465-are-released/

Several security issues have been fixed yet again, but CVEs have not yet been indicated on the upstream advisories.

Freeze push requested for Cauldron. Updated package uploaded for Mageia 5.

Advisory to come later.

Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=12834#c7
https://bugs.mageia.org/show_bug.cgi?id=14208#c6

References:
https://www.phpmyadmin.net/security/PMASA-2016-58/
https://www.phpmyadmin.net/security/PMASA-2016-59/
https://www.phpmyadmin.net/security/PMASA-2016-60/
https://www.phpmyadmin.net/security/PMASA-2016-61/
https://www.phpmyadmin.net/security/PMASA-2016-62/
https://www.phpmyadmin.net/security/PMASA-2016-63/
https://www.phpmyadmin.net/security/PMASA-2016-64/
https://www.phpmyadmin.net/security/PMASA-2016-65/
https://www.phpmyadmin.net/security/PMASA-2016-66/
https://www.phpmyadmin.net/security/PMASA-2016-69/
https://www.phpmyadmin.net/security/PMASA-2016-70/
https://www.phpmyadmin.net/security/PMASA-2016-71/
https://www.phpmyadmin.net/files/4.4.15.9/
https://www.phpmyadmin.net/news/2016/11/25/phpmyadmin-401018-44159-and-465-are-released/
Whiteboard: (none) => has_procedure
MGA-32 on AcerD620 Xfce
Installed version 4.4.15.9, no installation issues.
Created new table in existing test database.
Deleted all tables in this database.
Deleted test user and database, all OK.
CC: (none) => herman.viaene
Whiteboard: has_procedure => has_procedure MGA5-32-OK
URL: (none) => https://lwn.net/Vulnerabilities/708148/
Severity: normal => major
Testing MGA5 64-bit real h/w

Updated from Updates_Testing to: phpmyadmin-4.4.15.9-1.mga5, accepting rpmnew as the new config file.

Logged in as root, created a user with D/B of same name, all privileges (which I could not get to login having left '%' as the machine domain; but changing that [which actually created a second user of the same name] to 'localhost', it logged in OK). Created a table of different column types, populated a row, deleted the table, logout. As root deleted the user(s). Looked briefly at a different user's tables.

This looks OK. Validating to get it off the main list, but the Advisory awaits.
Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK MGA5-64-OK
CC: (none) => lewyssmith, sysadmin-bugs
Advisory:
========================

Updated phpmyadmin package fixes security vulnerability:

In phpMyAdmin before 4.4.15.9, when the user does not specify a blowfish_secret key for encrypting cookies, phpMyAdmin generates one at runtime. A vulnerability was reported where this value is created using a weak algorithm. This could allow an attacker to determine the user's blowfish_secret and potentially decrypt their cookies (CVE-2016-9847).

In phpMyAdmin before 4.4.15.9, phpinfo.php shows PHP information including values of sensitive HttpOnly cookies (CVE-2016-9848).

In phpMyAdmin before 4.4.15.9, it is possible to bypass AllowRoot restriction ($cfg['Servers'][$i]['AllowRoot']) and deny rules for username by using Null Byte in the username (CVE-2016-9849).

In phpMyAdmin before 4.4.15.9, a vulnerability in username matching for the allow/deny rules may result in wrong matches and detection of the username in the rule due to non-constant execution time (CVE-2016-9850).

In phpMyAdmin before 4.4.15.9, with a crafted request parameter value it is possible to bypass the logout timeout (CVE-2016-9851).

In phpMyAdmin before 4.4.15.9, by calling some scripts that are part of phpMyAdmin in an unexpected way, it is possible to trigger phpMyAdmin to display a PHP error message which contains the full path of the directory where phpMyAdmin is installed. During an execution timeout in the export functionality, the errors containing the full path of the directory of phpMyAdmin are written to the export file (CVE-2016-9852, CVE-2016-9853, CVE-2016-9854, CVE-2016-9855).

In phpMyAdmin before 4.4.15.9, several XSS vulnerabilities have been reported, including an improper fix for PMASA-2016-10 and a weakness in a regular expression used in some JavaScript processing (CVE-2016-9856, CVE-2016-9857).

In phpMyAdmin before 4.4.15.9, with a crafted request parameter value it is possible to initiate a denial of service attack in the saved searches feature (CVE-2016-9858).

In phpMyAdmin before 4.4.15.9, with a crafted request parameter value it is possible to initiate a denial of service attack in the import feature (CVE-2016-9859).

In phpMyAdmin before 4.4.15.9, an unauthenticated user can execute a denial of service attack when phpMyAdmin is running with $cfg['AllowArbitraryServer']=true; (CVE-2016-9860).

In phpMyAdmin before 4.4.15.9, due to the limitation in URL matching, it was possible to bypass the URL white-list protection (CVE-2016-9861).

In phpMyAdmin before 4.4.15.9, with a crafted username or a table name, it was possible to inject SQL statements in the tracking functionality that would run with the privileges of the control user. This gives read and write access to the tables of the configuration storage database, and if the control user has the necessary privileges, read access to some tables of the mysql database (CVE-2016-9864).

In phpMyAdmin before 4.4.15.9, due to a bug in serialized string parsing, it was possible to bypass the protection offered by PMA_safeUnserialize() function (CVE-2016-9865).

In phpMyAdmin before 4.4.15.9, when the arg_separator is different from its default value of &, the token was not properly stripped from the return URL of the preference import action (CVE-2016-9866).
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9847
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9848
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9849
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9850
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9851
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9852
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9853
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9854
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9855
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9856
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9857
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9858
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9859
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9860
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9861
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9864
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9865
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9866
https://www.phpmyadmin.net/security/PMASA-2016-58/
https://www.phpmyadmin.net/security/PMASA-2016-59/
https://www.phpmyadmin.net/security/PMASA-2016-60/
https://www.phpmyadmin.net/security/PMASA-2016-61/
https://www.phpmyadmin.net/security/PMASA-2016-62/
https://www.phpmyadmin.net/security/PMASA-2016-63/
https://www.phpmyadmin.net/security/PMASA-2016-64/
https://www.phpmyadmin.net/security/PMASA-2016-65/
https://www.phpmyadmin.net/security/PMASA-2016-66/
https://www.phpmyadmin.net/security/PMASA-2016-69/
https://www.phpmyadmin.net/security/PMASA-2016-70/
https://www.phpmyadmin.net/security/PMASA-2016-71/
https://www.phpmyadmin.net/files/4.4.15.9/
https://www.phpmyadmin.net/news/2016/11/25/phpmyadmin-401018-44159-and-465-are-released/
CC: (none) => davidwhodgins
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory
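
A defender-side check for the conditions the advisory above attaches to CVE-2016-9847 (no blowfish_secret specified) and CVE-2016-9860 (AllowArbitraryServer enabled), plus the 4.4.15.9 version threshold. This is an added example, not part of the original bug report and not Mageia or phpMyAdmin code; the function names, the simplified comment stripping and the sample config are assumptions made for illustration.

```python
import re

FIXED = (4, 4, 15, 9)  # fixed 4.4-series version named in the advisory

# Constructed sample config.inc.php, not taken from any real host.
SAMPLE_CONFIG = r"""<?php
// $cfg['blowfish_secret'] = 'commented-out-value';
$cfg['blowfish_secret'] = '';
$cfg['AllowArbitraryServer'] = true;
"""

def strip_comments(php):
    """Drop /* */ blocks and whole-line // or # comments (simplified)."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.S)
    return "\n".join(line for line in php.splitlines()
                     if not re.match(r"\s*(//|#)", line))

def setting(php, key):
    """Return the last value assigned to $cfg['key'], or None if unset."""
    pat = r"\$cfg\['%s'\]\s*=\s*(.+?)\s*;" % re.escape(key)
    hits = re.findall(pat, strip_comments(php))
    return hits[-1].strip("'\"") if hits else None

def is_vulnerable_version(version):
    """True when a 4.4.x version (package release suffix allowed) is older than FIXED."""
    v = tuple(int(p) for p in version.split("-")[0].split("."))
    if v[:2] != (4, 4):
        raise ValueError("only the 4.4 series from the advisory is covered")
    return v < FIXED

def audit(php, version):
    """List the advisory conditions that apply to this config and version."""
    findings = []
    if is_vulnerable_version(version):
        findings.append("version older than 4.4.15.9")
    if not setting(php, "blowfish_secret"):
        findings.append("blowfish_secret not specified (CVE-2016-9847 condition)")
    if (setting(php, "AllowArbitraryServer") or "").lower() == "true":
        findings.append("AllowArbitraryServer enabled (CVE-2016-9860 condition)")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "4.4.15.8"):
        print("FINDING:", finding)
```
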
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0416.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: https://lwn.net/Vulnerabilities/708148/ => https://lwn.net/Vulnerabilities/708658/
URL: https://lwn.net/Vulnerabilities/708658/ => https://lwn.net/Vulnerabilities/708148/