Bug 20600 - phpmyadmin new security issue fixed upstream in 4.7.0
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal, Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: advisory MGA5-64-OK MGA5-32-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-03-30 12:16 CEST by David Walser
Modified: 2017-04-03 22:32 CEST

See Also:
Source RPM: phpmyadmin-4.6.6-1.mga6.src.rpm
CVE:
Status comment:


Description David Walser 2017-03-30 12:16:00 CEST
Upstream has released version 4.7.0 on March 29:
https://www.phpmyadmin.net/news/2017/3/29/phpmyadmin-470-released/

It fixes one security issue:
https://www.phpmyadmin.net/security/PMASA-2017-8/

In Cauldron it should be updated to 4.7.0, since 4.6.x is no longer supported.

In Mageia 5, it can probably be patched (commit links for the security fix are in the PMASA).
David Walser 2017-03-30 12:16:12 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 José Jorge 2017-03-31 19:38:11 CEST
4.7.0 has gone to Cauldron; now this bug is about MGA5. I have rediffed the patch for version 4.0.

Suggested Advisory:
========================

Updated phpmyadmin package fixes security vulnerability:

A vulnerability was discovered where the restrictions caused by $cfg['Servers'][$i]['AllowNoPassword'] = false are bypassed under certain PHP versions. This can allow the login of users who have no password set even if the administrator has set $cfg['Servers'][$i]['AllowNoPassword'] to false (which is also the default).

https://www.phpmyadmin.net/security/PMASA-2017-8/


Updated packages in core/updates_testing:
========================
phpmyadmin-4.4.15.10-2.mga5

from phpmyadmin-4.4.15.10-2.mga5.src.rpm

Status: NEW => ASSIGNED
CC: (none) => lists.jjorge
Version: Cauldron => 5
Assignee: lists.jjorge => qa-bugs

David Walser 2017-03-31 20:49:31 CEST

Whiteboard: MGA5TOO => (none)

Comment 2 Dave Hodgins 2017-04-03 20:33:43 CEST
Couldn't figure out how to recreate the issue with 4.4.15.10-1, so just testing that the update installs cleanly, and that adding and dropping SQL objects with the updated phpmyadmin works.

Validating the update.

Keywords: (none) => validated_update
Whiteboard: (none) => advisory MGA5-64-OK MGA5-32-OK
CC: (none) => davidwhodgins, sysadmin-bugs

Comment 3 Mageia Robot 2017-04-03 22:32:27 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0100.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

