Upstream issued an advisory on December 20:
https://www.phpmyadmin.net/security/PMASA-2017-9/

phpMyAdmin 4.7.7 was released on December 23, fixing this issue:
https://www.phpmyadmin.net/news/2017/12/23/phpmyadmin-477-released/

A CVE has not yet been issued.

Updated packages uploaded for Mageia 6 and Cauldron.

Advisory:
========================

Updated phpmyadmin package fixes security vulnerability:

Due to an XSRF/CSRF vulnerability in phpMyAdmin before 4.7.7, by deceiving a user to click on a crafted URL, it is possible to perform harmful database operations such as deleting records, dropping/truncating tables etc (PMASA-2017-9).

The phpmyadmin package has been updated to version 4.7.7 to fix this issue and other bugs.

Note that phpMyAdmin 4.4.x in Mageia 5 is no longer supported. Users of the phpmyadmin package should upgrade to Mageia 6.

References:
https://www.phpmyadmin.net/security/PMASA-2017-9/
https://www.phpmyadmin.net/files/4.7.2/
https://www.phpmyadmin.net/files/4.7.3/
https://www.phpmyadmin.net/files/4.7.4/
https://www.phpmyadmin.net/files/4.7.5/
https://www.phpmyadmin.net/files/4.7.6/
https://www.phpmyadmin.net/files/4.7.7/
https://www.phpmyadmin.net/news/2017/12/23/phpmyadmin-477-released/
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-4.7.7-1.mga6

from phpmyadmin-4.7.7-1.mga6.src.rpm
Testing procedure:
https://bugs.mageia.org/show_bug.cgi?id=12834#c7
https://bugs.mageia.org/show_bug.cgi?id=14208#c6
Keywords: (none) => has_procedure
The test procedures noted above basically say: Create a user, database, table(s) etc. Delete same. Advisory uploaded, no CVE - as noted. Was going to test this, but the update is not yet visible.
Keywords: (none) => advisory
Trying M6/64:
phpmyadmin-4.7.7-1.mga6
with:
mariadb-10.1.29-2.mga6

This should be easy! But I *cannot* get past the user password rules when creating a new user, either with phpMyAdmin:
" #1819 - Your password does not satisfy the current policy requirements"
or from the command line (so the problem is NOT phpMyAdmin related):

$ mysql -u root -p
Enter password:
...
MariaDB [(none)]> CREATE USER 'testuser'@'%' IDENTIFIED BY '123Password-_';
ERROR 1819 (HY000): Your password does not satisfy the current policy requirements

The 'policy requirements' are:
"When first installed, a password is required to be at least eight characters, and requires at least one digit, one uppercase character, one lowercase character, and one character that is neither a digit nor a letter."
This is for
"simple_password_check is a password validation plugin. It can check whether a password contains at least a certain number of characters of a specific type."

Flushing privileges between attempts changed nothing.
----------------------------------------------------
Testing M6/64

Logging in as root, I deleted existing tables, then their host database.
I then created a new database, one table with 4 different columns, the first UNIQUE, then tried making that the PRIMARY key. I added 4 rows (two of which necessitated editing the proposed SQL) whose contents I was able to edit. Deleted individually a couple of rows, then the table, then the database.

Bypassing the User password problem, this is good for OK.
Because this is 64-bit M6 only, validating it also.
Keywords: (none) => validated_update
Whiteboard: (none) => M6-64-OK
CC: (none) => lewyssmith, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2017-0471.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
Summary: phpmyadmin new security issue PMASA-2017-9 => phpmyadmin new security issue PMASA-2017-9 (CVE-2017-1000499)