Bug 22640 - phpmyadmin new security issue CVE-2018-7260
Summary: phpmyadmin new security issue CVE-2018-7260
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-02-23 12:08 CET by David Walser
Modified: 2018-03-04 00:41 CET (History)
2 users (show)

See Also:
Source RPM: phpmyadmin-4.7.7-1.mga7.src.rpm
CVE:
Status comment: Fixed upstream in 4.7.8


Attachments

Description David Walser 2018-02-23 12:08:09 CET
Upstream has issued an advisory on February 20:
https://www.phpmyadmin.net/security/PMASA-2018-1/

phpMyAdmin 4.7.8 has been released, fixing this issue:
https://www.phpmyadmin.net/news/2018/2/20/security-fix-phpmyadmin-478-released/

Mageia 6 is also affected.
David Walser 2018-02-23 12:08:24 CET

Status comment: (none) => Fixed upstream in 4.7.8
Whiteboard: (none) => MGA6TOO

Comment 1 José Jorge 2018-02-23 12:18:12 CET
Thanks for the report. Version 4.7.8 submitted to cauldron and MGA6.

Status: NEW => ASSIGNED
Assignee: lists.jjorge => qa-bugs
CC: (none) => lists.jjorge

Comment 2 David Walser 2018-02-23 13:21:04 CET
Mageia 6 update hasn't been pushed yet.

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6
Assignee: qa-bugs => lists.jjorge

José Jorge 2018-02-23 13:40:25 CET

Assignee: lists.jjorge => qa-bugs

Comment 3 José Jorge 2018-02-23 13:40:50 CET
(In reply to David Walser from comment #2)
> Mageia 6 update hasn't been pushed yet.

You are right, now it is pushed.
Comment 4 David Walser 2018-02-23 13:53:02 CET
Advisory:
========================

Updated phpmyadmin package fixes security vulnerability:

A self-cross site scripting (XSS) vulnerability has been reported relating to
the central columns feature (CVE-2018-7260).

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7260
https://www.phpmyadmin.net/security/PMASA-2018-1/
https://www.phpmyadmin.net/files/4.7.8/
https://www.phpmyadmin.net/news/2018/2/20/security-fix-phpmyadmin-478-released/
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-4.7.8-1.mga6

from phpmyadmin-4.7.8-1.mga6.src.rpm
Comment 5 claire robinson 2018-02-28 17:21:25 CET
Advisory uploaded.

Keywords: (none) => advisory

Comment 6 Lewis Smith 2018-03-02 10:32:07 CET
Testing M6/64

AFTER update to: phpmyadmin-4.7.8-1.mga6
 http://localhost/phpmyadmin
Chose UK English language at login, created a database, one table, 4 different fields, first made unique & index, inserted rows, edited data, deleted by row, deleted table, deleted the DB. All looks OK, so OKing & validating the update as it has nothing to do with the current Qt update.

Whiteboard: (none) => MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2018-03-04 00:41:57 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0156.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.