Bug 22640 - phpmyadmin new security issue CVE-2018-7260
Summary: phpmyadmin new security issue CVE-2018-7260
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-02-23 12:08 CET by David Walser
Modified: 2018-03-04 00:41 CET (History)
2 users (show)

See Also:
Source RPM: phpmyadmin-4.7.7-1.mga7.src.rpm
CVE:
Status comment: Fixed upstream in 4.7.8

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2018-02-23 12:08:09 CET 
Upstream has issued an advisory on February 20:
https://www.phpmyadmin.net/security/PMASA-2018-1/

phpMyAdmin 4.7.8 has been released, fixing this issue:
https://www.phpmyadmin.net/news/2018/2/20/security-fix-phpmyadmin-478-released/

Mageia 6 is also affected.
David Walser 2018-02-23 12:08:24 CET

Status comment: (none) => Fixed upstream in 4.7.8
Whiteboard: (none) => MGA6TOO

Comment 1 José Jorge 2018-02-23 12:18:12 CET 
Thanks for the report. Version 4.7.8 submitted to cauldron and MGA6.

Assignee: lists.jjorge => qa-bugs
CC: (none) => lists.jjorge
Status: NEW => ASSIGNED

Comment 2 David Walser 2018-02-23 13:21:04 CET 
Mageia 6 update hasn't been pushed yet.

Assignee: qa-bugs => lists.jjorge
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)

José Jorge 2018-02-23 13:40:25 CET

Assignee: lists.jjorge => qa-bugs

Comment 3 José Jorge 2018-02-23 13:40:50 CET 
(In reply to David Walser from comment #2)
> Mageia 6 update hasn't been pushed yet.

You are right, now it is pushed.
Comment 4 David Walser 2018-02-23 13:53:02 CET 
Advisory:
========================

Updated phpmyadmin package fixes security vulnerability:

A self-cross site scripting (XSS) vulnerability has been reported relating to
the central columns feature (CVE-2018-7260).

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7260
https://www.phpmyadmin.net/security/PMASA-2018-1/
https://www.phpmyadmin.net/files/4.7.8/
https://www.phpmyadmin.net/news/2018/2/20/security-fix-phpmyadmin-478-released/
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-4.7.8-1.mga6

from phpmyadmin-4.7.8-1.mga6.src.rpm
Comment 5 claire robinson 2018-02-28 17:21:25 CET 
Advisory uploaded.

Keywords: (none) => advisory

Comment 6 Lewis Smith 2018-03-02 10:32:07 CET 
Testing M6/64

AFTER update to: phpmyadmin-4.7.8-1.mga6
 http://localhost/phpmyadmin
Chose UK English language at login, created a database, one table, 4 different fields, first made unique & index, inserted rows, edited data, deleted by row, deleted table, deleted the DB. All looks OK, so OKing & validating the update as it has nothing to do with the current Qt update.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA6-64-OK
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2018-03-04 00:41:57 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0156.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
Note You need to log in before you can comment on or make changes to this bug.