Upstream has issued an advisory on June 19:
https://www.phpmyadmin.net/security/PMASA-2018-3/
The issue is fixed in 4.8.2:
https://www.phpmyadmin.net/news/2018/6/21/security-fix-phpmyadmin-482-released/
Mageia 5 is also affected (but doesn't need to be updated).
Now you can update it :o)
openSUSE has issued an advisory for this on June 23:
https://lists.opensuse.org/opensuse-updates/2018-06/msg00129.html
Status comment: (none) => Fixed upstream in 4.8.2
Hmm. I have to have a closer look at this. 4.8.x has some major changes. Since this is only moderate, maybe we won't fix it.
Moderate doesn't mean not important, and if 4.8.x is all that's supported, then it is what it is.
Updated phpmyadmin package fixes security vulnerability:

A Cross-Site Scripting vulnerability was found in the Designer feature, where an attacker can deliver a payload to a user through a specially-crafted database name.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12581
========================
Updated packages in core/updates_testing:
========================
phpmyadmin-4.7.8-2.mga6.noarch.rpm

Source RPMs:
phpmyadmin-4.7.8-2.mga6.src.rpm
Assignee: mageia => qa-bugs
Hmmm, I already have version 4.8.0.1 installed on this laptop and as far as I can see in MCC this is an officially supported version. We are not going backwards???
CC: (none) => herman.viaene
In VirtualBox, M6, MATE, 32-bit

Package(s) under test:
mariadb phpmyadmin

default install of mariadb & phpmyadmin

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.1.33-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.7.8-1.mga6.noarch is already installed

start mysqladmin, set password to "mytest"
open http://localhost/phpmyadmin/
create new database called test01. Close browser.
Successfully reopen: http://localhost/phpmyadmin/

install phpmyadmin from updates_testing

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.1.33-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.7.8-2.mga6.noarch is already installed

open http://localhost/phpmyadmin/
create new database called test02. Close browser.
Successfully reopen: http://localhost/phpmyadmin/
I can access db's test01 & test02
CC: (none) => wilcal.int
Whiteboard: (none) => MGA6-32-OK
In VirtualBox, M6, MATE, 64-bit

Package(s) under test:
mariadb phpmyadmin

default install of mariadb & phpmyadmin

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.1.33-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.7.8-1.mga6.noarch is already installed

start mysqladmin, set password to "mytest"
open http://localhost/phpmyadmin/
create new database called test01. Close browser.
Successfully reopen: http://localhost/phpmyadmin/

install phpmyadmin from updates_testing

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.1.33-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.7.8-2.mga6.noarch is already installed

open http://localhost/phpmyadmin/
create new database called test02. Close browser.
Successfully reopen: http://localhost/phpmyadmin/
I can access db's test01 & test02
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0304.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED