Bug 23227 - phpmyadmin new security issue CVE-2018-12581
Summary: phpmyadmin new security issue CVE-2018-12581
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-06-24 23:12 CEST by David Walser
Modified: 2018-07-01 19:18 CEST (History)
4 users (show)

See Also:
Source RPM: phpmyadmin-4.7.8-1.mga6.src.rpm
CVE:
Status comment: Fixed upstream in 4.8.2


Attachments

Description David Walser 2018-06-24 23:12:22 CEST
Upstream has issued an advisory on June 19:
https://www.phpmyadmin.net/security/PMASA-2018-3/

The issue is fixed in 4.8.2:
https://www.phpmyadmin.net/news/2018/6/21/security-fix-phpmyadmin-482-released/

Mageia 5 is also affected (but doesn't need to be updated).

Now you can update it :o)
Comment 1 David Walser 2018-06-24 23:12:44 CEST
openSUSE has issued an advisory for this on June 23:
https://lists.opensuse.org/opensuse-updates/2018-06/msg00129.html

Status comment: (none) => Fixed upstream in 4.8.2

Comment 2 Marc Krämer 2018-06-25 01:51:15 CEST
hmm. I have to have a closer look at this.
4.8.x has some major changes. Since this is only moderate, maybe we won't fix it.
Comment 3 David Walser 2018-06-25 02:05:37 CEST
Moderate doesn't mean not important, and if 4.8.x is all that's supported, then it is what it is.
Comment 4 Marc Krämer 2018-06-27 02:08:32 CEST
Updated phpmyadmin package fix security vulnerability:

A Cross-Site Scripting vulnerability was found in the Designer feature, where an attacker can deliver a payload to a user through a specially-crafted database name.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12581
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-4.7.8-2.mga6.noarch.rpm

Source RPMs: 
phpmyadmin-4.7.8-2.mga6.src.rpm
Marc Krämer 2018-06-27 02:08:47 CEST

Assignee: mageia => qa-bugs

Comment 5 Herman Viaene 2018-06-29 11:21:23 CEST
Hmmm, I have already version 4.8.0.1 installed on this laptop and as far as I can see in MCC this is an officially supported version.We are not going backwards???

CC: (none) => herman.viaene

Comment 6 William Kenney 2018-06-29 22:13:44 CEST
In VirtualBox, M6, MATE, 32-bit

Package(s) under test:
mariadb phpmyadmin

default install of mariadb & phpmyadmin

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.1.33-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.7.8-1.mga6.noarch is already installed

start mysqladmin, set password to "mytest"
open http://localhost/phpmyadmin/
create new database called test01. Close browser.
Successfully reopen: http://localhost/phpmyadmin/

install phpmyadmin from updates_testing

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.1.33-1.mga6.i586 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.7.8-2.mga6.noarch is already installed

open http://localhost/phpmyadmin/
create new database called test02. Close browser.
Successfully reopen: http://localhost/phpmyadmin/
I can access db's test01 & test02

CC: (none) => wilcal.int

William Kenney 2018-06-29 22:14:24 CEST

Whiteboard: (none) => MGA6-32-OK

Comment 7 William Kenney 2018-06-29 22:32:55 CEST
In VirtualBox, M6, MATE, 64-bit

Package(s) under test:
mariadb phpmyadmin

default install of mariadb & phpmyadmin

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.1.33-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.7.8-1.mga6.noarch is already installed

start mysqladmin, set password to "mytest"
open http://localhost/phpmyadmin/
create new database called test01. Close browser.
Successfully reopen: http://localhost/phpmyadmin/

install phpmyadmin from updates_testing

[root@localhost wilcal]# urpmi mariadb
Package mariadb-10.1.33-1.mga6.x86_64 is already installed
[root@localhost wilcal]# urpmi phpmyadmin
Package phpmyadmin-4.7.8-2.mga6.noarch is already installed

open http://localhost/phpmyadmin/
create new database called test02. Close browser.
Successfully reopen: http://localhost/phpmyadmin/
I can access db's test01 & test02
William Kenney 2018-06-29 22:33:24 CEST

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2018-06-30 04:29:56 CEST

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 8 Mageia Robot 2018-07-01 19:18:40 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0304.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED


Note You need to log in before you can comment on or make changes to this bug.