Upstream has issued an advisory on August 21: https://www.phpmyadmin.net/security/PMASA-2018-5/ The issue is fixed upstream in 4.8.3: https://www.phpmyadmin.net/news/2018/8/22/security-fix-phpmyadmin-483-released/ Mageia 5 and Mageia 6 are also affected.
Whiteboard: (none) => MGA6TOO
Assigning to the registered maintainer.
Assignee: bugsquad => mageia
CC: (none) => marja11
Fixed in Cauldron by Marc.
Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Since this issue is not severe and the patch is not applicable to our version, I won't fix it for mga6.
Since phpmyadmin is a standalone package I think you can simply update to latest version, somewhat like what we mostly do for php...
CC: (none) => tmb
@Thomas: no, this version still has issues that affect the normal workflow. I'll have to do some more testing on the latest version, but this update has too many changes.
openSUSE has issued an advisory for this on August 27: https://lists.opensuse.org/opensuse-updates/2018-08/msg00158.html
Suggested advisory:
========================

Updated phpmyadmin packages fix security vulnerabilities:

A Cross-Site Scripting vulnerability was found in the file import feature, where an attacker can deliver a payload to a user through importing a specially-crafted file.

We ship the current stable version of phpmyadmin.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15605
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-4.8.3-5.mga7.noarch.rpm

Source:
phpmyadmin-4.8.3-5.mga7.src.rpm
Assignee: mageia => qa-bugs
Links in Comment 0 should also be in the advisory references, and the updated package is actually: phpmyadmin-4.8.3-1.mga6 from phpmyadmin-4.8.3-1.mga6.src.rpm
Sorry, I'll have to revert that update. We'll have to stay with 4.7.x since 4.8 officially requires PHP 7.1. So, instead of updating, I'll apply the patch. I don't want to have trouble with releases on PHP 5.6, even if it runs.
CC: (none) => mageia
Assignee: qa-bugs => mageia
I'll skip this patch. The patch is only valid for 4.8.x and the structures totally changed. I'm not really sure if 4.7 is really affected. And even the phpmyadmin guys say "We consider this attack to be of moderate severity.", which is my opinion too. When we push php7 to mga6, we can do this update as well. I'll close it for now.
Resolution: (none) => WONTFIX
Status: NEW => RESOLVED
It sounds like 4.7 isn't affected then.
Resolution: WONTFIX => INVALID