Bug 23479 - phpmyadmin new security issue CVE-2018-15605
Summary: phpmyadmin new security issue CVE-2018-15605
Status: RESOLVED INVALID
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: Marc Krämer
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-08-23 12:39 CEST by David Walser
Modified: 2018-10-27 14:04 CEST (History)
CC List: 3 users

See Also:
Source RPM: phpmyadmin-4.8.2-1.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2018-08-23 12:39:57 CEST
Upstream has issued an advisory on August 21:
https://www.phpmyadmin.net/security/PMASA-2018-5/

The issue is fixed upstream in 4.8.3:
https://www.phpmyadmin.net/news/2018/8/22/security-fix-phpmyadmin-483-released/

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-08-23 12:40:07 CEST

Whiteboard: (none) => MGA6TOO

Comment 1 Marja Van Waes 2018-08-23 22:31:30 CEST
Assigning to the registered maintainer.

Assignee: bugsquad => mageia
CC: (none) => marja11

Comment 2 David Walser 2018-08-24 14:04:12 CEST
Fixed in Cauldron by Marc.

Whiteboard: MGA6TOO => (none)
Version: Cauldron => 6

Comment 3 Marc Krämer 2018-08-24 20:52:21 CEST
Since this issue is not severe and the patch is not applicable to our version, I won't fix it for mga6.
Comment 4 Thomas Backlund 2018-08-24 20:58:09 CEST
Since phpmyadmin is a standalone package I think you can simply update to latest version, somewhat like what we mostly do for php...

CC: (none) => tmb

Comment 5 Marc Krämer 2018-08-24 21:19:20 CEST
@Thomas: no, this version still has issues that affect the normal workflow.
I'll have to do some more testing on the latest version, but this update has too many changes.
Comment 6 David Walser 2018-08-28 22:51:13 CEST
openSUSE has issued an advisory for this on August 27:
https://lists.opensuse.org/opensuse-updates/2018-08/msg00158.html
Comment 7 Marc Krämer 2018-10-26 15:34:40 CEST
Suggested advisory:
========================
Updated phpmyadmin packages fix security vulnerabilities:

A Cross-Site Scripting vulnerability was found in the file import feature, where an attacker can deliver a payload to a user through importing a specially-crafted file.
We ship the current stable version of phpmyadmin.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15605
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-4.8.3-5.mga7.noarch.rpm

Source:
phpmyadmin-4.8.3-5.mga7.src.rpm

Assignee: mageia => qa-bugs

Comment 8 David Walser 2018-10-26 16:07:20 CEST
Links in Comment 0 should also be in the advisory references, and the updated package is actually:
phpmyadmin-4.8.3-1.mga6

from phpmyadmin-4.8.3-1.mga6.src.rpm
Comment 9 Marc Krämer 2018-10-27 11:30:38 CEST
Sorry, I'll have to revert that update.
We'll have to stay with 4.7.x since 4.8 officially requires PHP 7.1.
So, instead of updating, I'll apply the patch. I don't want to have trouble with releases PHP 5.6, even if it runs.

CC: (none) => mageia
Assignee: qa-bugs => mageia

Comment 10 Marc Krämer 2018-10-27 11:44:53 CEST
I'll skip this patch. The patch is only valid for 4.8.x and the structures totally changed. I'm not really sure if 4.7 is really affected. And even the phpmyadmin guys say "We consider this attack to be of moderate severity.", which is my opinion too.

When we push php7 to mga6, we can do this update as well. I'll close it for now.

Resolution: (none) => WONTFIX
Status: NEW => RESOLVED

Comment 11 David Walser 2018-10-27 14:04:34 CEST
It sounds like 4.7 isn't affected then.

Resolution: WONTFIX => INVALID

