Bug 24012 - phpmyadmin new security issues CVE-2018-1996[89] and CVE-2018-19970
Summary: phpmyadmin new security issues CVE-2018-1996[89] and CVE-2018-19970
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-12-15 17:53 CET by David Walser
Modified: 2018-12-20 21:18 CET
CC List: 4 users

See Also:
Source RPM: phpmyadmin-4.8.3-6.mga7.src.rpm
CVE:
Status comment:



David Walser 2018-12-15 17:53:20 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Marc Krämer 2018-12-15 20:44:11 CET
Yep, but phpmyadmin >4.8.0 only supports PHP >7.
I'll have to look if we can adapt the patches...

CC: (none) => mageia

Comment 2 Marc Krämer 2018-12-15 21:46:28 CET
OK, I'll patch CVE-2018-19970 and CVE-2018-19968; waiting for admins to remove the test package of 4.8.3 from updates_testing.

Comment 3 Marc Krämer 2018-12-16 14:21:16 CET
Patched phpmyadmin packages to fix security vulnerabilities:
- An XSS vulnerability in the navigation tree was discovered
- Local file inclusion through the transformation feature


References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19970
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19968
https://www.phpmyadmin.net/security/PMASA-2018-6/
https://www.phpmyadmin.net/security/PMASA-2018-8/
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-4.7.8-3.mga6.noarch.rpm

Source RPMs: 
phpmyadmin-4.7.8-3.mga6.src.rpm

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Assignee: php => qa-bugs
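
The advisory above names the fixed build for Mageia 6 (phpmyadmin-4.7.8-3.mga6). The check a practitioner wants on a host is whether the installed package sorts at or above that build under rpm's own ordering rules, which are not plain string or float comparison. The block below is an added example, not code from this bug report, from Mageia's tooling or from phpMyAdmin: it reimplements rpm's rpmvercmp() segment comparison (numeric beats alphabetic, '~' sorts before anything, '^' sorts after end-of-string), parses name-[epoch:]version-release[.arch] strings, and refuses to compare across Mageia branches, since the page shows Cauldron carrying a different, separately handled build (4.8.3-6.mga7). The arch suffix list and the "mgaN" branch regex are assumptions for this example; the "installed" strings are constructed sample `rpm -q phpmyadmin` outputs, not output captured from a real host.

```python
import re

# Tokens rpmvercmp cares about: digit runs, letter runs, '~' and '^'.
# Every other character is a separator and is skipped.
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~|\^")
# Assumed arch suffixes that `rpm -q` appends to the NVR on most builds.
_ARCHES = {"noarch", "i586", "i686", "x86_64", "aarch64", "armv7hl"}
# Assumed Mageia branch tag inside the release field (e.g. "3.mga6").
_BRANCH = re.compile(r"mga\d+")

# Fixed build named in the advisory in this report (Mageia 6 only).
FIXED_MGA6 = "phpmyadmin-4.7.8-3.mga6"

# Constructed sample `rpm -q phpmyadmin` outputs, not captured from real hosts.
SAMPLES = [
    "phpmyadmin-4.7.8-2.mga6.noarch",  # previous build: still vulnerable
    "phpmyadmin-4.7.8-3.mga6.noarch",  # the update: fixed
    "phpmyadmin-4.7.8-3.mga6",         # same build, printed without arch
]


def rpmvercmp(a: str, b: str) -> int:
    """Return 1, 0 or -1 as a is newer than, equal to or older than b (rpm rules)."""
    if a == b:
        return 0
    one, two = _SEG.findall(a), _SEG.findall(b)
    i = j = 0
    while i < len(one) or j < len(two):
        x = one[i] if i < len(one) else None
        y = two[j] if j < len(two) else None
        if x == "~" or y == "~":          # tilde sorts before everything, even EOS
            if x != "~":
                return 1
            if y != "~":
                return -1
            i, j = i + 1, j + 1
            continue
        if x == "^" or y == "^":          # caret sorts after EOS, before anything else
            if x is None:
                return -1
            if y is None:
                return 1
            if x != "^":
                return 1
            if y != "^":
                return -1
            i, j = i + 1, j + 1
            continue
        if x is None or y is None:
            break
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num != y_num:                # numeric segment beats alphabetic one
            return 1 if x_num else -1
        if x_num:
            xi, yi = int(x), int(y)       # int() drops leading zeros like rpm does
            if xi != yi:
                return 1 if xi > yi else -1
        elif x != y:
            return 1 if x > y else -1
        i, j = i + 1, j + 1
    if i >= len(one) and j >= len(two):
        return 0
    return 1 if i < len(one) else -1      # the side with segments left is newer


def parse_nevr(pkg: str):
    """Split 'name-[epoch:]version-release[.arch]' into (name, epoch, version, release)."""
    parts = pkg.rsplit("-", 2)
    if len(parts) != 3:
        raise ValueError(f"not a NEVR string: {pkg!r}")
    name, version, release = parts
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    head, _, tail = release.rpartition(".")
    if tail in _ARCHES:
        release = head
    return name, epoch, version, release


def evr_cmp(a, b) -> int:
    """Order (epoch, version, release) tuples the way rpm orders packages."""
    if a[0] != b[0]:
        return 1 if a[0] > b[0] else -1
    c = rpmvercmp(a[1], b[1])
    return c if c else rpmvercmp(a[2], b[2])


def is_fixed(installed: str, fixed: str) -> bool:
    """True if `installed` is the same package, same branch, at or above `fixed`."""
    iname, *ievr = parse_nevr(installed)
    fname, *fevr = parse_nevr(fixed)
    if iname != fname:
        raise ValueError(f"package mismatch: {iname} vs {fname}")
    ib, fb = _BRANCH.search(ievr[2]), _BRANCH.search(fevr[2])
    if (ib and ib.group(0)) != (fb and fb.group(0)):
        raise ValueError("advisory NEVR is per branch; do not compare across mgaN tags")
    return evr_cmp(tuple(ievr), tuple(fevr)) >= 0


def audit(samples, fixed=FIXED_MGA6):
    """Map each installed NEVR to whether it carries the advisory's fix."""
    return {s: is_fixed(s, fixed) for s in samples}


if __name__ == "__main__":
    for pkg, ok in audit(SAMPLES).items():
        print(f"{pkg:36s} {'fixed' if ok else 'VULNERABLE'}")
```

The branch check matters for this particular report: the Cauldron build 4.8.3-6.mga7 would sort above 4.7.8-3.mga6 by version alone, but it is a different branch whose fix status is tracked separately, so comparing it against the Mageia 6 advisory would give a meaningless answer.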

Comment 4 Herman Viaene 2018-12-17 11:20:43 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues.
Checked httpd and mysqld are running.
Pointed to http://localhost/phpmyadmin/, deleted the previous test database, created a new one, and created a new table in it.
Closed phpmyadmin and opened it again. All OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK

Comment 5 Lewis Smith 2018-12-19 12:21:11 CET
Thanks yet again, Herman. Validating; advisory from comment 3.

Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 6 Mageia Robot 2018-12-20 21:18:30 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0486.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

