24238 – phpmyadmin new security issues CVE-2019-6798 and CVE-2019-6799

Bug 24238 - phpmyadmin new security issues CVE-2019-6798 and CVE-2019-6799

Summary: phpmyadmin new security issues CVE-2019-6798 and CVE-2019-6799

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	6
Hardware:	All Linux

Priority:	Normal Severity: critical
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA6-32-OK MGA6-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2019-01-26 12:13 CET by David Walser
Modified:	2019-01-30 20:41 CET (History)
CC List:	5 users (show)

See Also:
Source RPM:	phpmyadmin-4.8.4-1.mga7.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2019-01-26 12:13:37 CET

phpMyAdmin 4.8.5 has been released today (January 26), fixing security issues:
https://www.phpmyadmin.net/news/2019/1/26/security-fix-phpmyadmin-485-released/
https://www.phpmyadmin.net/security/PMASA-2019-1/
https://www.phpmyadmin.net/security/PMASA-2019-2/

Mageia 6 is also affected.

David Walser 2019-01-26 12:13:43 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Marc Krämer 2019-01-28 14:33:12 CET

Suggested advisory:
========================

Updated phpmyadmin packages fix security vulnerabilities:

- Possible SQL injection in Designer feature
- When AllowArbitraryServer configuration set to true, with the use of a rogue MySQL server, an attacker can read any file on the server that the web server's user can access.


References:
https://www.phpmyadmin.net/security/PMASA-2019-1/
https://www.phpmyadmin.net/security/PMASA-2019-2/

Updated packages in core/updates_testing:
========================
phpmyadmin-4.7.8-4.mga6

SRPM:
phpmyadmin-4.7.8-4.mga6.src.rpm

Whiteboard: MGA6TOO => (none)
CC: (none) => mageia
Version: Cauldron => 6
Assignee: php => qa-bugs

Comment 2 Herman Viaene 2019-01-29 10:00:01 CET

MGA6-32 MATE on IBM Thinkpad R50e
No installation issues, apart from the fact that mysql was not yet installed. I had to initiate this installation.
At CLI:
# systemctl  start httpd
# systemctl  start mysqld
# mysql_secure_installation 

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
etc .... 


to get a working mysql 
Then run phpmyadmin in the browser, create a new database and a new table with PK and unique key.
All OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK

Comment 3 PC LX 2019-01-29 13:41:09 CET

Installed and tested without issues.

Tests included:
- Browsing databases, tables and data;
- Creating a test table;
- Inserting, updating and deleting rows;
- Executing several SQL queries;

System: Mageia 6, x86_64, Apache, MariaDB, Intel CPU.

$ uname -a
Linux marte 4.14.89-desktop-1.mga6 #1 SMP Mon Dec 17 13:14:48 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q apache ; rpm -q mariadb
apache-2.4.37-1.2.mga6
mariadb-10.1.37-1.mga6

CC: (none) => mageia
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK

Comment 4 Lewis Smith 2019-01-29 20:16:39 CET

Thank you both for the quick work. Hard to keep up...

Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 5 Mageia Robot 2019-01-30 20:41:04 CET

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0057.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Note You need to log in before you can comment on or make changes to this bug.