Bug 24238 - phpmyadmin new security issues CVE-2019-6798 and CVE-2019-6799
Summary: phpmyadmin new security issues CVE-2019-6798 and CVE-2019-6799
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-01-26 12:13 CET by David Walser
Modified: 2019-01-30 20:41 CET
CC: 5 users

See Also:
Source RPM: phpmyadmin-4.8.4-1.mga7.src.rpm
CVE:
Status comment:

Description David Walser 2019-01-26 12:13:37 CET
phpMyAdmin 4.8.5 has been released today (January 26), fixing security issues:
https://www.phpmyadmin.net/news/2019/1/26/security-fix-phpmyadmin-485-released/
https://www.phpmyadmin.net/security/PMASA-2019-1/
https://www.phpmyadmin.net/security/PMASA-2019-2/

Mageia 6 is also affected.
David Walser 2019-01-26 12:13:43 CET

Whiteboard: (none) => MGA6TOO

Comment 1 Marc Krämer 2019-01-28 14:33:12 CET
Suggested advisory:
========================

Updated phpmyadmin packages fix security vulnerabilities:

- Possible SQL injection in Designer feature
- When AllowArbitraryServer configuration set to true, with the use of a rogue MySQL server, an attacker can read any file on the server that the web server's user can access.


References:
https://www.phpmyadmin.net/security/PMASA-2019-1/
https://www.phpmyadmin.net/security/PMASA-2019-2/

Updated packages in core/updates_testing:
========================
phpmyadmin-4.7.8-4.mga6

SRPM:
phpmyadmin-4.7.8-4.mga6.src.rpm

Assignee: php => qa-bugs
Whiteboard: MGA6TOO => (none)
CC: (none) => mageia
Version: Cauldron => 6
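
Two checks an administrator would want while this update sits in updates_testing, written as an added example for this page and not taken from the bug report, from Mageia's packaging or from phpMyAdmin itself: whether the installed phpmyadmin package is at or above the fixed phpmyadmin-4.7.8-4.mga6 named above, using rpm's version ordering, and whether config.inc.php leaves $cfg['AllowArbitraryServer'] enabled, which the advisory names as the precondition for the rogue-MySQL-server file read (PMASA-2019-2). The version comparison is a simplified rpmvercmp without '~'/'^' handling, the config parser is a regex approximation of PHP, the default of false for a missing setting is phpMyAdmin's documented default, and the config excerpt is constructed for the example.

```python
import re

# Fixed package named in the suggested advisory above (Mageia 6 backport).
FIXED_MGA6 = "phpmyadmin-4.7.8-4.mga6"


def _segments(s):
    """Split a version string into the digit and letter runs rpm compares on."""
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpm_vercmp(a, b):
    """Compare two rpm version or release strings; returns -1, 0 or 1.

    Follows rpmvercmp(): segments are compared pairwise, numeric segments as
    integers, alphabetic ones lexically, a numeric segment outranks an alpha
    one, and the string with segments left over wins.  Simplified: the '~'
    and '^' operators are not handled (neither appears in the versions here).
    """
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) != len(sb):
        return 1 if len(sa) > len(sb) else -1
    return 0


def parse_nvr(nvr):
    """'phpmyadmin-4.7.8-4.mga6' -> ('phpmyadmin', '4.7.8', '4.mga6')."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def is_fixed(installed_nvr, fixed_nvr=FIXED_MGA6):
    """True when the installed name-version-release is at or above the fixed one."""
    _, iv, ir = parse_nvr(installed_nvr)
    _, fv, fr = parse_nvr(fixed_nvr)
    c = rpm_vercmp(iv, fv) or rpm_vercmp(ir, fr)   # release only decides ties
    return c >= 0


_ARB = re.compile(
    r"""\$cfg\s*\[\s*['"]AllowArbitraryServer['"]\s*\]\s*=\s*(true|false)\s*;""",
    re.IGNORECASE,
)


def allow_arbitrary_server(config_text):
    """Effective $cfg['AllowArbitraryServer'] in a config.inc.php.

    Block and line comments are stripped first, the last live assignment wins,
    and a missing setting means false (phpMyAdmin's default).  Crude parser
    (assumption): it does not understand PHP strings containing '//' or '#'.
    """
    text = re.sub(r"/\*.*?\*/", "", config_text, flags=re.DOTALL)
    value = False
    for line in text.splitlines():
        code = re.split(r"//|#", line, maxsplit=1)[0]
        for m in _ARB.finditer(code):
            value = m.group(1).lower() == "true"
    return value


def assess(installed_nvr, config_text):
    """Return (patched, arbitrary_server_on, advice) for one host."""
    patched = is_fixed(installed_nvr)
    arbitrary = allow_arbitrary_server(config_text)
    if patched:
        advice = "updated package installed; PMASA-2019-1 and PMASA-2019-2 fixed"
    elif arbitrary:
        advice = ("UNPATCHED with AllowArbitraryServer=true: a rogue MySQL server "
                  "named on the login page can read files as the web server user "
                  "(PMASA-2019-2); set it to false until the update is installed")
    else:
        advice = "UNPATCHED: Designer SQL injection (PMASA-2019-1) still open; update"
    return patched, arbitrary, advice


# Constructed config.inc.php excerpt (not from the bug report or any real host).
SAMPLE_CONFIG = """<?php
/* servers */
$cfg['blowfish_secret'] = 'example-secret';
$cfg['Servers'][1]['host'] = 'localhost';
// $cfg['AllowArbitraryServer'] = false;
$cfg['AllowArbitraryServer'] = true;   # lets the login form target any host
"""

if __name__ == "__main__":
    # Feed the real values with: rpm -q phpmyadmin and the contents of config.inc.php
    for nvr in ("phpmyadmin-4.7.8-3.mga6", "phpmyadmin-4.7.8-4.mga6"):
        print(nvr, assess(nvr, SAMPLE_CONFIG))
```

On a live host, replace the two hard-coded inputs with the output of `rpm -q phpmyadmin` and the installed config.inc.php; the package check is the one the QA testers below effectively perform by installing from updates_testing, and the config check tells you whether the rogue-server issue applies to you at all before the update lands.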

Comment 2 Herman Viaene 2019-01-29 10:00:01 CET
MGA6-32 MATE on IBM Thinkpad R50e
No installation issues, apart from the fact that mysql was not yet installed. I had to initiate this installation.
At CLI:
# systemctl start httpd
# systemctl start mysqld
# mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.
etc.

to get a working mysql.
Then run phpmyadmin in the browser, create a new database and a new table with PK and unique key.
All OK.

Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene

Comment 3 PC LX 2019-01-29 13:41:09 CET
Installed and tested without issues.

Tests included:
- Browsing databases, tables and data;
- Creating a test table;
- Inserting, updating and deleting rows;
- Executing several SQL queries;

System: Mageia 6, x86_64, Apache, MariaDB, Intel CPU.

$ uname -a
Linux marte 4.14.89-desktop-1.mga6 #1 SMP Mon Dec 17 13:14:48 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q apache ; rpm -q mariadb
apache-2.4.37-1.2.mga6
mariadb-10.1.37-1.mga6

CC: (none) => mageia
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK

Comment 4 Lewis Smith 2019-01-29 20:16:39 CET
Thank you both for the quick work. Hard to keep up...

Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 5 Mageia Robot 2019-01-30 20:41:04 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0057.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED