Bug 24905 - Security issues on phpmyadmin (CVE-2019-11768 and CVE-2019-12616)
Summary: Security issues on phpmyadmin (CVE-2019-11768 and CVE-2019-12616)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2019-06-05 00:13 CEST by Marc Krämer
Modified: 2019-11-26 14:15 CET

See Also:
Source RPM: phpmyadmin-4.7.8-4.mga6.src.rpm
CVE:
Status comment: Fixed upstream in 4.9.0


Description Marc Krämer 2019-06-05 00:13:40 CEST
Two security issues were discovered in phpmyadmin:
https://www.phpmyadmin.net/security/PMASA-2019-3/
https://www.phpmyadmin.net/security/PMASA-2019-4/
Comment 1 Marc Krämer 2019-06-05 00:21:51 CEST
Updated phpmyadmin packages fix security vulnerabilities:
A vulnerability was reported where a specially crafted database name can be used to trigger an SQL injection attack through the designer feature. (PMASA-2019-3)

A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken <img> tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) through the victim. (PMASA-2019-4)



References:
https://www.phpmyadmin.net/security/PMASA-2019-3/
https://www.phpmyadmin.net/security/PMASA-2019-4/
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-4.7.8-5.mga6.noarch.rpm

Source RPMs: 
phpmyadmin-4.7.8-5.mga6.src.rpm

Assignee: mageia => qa-bugs

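The two vulnerability classes described in the advisory text above (a crafted database name reaching SQL unescaped, and SQL delivered to a logged-in user's phpMyAdmin through a forged GET request such as an <img> src), shown on a toy model. This is an added illustration and not part of the bug report or of phpMyAdmin's code: the designer_settings table, the /sql endpoint path, the PMA_BASE URL, all function names and the use of SQLite in place of MariaDB are assumptions made for the example.

```python
"""Toy model of the two vulnerability classes named in PMASA-2019-3 and
PMASA-2019-4. Added illustration, not phpMyAdmin code: the table name,
endpoint path, function names and the use of SQLite in place of
MySQL/MariaDB are assumptions made for this example."""
import hmac
import sqlite3
from urllib.parse import parse_qs, urlencode, urlparse


# --- PMASA-2019-3 class: a crafted database name spliced into SQL ---------

def setup_db() -> sqlite3.Connection:
    """Hypothetical 'designer settings' table: one row per database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE designer_settings (db_name TEXT, settings TEXT)")
    conn.executemany(
        "INSERT INTO designer_settings VALUES (?, ?)",
        [("sales", "s1"), ("hr", "s2"), ("payroll", "s3")],  # constructed rows
    )
    return conn


def designer_rows_vulnerable(conn: sqlite3.Connection, db_name: str) -> int:
    """String interpolation: a name containing a quote closes the literal and
    rewrites the WHERE clause, so the attacker controls which rows come back."""
    sql = f"SELECT settings FROM designer_settings WHERE db_name = '{db_name}'"
    return len(conn.execute(sql).fetchall())


def designer_rows_fixed(conn: sqlite3.Connection, db_name: str) -> int:
    """Parameter binding: the name is always data, whatever characters it holds."""
    sql = "SELECT settings FROM designer_settings WHERE db_name = ?"
    return len(conn.execute(sql, (db_name,)).fetchall())


def quote_identifier(name: str) -> str:
    """MySQL identifier quoting for positions that cannot take a bound
    parameter (USE ..., CREATE DATABASE ...): wrap in backticks and double
    every backtick inside the name."""
    return "`" + name.replace("`", "``") + "`"


CRAFTED_DB_NAME = "nosuchdb' OR '1'='1"  # constructed attacker-chosen name


# --- PMASA-2019-4 class: SQL delivered through a forged GET request -------

PMA_BASE = "https://pma.example.internal"  # assumed victim deployment URL


def forge_img_tag(sql: str) -> str:
    """Attacker side: a 'broken' <img> whose src is a GET request to the
    victim's phpMyAdmin with the payload in the query string. The victim's
    browser attaches the session cookie when it tries to load the image.
    The /sql endpoint path is hypothetical."""
    qs = urlencode({"db": "payroll", "sql_query": sql})
    return f'<img src="{PMA_BASE}/sql?{qs}">'


def extract_img_url(tag: str) -> str:
    """What the victim's browser actually requests: the src of the forged tag."""
    return tag.split('src="', 1)[1].rstrip('">')


def dispatch(method: str, url: str, form: dict, session_token: str) -> str:
    """Hypothetical hardened handler. Each check alone defeats the <img>
    vector: no SQL accepted from the query string, no state change on GET,
    and a per-session anti-CSRF token compared in constant time."""
    if "sql_query" in parse_qs(urlparse(url).query):
        return "rejected: sql_query in URL"
    if method != "POST":
        return "rejected: not POST"
    if not hmac.compare_digest(form.get("token", ""), session_token):
        return "rejected: bad or missing token"
    return "executed"


if __name__ == "__main__":
    conn = setup_db()
    print("vulnerable rows:", designer_rows_vulnerable(conn, CRAFTED_DB_NAME))
    print("fixed rows:     ", designer_rows_fixed(conn, CRAFTED_DB_NAME))
    print("quoted:         ", quote_identifier("evil`db"))
    tag = forge_img_tag("DELETE FROM employees")
    print(tag)
    print(dispatch("GET", extract_img_url(tag), {}, "s3cret"))
    print(dispatch("POST", PMA_BASE + "/sql",
                   {"sql_query": "SELECT 1", "token": "s3cret"}, "s3cret"))
```

The crafted name returns every row through the interpolated query and none through the bound one; the same name is harmless as a backtick-quoted identifier. On the CSRF side, the forged tag's URL is refused at the first check, and a request that carries the SQL in a POST body still needs the session's token before anything executes. Any one of the three checks is enough against an <img>-delivered request, which is why a fix for this class can be as small as refusing SQL from the query string.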
Comment 2 David Walser 2019-06-05 13:02:25 CEST
These issues also affect Cauldron/Mageia 7 and need to be fixed there as well.

Keywords: (none) => feedback
QA Contact: (none) => security
Component: RPM Packages => Security

David Walser 2019-06-05 13:03:52 CEST

Severity: normal => critical
Status comment: (none) => Fixed upstream in 4.9.0

Comment 3 Marc Krämer 2019-06-05 14:19:52 CEST
Already put in a freeze push request for Cauldron.
Comment 4 PC LX 2019-06-10 11:13:35 CEST
Installed and tested without issues.

Normal use and some extra testing revealed no issues.

System: Mageia 6, x86_64, Apache, MariaDB, Firefox, Chromium, Intel CPU.

$ uname -a
Linux marte 4.14.121-desktop-1.mga6 #1 SMP Wed May 22 12:26:58 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q phpmyadmin apache mariadb
phpmyadmin-4.7.8-5.mga6
apache-2.4.38-1.mga6
mariadb-10.1.39-1.mga6

Whiteboard: (none) => MGA6-64-OK
CC: (none) => mageia

Comment 5 David Walser 2019-06-11 04:25:41 CEST
phpmyadmin-4.9.0.1-1.mga7 has been pushed in Cauldron.  Thanks.

Keywords: feedback => (none)

Comment 6 Thomas Andrews 2019-06-21 02:13:37 CEST
Validating. Advisory information in Comment 1.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Thomas Backlund 2019-06-21 02:29:38 CEST

CC: (none) => tmb
Keywords: (none) => advisory

Comment 7 Mageia Robot 2019-06-21 03:08:24 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0200.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

David Walser 2019-11-26 14:15:30 CET

Summary: Security issues on phpmyadmin => Security issues on phpmyadmin (CVE-2019-11768 and CVE-2019-12616)

