Two security issues were discovered in phpmyadmin:
https://www.phpmyadmin.net/security/PMASA-2019-3/
https://www.phpmyadmin.net/security/PMASA-2019-4/

Updated phpmyadmin packages fix security vulnerabilities:

A vulnerability was reported where a specially crafted database name can be used to trigger an SQL injection attack through the designer feature. (PMASA-2019-3)

A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin user. The attacker can trick the user, for instance through a broken <img> tag pointing at the victim's phpMyAdmin database, and the attacker can potentially deliver a payload (such as a specific INSERT or DELETE statement) through the victim. (PMASA-2019-4)

References:
https://www.phpmyadmin.net/security/PMASA-2019-3/
https://www.phpmyadmin.net/security/PMASA-2019-4/

========================
Updated packages in core/updates_testing:
========================
phpmyadmin-4.7.8-5.mga6.noarch.rpm

Source RPMs:
phpmyadmin-4.7.8-5.mga6.src.rpm
Assignee: mageia => qa-bugs
These issues also affect Cauldron/Mageia 7 and need to be fixed there as well.
Keywords: (none) => feedback
QA Contact: (none) => security
Component: RPM Packages => Security
Severity: normal => critical
Status comment: (none) => Fixed upstream in 4.9.0
Already put a freeze push request for Cauldron.
Installed and tested without issues. Normal use and some extra testing revealed no issues.

System: Mageia 6, x86_64, Apache, MariaDB, Firefox, Chromium, Intel CPU.

$ uname -a
Linux marte 4.14.121-desktop-1.mga6 #1 SMP Wed May 22 12:26:58 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q phpmyadmin apache mariadb
phpmyadmin-4.7.8-5.mga6
apache-2.4.38-1.mga6
mariadb-10.1.39-1.mga6

Whiteboard: (none) => MGA6-64-OK
CC: (none) => mageia
phpmyadmin-4.9.0.1-1.mga7 has been pushed in Cauldron. Thanks.
Keywords: feedback => (none)
Validating. Advisory information in Comment 1.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2019-0200.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
Summary: Security issues on phpmyadmin => Security issues on phpmyadmin (CVE-2019-11768 and CVE-2019-12616)