Upstream has issued an advisory on October 28:
https://www.phpmyadmin.net/security/PMASA-2019-5/

The issue is fixed upstream in 4.9.2:
https://www.phpmyadmin.net/news/2019/11/22/phpmyadmin-492-released/

Mageia 7 is also affected.
Whiteboard: (none) => MGA7TOO
Assigning to the registered maintainer.
Assignee: bugsquad => mageia
Severity: major => normal
Severity: normal => major
Marc uploaded phpmyadmin-4.9.2-1.mga8 for Cauldron.
Whiteboard: MGA7TOO => (none)
Version: Cauldron => 7
@David: this is not very severe. This issue is kind of hypothetical. But I'll push a new version to mga7 after testing Cauldron.
It wasn't real clear that upstream calling it "serious" meant low severity, but it looks like you're right.
Updated phpmyadmin packages fix security vulnerability:

SQL injection in Designer feature.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2019-18622

Updated packages in core/updates_testing:
========================
phpmyadmin-4.9.2-1.mga7.noarch.rpm

SRPM:
phpmyadmin-4.9.2-1.mga7.src.rpm
QA Contact: security => qa-bugs
This update also fixes CVE-2019-12922: https://lists.opensuse.org/opensuse-updates/2019-09/msg00162.html
openSUSE advisory for CVE-2019-18622: https://lists.opensuse.org/opensuse-updates/2019-12/msg00003.html
Missed assigning it to QA. Advisory in comment #5.
Assignee: mageia => qa-bugs
Installed and tested without issues.

Tested by normal usage and extra testing on a local host and a remote host, using an ssh tunnel.

No issues or regressions.

System: Mageia 7, x86_64, Apache, MariaDB, Firefox, Chromium, Intel CPU.

$ uname -a
Linux marte 5.3.13-desktop-2.mga7 #1 SMP Mon Nov 25 20:30:40 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -q phpmyadmin apache mariadb
phpmyadmin-4.9.2-1.mga7
apache-2.4.39-1.mga7
mariadb-10.3.20-1.mga7
Whiteboard: (none) => MGA7-64-OK
CC: (none) => mageia
Validating.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0357.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
This update also fixes CVE-2019-19617: https://www.debian.org/lts/security/2019/dla-2024