New version release fixes 2 security issues:

PMASA-2020-5 XSS vulnerability with transformation feature
PMASA-2020-6 SQL injection vulnerability with the search feature

https://www.phpmyadmin.net/news/2020/10/10/phpmyadmin-496-and-503-are-released/
Updated phpmyadmin packages fix security vulnerabilities:

- PMASA-2020-5 XSS vulnerability with transformation feature
- PMASA-2020-6 SQL injection vulnerability with the search feature

References:
https://www.phpmyadmin.net/news/2020/10/10/phpmyadmin-496-and-503-are-released/

========================
Updated packages in core/updates_testing:
========================
phpmyadmin-4.9.6-1.mga7.noarch.rpm

SRPM:
phpmyadmin-4.9.6-1.mga7.src.rpm
Assignee: mageia => qa-bugs
MGA7-64 Plasma on Lenovo B50
No installation issues.
After starting mysqld and httpd, started phpmyadmin, logged in as known user from previous installations.
Deleted existing test database, created a new one, in this one a new table with a primary index (serial type), unique index on varchar field, other varchar field, field with timestamp.
All works OK.
Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene
Please always add CVEs to the phpmyadmin advisories. Upstream advisories usually have them. CVE-2020-26934 and CVE-2020-26935 in this case:
https://www.phpmyadmin.net/security/PMASA-2020-5/
https://www.phpmyadmin.net/security/PMASA-2020-6/
Summary: phpmyadmin: security fixes => phpmyadmin new security issues CVE-2020-26934 and CVE-2020-26935
@David: at the time I was writing, they did not have CVEs...
Updated phpmyadmin packages fix security vulnerabilities:

A vulnerability was discovered where an attacker can cause an XSS attack through the transformation feature. If an attacker sends a crafted link to the victim with the malicious JavaScript, when the victim clicks on the link, the JavaScript will run and complete the instructions made by the attacker. (CVE-2020-26934)

An SQL injection vulnerability was discovered in how phpMyAdmin processes SQL statements in the search feature. An attacker could use this flaw to inject malicious SQL into a query. (CVE-2020-26935)

References:
https://www.phpmyadmin.net/news/2020/10/10/phpmyadmin-496-and-503-are-released/
https://www.phpmyadmin.net/security/PMASA-2020-5/
https://www.phpmyadmin.net/security/PMASA-2020-6/

========================
Updated packages in core/updates_testing:
========================
phpmyadmin-4.9.6-1.mga7.noarch.rpm

SRPM:
phpmyadmin-4.9.6-1.mga7.src.rpm

Validating and advisory done.
CC: (none) => ouaurelien
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0383.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED