Bug 27379 - phpmyadmin new security issues CVE-2020-26934 and CVE-2020-26935
Summary: phpmyadmin new security issues CVE-2020-26934 and CVE-2020-26935
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-10-10 13:39 CEST by Marc Krämer
Modified: 2020-10-16 17:46 CEST

See Also:
Source RPM: phpmyadmin
CVE:
Status comment:


Attachments

Description Marc Krämer 2020-10-10 13:39:12 CEST
The new version release fixes 2 security issues:
PMASA-2020-5 XSS vulnerability with transformation feature
PMASA-2020-6 SQL injection vulnerability with the search feature

https://www.phpmyadmin.net/news/2020/10/10/phpmyadmin-496-and-503-are-released/
Comment 1 Marc Krämer 2020-10-10 13:43:08 CEST
Updated phpmyadmin packages fix security vulnerabilities:

- PMASA-2020-5 XSS vulnerability with transformation feature
- PMASA-2020-6 SQL injection vulnerability with the search feature

References:
https://www.phpmyadmin.net/news/2020/10/10/phpmyadmin-496-and-503-are-released/
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-4.9.6-1.mga7.noarch.rpm

SRPM:
phpmyadmin-4.9.6-1.mga7.src.rpm

Assignee: mageia => qa-bugs

Comment 2 Herman Viaene 2020-10-11 16:55:50 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues
After starting mysqld and httpd, started phpmyadmin, logged in as a known user from previous installations. Deleted the existing test database, created a new one, and in this one a new table with a primary index (serial type), a unique index on a varchar field, another varchar field, and a field with a timestamp.
All works OK.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => herman.viaene

Comment 3 David Walser 2020-10-13 21:51:44 CEST
Please always add CVEs to the phpmyadmin advisories. Upstream advisories usually have them. CVE-2020-26934 and CVE-2020-26935 in this case:
https://www.phpmyadmin.net/security/PMASA-2020-5/
https://www.phpmyadmin.net/security/PMASA-2020-6/

Summary: phpmyadmin: security fixes => phpmyadmin new security issues CVE-2020-26934 and CVE-2020-26935

Comment 4 Marc Krämer 2020-10-14 10:38:55 CEST
@David: at the time I was writing, they did not have CVEs...
Comment 5 Aurelien Oudelet 2020-10-15 16:02:38 CEST
Updated phpmyadmin packages fix security vulnerabilities:

A vulnerability was discovered where an attacker can cause an XSS attack through the transformation feature. If an attacker sends a crafted link to the victim with the malicious JavaScript, when the victim clicks on the link, the JavaScript will run and complete the instructions made by the attacker. (CVE-2020-26934)

An SQL injection vulnerability was discovered in how phpMyAdmin processes SQL statements in the search feature. An attacker could use this flaw to inject malicious SQL into a query. (CVE-2020-26935)

References:
https://www.phpmyadmin.net/news/2020/10/10/phpmyadmin-496-and-503-are-released/
https://www.phpmyadmin.net/security/PMASA-2020-5/
https://www.phpmyadmin.net/security/PMASA-2020-6/

========================

Updated packages in core/updates_testing:
========================
phpmyadmin-4.9.6-1.mga7.noarch.rpm

SRPM:
phpmyadmin-4.9.6-1.mga7.src.rpm


Validating and advisory done.

CC: (none) => ouaurelien
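
The two defect classes the advisory above names, a search term spliced into SQL text and a search term reflected into HTML, shown in an added Python example next to their hardened forms. This is illustrative code added to this page, not phpMyAdmin's own code: the `people` table, its rows, the search inputs and the `search_*` / `render_result_*` functions are all constructed for the demonstration, and an in-memory SQLite database stands in for MySQL.

```python
"""Added example (not phpMyAdmin's code): string-built SQL and unescaped HTML
output on a toy search endpoint, each beside its hardened form.  The table,
its rows and every input below are constructed for the demonstration."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for a user's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO people (name) VALUES (?)",
                     [("Alice",), ("O'Brien",), ("Bob",)])
    conn.commit()
    return conn


def search_unsafe(conn: sqlite3.Connection, term: str):
    """Search term concatenated into the statement: the database parses it as
    SQL text.  Even a legitimate apostrophe ends the string literal early and
    the statement is malformed; returns None in that case so the failure is
    visible to the caller instead of raising."""
    sql = f"SELECT name FROM people WHERE name LIKE '%{term}%'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError:
        return None  # the term changed the structure of the statement


def search_safe(conn: sqlite3.Connection, term: str):
    """Parameterized form: the term is bound as data and never parsed as SQL.
    LIKE wildcards typed by the user are escaped so they match literally."""
    escaped = (term.replace("\\", "\\\\")
                   .replace("%", "\\%")
                   .replace("_", "\\_"))
    rows = conn.execute(
        "SELECT name FROM people WHERE name LIKE ? ESCAPE '\\'",
        ("%" + escaped + "%",))
    return [row[0] for row in rows]


def render_result_unsafe(term: str, names: list) -> str:
    """Reflects the term and the rows into HTML as-is: any markup in them
    becomes markup in the page (the reflected-XSS pattern behind a crafted
    link)."""
    items = "".join(f"<li>{n}</li>" for n in names)
    return f"<p>Results for {term}</p><ul>{items}</ul>"


def render_result_safe(term: str, names: list) -> str:
    """Encodes every untrusted value for the HTML text context before it is
    interpolated, so it is displayed rather than interpreted."""
    items = "".join(f"<li>{html.escape(n)}</li>" for n in names)
    return f"<p>Results for {html.escape(term)}</p><ul>{items}</ul>"


if __name__ == "__main__":
    db = make_db()
    # A real name with an apostrophe is enough to break the string-built query.
    print("unsafe:", search_unsafe(db, "O'Brien"))
    print("safe:  ", search_safe(db, "O'Brien"))
    # Markup in the search term is neutralized only by the encoding renderer.
    print(render_result_unsafe("<b>x</b>", search_safe(db, "x")))
    print(render_result_safe("<b>x</b>", search_safe(db, "x")))
```

The two points worth taking from it: the fix for the search case is binding the term as a parameter (the wildcard escaping is a usability detail, not the security boundary), and the fix for the transformation case is encoding at the point of output for the context the value lands in, not filtering the input.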

Aurelien Oudelet 2020-10-15 16:02:50 CEST

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2020-10-16 17:46:25 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0383.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

