Bug 29931 - phpmyadmin: update to latest version 5.1.2
Summary: phpmyadmin: update to latest version 5.1.2
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-01-23 12:40 CET by Marc Krämer
Modified: 2023-02-15 18:11 CET

See Also:
Source RPM: phpmyadmin
CVE: CVE-2022-23807,CVE-2022-23808.
Status comment:


Description Marc Krämer 2022-01-23 12:40:38 CET
Some security issues have been identified and corrected.

https://www.phpmyadmin.net/news/2022/1/22/phpmyadmin-498-512-and-520-rc1-are-released/
Comment 1 Marc Krämer 2022-01-23 12:43:51 CET
Updated phpmyadmin package fixes security vulnerabilities:

A flaw was identified in how phpMyAdmin processes two factor authentication; a user could potentially manipulate their account to bypass two factor authentication in subsequent authentication sessions (PMASA-2022-1).

A series of weaknesses was identified allowing a malicious user to submit malicious information to present an XSS or HTML injection attack in the graphical setup page (PMASA-2022-2).

In some scenarios, potentially sensitive information such as the database name can be part of the URL. This can now be optionally encrypted.

During a failed log on attempt, the error message reveals the target database server's hostname or IP address. This can reveal some information about the network infrastructure to an attacker.

Fixed some situations where a user is logged out when working with more than one server

Fixed a problem with assigning privileges to a user using the multiselect list when the database name has an underscore

Enable cookie parameter "SameSite" when the PHP version is 7.3 or newer.

References:
https://www.phpmyadmin.net/news/2022/1/22/phpmyadmin-498-512-and-520-rc1-are-released/
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-5.1.2-1.mga8.noarch.rpm

SRPM:
phpmyadmin-5.1.2-1.mga8.src.rpm
Marc Krämer 2022-01-23 12:43:59 CET

Assignee: mageia => qa-bugs

Comment 2 David Walser 2022-01-23 13:17:35 CET
You should use the CVE identifiers for the security issues.  Additional references:
https://www.phpmyadmin.net/security/PMASA-2022-1/
https://www.phpmyadmin.net/security/PMASA-2022-2/
Comment 3 Herman Viaene 2022-01-24 15:51:14 CET
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues
Using php 8.0.4, worked OK
Deleted previous test database, inserted new table with 4 columns, a PK and one unique key and a timestamp. Filled in a few values, all OK.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA8-64-OK

Comment 4 Thomas Andrews 2022-01-24 21:05:10 CET
Validating. Advisory in Comment 1.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-01-24 23:34:29 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 5 Mageia Robot 2022-01-25 13:14:40 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0036.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 6 David Walser 2023-02-15 17:55:42 CET
(In reply to David Walser from comment #2)
> You should use the CVE identifiers for the security issues.  Additional
> references:
> https://www.phpmyadmin.net/security/PMASA-2022-1/
> https://www.phpmyadmin.net/security/PMASA-2022-2/

These now have CVE-2022-23807 and CVE-2022-23808.
Comment 7 Marc Krämer 2023-02-15 17:58:34 CET
At the time it was written, no CVE was assigned.
Marc Krämer 2023-02-15 17:59:05 CET

CVE: (none) => CVE-2022-23807,CVE-2022-23808.

Comment 8 David Walser 2023-02-15 18:11:15 CET
Yes, that's why I updated the bug now.
