The respective versions are:
3.3.10-2.mga1
3.4.8-0.1mdv2010.2
This should be updated so that upgrading from MDV 2010.2 works as expected. I filed this under security because it's phpmyadmin, so there are probably several security fixes in the newer version, and this is a notoriously insecure piece of software.
So after a quick check we have (at least) 4 security issues:
http://www.phpmyadmin.net/home_page/security/PMASA-2011-9.php CVE-2011-2642
http://www.phpmyadmin.net/home_page/security/PMASA-2011-12.php CVE-2011-2719
http://www.phpmyadmin.net/home_page/security/PMASA-2011-13.php CVE-2011-3181
http://www.phpmyadmin.net/home_page/security/PMASA-2011-17.php CVE-2011-4107
Assignee: bugsquad => lists.jjorge
Summary: phpmyadmin is newer in MDV 2010.2 (contrib) updates than Mageia 1 => missing security updates: phpmyadmin (CVE-2011-2642 CVE-2011-2719 CVE-2011-3181 CVE-2011-4107 )
Upstream version 3.3.10.5 pushed to updates testing, fixing all these security issues. Thanks for the bug report, and please test.
Status: NEW => ASSIGNED
As for 3.4.8-0.1mdv2010.2, it is Mandriva policy to push new versions as updates, I think we should not follow it as long as 3.3.10 version is maintained upstream.
It is Mageia policy that upgrading from MDV 2010.2 is supported, so if there is a package with a newer version there, it has to be upgraded in Mageia 1. If there's a *really* good reason to not upgrade it, it should be mentioned in the Release Notes.
MDV version is now 3.4.9-0.1mdv2010.2 We really need to keep this in line with MDV, because we expect many users to be upgrading to Mageia 1 from MDV 2010.2. If our phpmyadmin package is older, it will not be installed and the MDV package will remain on a user's system. Then, they will not receive any security updates from us because ours is an older version, and they will not receive any security updates from MDV because they are no longer connected to MDV's repositories. This would really not be good. For future Mageia releases, if you want to stick with older branches that are still maintained, that sounds like a good idea.
OK, it was just submitted.
Assignee: lists.jjorge => qa-bugs
Jose, could you please supply an update advisory with all the CVEs you've patched and anything else you've done. Please see https://wiki.mageia.org/en/Updates_policy#Maintainer_.28or_any_interested_packager.29 Thank you :)
No POC's I could find. CVE-2011-4017 does have one but it requires metasploit to use http://www.securityfocus.com/bid/50497/exploit
Pinging José for an advisory please. Thanks :)
There are a significant number of CVEs that are relevant here. The last three Mandriva security advisories from MES5 are relevant to our update:
http://www.mandriva.com/en/support/security/advisories/?dis=mes5&name=MDVSA-2011:124
http://www.mandriva.com/en/support/security/advisories/?dis=mes5&name=MDVSA-2011:158
http://www.mandriva.com/en/support/security/advisories/?name=MDVSA-2011:198
Using those as a reference, I believe the following advisory contains all of the CVEs our mga1 version is affected by.

Advisory:
========================
Updated phpmyadmin package fixes security vulnerabilities:

libraries/auth/swekey/swekey.auth.lib.php in the Swekey authentication feature in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 assigns values to arbitrary parameters referenced in the query string, which allows remote attackers to modify the SESSION superglobal array via a crafted request, related to a remote variable manipulation vulnerability. (CVE-2011-2505).

setup/lib/ConfigGenerator.class.php in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 does not properly restrict the presence of comment closing delimiters, which allows remote attackers to conduct static code injection attacks by leveraging the ability to modify the SESSION superglobal array (CVE-2011-2506).

libraries/server_synchronize.lib.php in the Synchronize implementation in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 does not properly quote regular expressions, which allows remote authenticated users to inject a PCRE e (aka PREG_REPLACE_EVAL) modifier, and consequently execute arbitrary PHP code, by leveraging the ability to modify the SESSION superglobal array (CVE-2011-2507).

Directory traversal vulnerability in libraries/display_tbl.lib.php in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1, when a certain MIME transformation feature is enabled, allows remote authenticated users to include and execute arbitrary local files via a .. (dot dot) in a GLOBALS[mime_map][->name][transformation] parameter (CVE-2011-2508).

Multiple cross-site scripting (XSS) vulnerabilities in the table Print view implementation in tbl_printview.php in phpMyAdmin before 3.3.10.3 and 3.4.x before 3.4.3.2 allow remote authenticated users to inject arbitrary web script or HTML via a crafted table name (CVE-2011-2642).

Directory traversal vulnerability in sql.php in phpMyAdmin 3.4.x before 3.4.3.2, when configuration storage is enabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in a MIME-type transformation parameter (CVE-2011-2643).

Multiple directory traversal vulnerabilities in the relational schema implementation in phpMyAdmin 3.4.x before 3.4.3.2 allow remote authenticated users to include and execute arbitrary local files via directory traversal sequences in an export type field, related to (1) libraries/schema/User_Schema.class.php and (2) schema_export.php (CVE-2011-2718).

libraries/auth/swekey/swekey.auth.lib.php in phpMyAdmin 3.x before 3.3.10.3 and 3.4.x before 3.4.3.2 does not properly manage sessions associated with Swekey authentication, which allows remote attackers to modify the SESSION superglobal array, other superglobal arrays, and certain swekey.auth.lib.php local variables via a crafted query string, a related issue to CVE-2011-2505 (CVE-2011-2719).

Missing sanitization on the table, column and index names leads to XSS vulnerabilities. Firstly, if a row contains javascript code, after inline editing this row and saving, the code is executed. Secondly, missing sanitization on the db, table and column names leads to XSS vulnerabilities (CVE-2011-3181).

Importing a specially-crafted XML file which contains an XML entity injection permits to retrieve a local file (limited by the privileges of the user running the web server) (CVE-2011-4107).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2505
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2506
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2507
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2508
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2642
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2643
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2718
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2719
http://www.mandriva.com/en/support/security/advisories/?dis=mes5&name=MDVSA-2011:124
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3181
http://www.phpmyadmin.net/home_page/security/PMASA-2011-13.php
http://www.mandriva.com/en/support/security/advisories/?dis=mes5&name=MDVSA-2011:158
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4107
http://www.phpmyadmin.net/home_page/security/PMASA-2011-17.php
http://www.mandriva.com/en/support/security/advisories/?name=MDVSA-2011:198
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-3.4.9-1.mga1
from phpmyadmin-3.4.9-1.mga1.src.rpm
Testing complete on i586.
CC: (none) => davidwhodgins
The updated config.php blanks the blowfish secret but with MageiaUpdate it does allow you to compare the updated version to the old one before hand and use either. I notice on fresh installation (and possibly urpmi updating too) a %post script takes care of generating a random key, could this be made more intelligent - if it exists, keep it?
Thinking about it, that is probably just a limitation of MageiaUpdate.
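The "if it exists, keep it" behaviour asked about above, as an added example; it is not the Mageia package's actual %post scriptlet. The function names and the config path argument are hypothetical, and the setting is assumed to be a single-quoted `$cfg['blowfish_secret']` line.

```sh
#!/bin/sh
# Added example: idempotent key generation for a %post-style scriptlet.
# Not the Mageia package's own scriptlet; the config path is passed in.

# BRE matching the setting line and capturing the quoted value.
PMA_KEY_RE="^[[:space:]]*\\\$cfg\['blowfish_secret'][[:space:]]*=[[:space:]]*'\([^']*\)'.*"

# Print the current secret (empty output if unset or blank).
read_blowfish_secret() {
    sed -n "s/$PMA_KEY_RE/\1/p" "$1" | head -n 1
}

# Return 0 = new key written, 1 = existing key kept, 2 = nothing to edit.
ensure_blowfish_secret() {
    conf=$1
    [ -r "$conf" ] && [ -w "$conf" ] || return 2
    grep -q "$PMA_KEY_RE" "$conf" || return 2

    # An admin-set or previously generated key survives the upgrade.
    [ -z "$(read_blowfish_secret "$conf")" ] || return 1

    # 32 random bytes as 64 hex characters: safe inside single quotes.
    secret=$(od -An -N32 -tx1 /dev/urandom | tr -d ' \n')
    [ "${#secret}" -eq 64 ] || return 2

    # Edit through a private temp file, then write back in place so the
    # config keeps its original owner and mode.
    tmp=$(mktemp) || return 2
    sed "s/$PMA_KEY_RE/\$cfg['blowfish_secret'] = '$secret';/" "$conf" > "$tmp" \
        && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || return 2
    return 0
}
```

Run on every install or upgrade, this generates a key only when the value is blank, so existing cookie-auth sessions are not invalidated by a package update.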
As this is a version upgrade just testing functionality rather than patches. Tested OK x86_64

Advisory: (Thank you David!)
========================
Updated phpmyadmin package fixes security vulnerabilities and enables upgrade from Mandriva 2010:

libraries/auth/swekey/swekey.auth.lib.php in the Swekey authentication feature in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 assigns values to arbitrary parameters referenced in the query string, which allows remote attackers to modify the SESSION superglobal array via a crafted request, related to a remote variable manipulation vulnerability. (CVE-2011-2505).

setup/lib/ConfigGenerator.class.php in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 does not properly restrict the presence of comment closing delimiters, which allows remote attackers to conduct static code injection attacks by leveraging the ability to modify the SESSION superglobal array (CVE-2011-2506).

libraries/server_synchronize.lib.php in the Synchronize implementation in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1 does not properly quote regular expressions, which allows remote authenticated users to inject a PCRE e (aka PREG_REPLACE_EVAL) modifier, and consequently execute arbitrary PHP code, by leveraging the ability to modify the SESSION superglobal array (CVE-2011-2507).

Directory traversal vulnerability in libraries/display_tbl.lib.php in phpMyAdmin 3.x before 3.3.10.2 and 3.4.x before 3.4.3.1, when a certain MIME transformation feature is enabled, allows remote authenticated users to include and execute arbitrary local files via a .. (dot dot) in a GLOBALS[mime_map][->name][transformation] parameter (CVE-2011-2508).

Multiple cross-site scripting (XSS) vulnerabilities in the table Print view implementation in tbl_printview.php in phpMyAdmin before 3.3.10.3 and 3.4.x before 3.4.3.2 allow remote authenticated users to inject arbitrary web script or HTML via a crafted table name (CVE-2011-2642).

Directory traversal vulnerability in sql.php in phpMyAdmin 3.4.x before 3.4.3.2, when configuration storage is enabled, allows remote attackers to include and execute arbitrary local files via directory traversal sequences in a MIME-type transformation parameter (CVE-2011-2643).

Multiple directory traversal vulnerabilities in the relational schema implementation in phpMyAdmin 3.4.x before 3.4.3.2 allow remote authenticated users to include and execute arbitrary local files via directory traversal sequences in an export type field, related to (1) libraries/schema/User_Schema.class.php and (2) schema_export.php (CVE-2011-2718).

libraries/auth/swekey/swekey.auth.lib.php in phpMyAdmin 3.x before 3.3.10.3 and 3.4.x before 3.4.3.2 does not properly manage sessions associated with Swekey authentication, which allows remote attackers to modify the SESSION superglobal array, other superglobal arrays, and certain swekey.auth.lib.php local variables via a crafted query string, a related issue to CVE-2011-2505 (CVE-2011-2719).

Missing sanitization on the table, column and index names leads to XSS vulnerabilities. Firstly, if a row contains javascript code, after inline editing this row and saving, the code is executed. Secondly, missing sanitization on the db, table and column names leads to XSS vulnerabilities (CVE-2011-3181).

Importing a specially-crafted XML file which contains an XML entity injection permits to retrieve a local file (limited by the privileges of the user running the web server) (CVE-2011-4107).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2505
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2506
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2507
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2508
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2642
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2643
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2718
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2719
http://www.mandriva.com/en/support/security/advisories/?dis=mes5&name=MDVSA-2011:124
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3181
http://www.phpmyadmin.net/home_page/security/PMASA-2011-13.php
http://www.mandriva.com/en/support/security/advisories/?dis=mes5&name=MDVSA-2011:158
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4107
http://www.phpmyadmin.net/home_page/security/PMASA-2011-17.php
http://www.mandriva.com/en/support/security/advisories/?name=MDVSA-2011:198
========================

SRPM: phpmyadmin-3.4.9-1.mga1.src.rpm

Could sysadmin please push from core/updates_testing to core/updates

Thank you!
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Hardware: i586 => All
update pushed
Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED