Mandriva has done it again. They updated phpmyadmin to 3.5.0. Now we'll need to freeze push it in Cauldron and update it in 1.
CC: (none) => lists.jjorge
Assigning to maintainer
Assignee: bugsquad => lists.jjorge
Submitted phpmyadmin-3.5.0-1.mga1 to testing. Push to Cauldron asked.
Status: NEW => ASSIGNED
Assignee: lists.jjorge => qa-bugs
Thanks José.

Advisory:
========================

Updated phpmyadmin package fixes security vulnerabilities:

It was possible to conduct XSS using a crafted database name in phpMyAdmin 3.4.x before 3.4.10.2. The victim would have to willingly click on a database name which clearly shows a possible XSS (CVE-2012-1190).

show_config_errors.php in phpMyAdmin 3.4.x before 3.4.10.2, when a configuration file does not exist, allows remote attackers to obtain sensitive information via a direct request, which reveals the installation path in an error message about this missing file (CVE-2012-1902).

This update also allows upgrading from Mandriva 2010.2.

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1190
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1902
http://www.phpmyadmin.net/home_page/security/PMASA-2012-1.php
http://www.phpmyadmin.net/home_page/security/PMASA-2012-2.php
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-3.5.0-1.mga1

from phpmyadmin-3.5.0-1.mga1.src.rpm
Update Validated

Upgraded production phpmyadmin to phpmyadmin-3.5.0-1.mga1. Confirmed no regressions in normal operation with databases.

Could sysadmin please push phpmyadmin-3.5.0-1.mga1.src.rpm from core/updates_testing to core/updates

Advisory:
========================

Updated phpmyadmin package fixes security vulnerabilities:

It was possible to conduct XSS using a crafted database name in phpMyAdmin 3.4.x before 3.4.10.2. The victim would have to willingly click on a database name which clearly shows a possible XSS (CVE-2012-1190).

show_config_errors.php in phpMyAdmin 3.4.x before 3.4.10.2, when a configuration file does not exist, allows remote attackers to obtain sensitive information via a direct request, which reveals the installation path in an error message about this missing file (CVE-2012-1902).

This update also allows upgrading from Mandriva 2010.2.

References:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1190
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1902
http://www.phpmyadmin.net/home_page/security/PMASA-2012-1.php
http://www.phpmyadmin.net/home_page/security/PMASA-2012-2.php
========================
Keywords: (none) => validated_update
CC: (none) => derekjenn, sysadmin-bugs
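A version check of the kind the QA validation above depends on, as an added example that is not part of this bug report or of the phpmyadmin package: it parses the name-version-release string printed by `rpm -q`, compares versions with a simplified rpmvercmp, and reports whether an installed phpmyadmin falls in the affected range given in the advisory (3.4.x before 3.4.10.2). The sample package strings are constructed for illustration; epochs and the tilde pre-release rule of newer rpm are not handled.

```python
import re

# Affected range from the advisory: 3.4.x before 3.4.10.2.
AFFECTED_FROM = "3.4"
FIXED_UPSTREAM_VERSION = "3.4.10.2"
# Package the update ships, as named in the bug report.
UPDATE_NEVR = "phpmyadmin-3.5.0-1.mga1"

_SEG = re.compile(r"(\d+|[a-zA-Z]+)")


def rpm_vercmp(a, b):
    """Compare two version strings the way rpm does (simplified):
    split into numeric and alphabetic runs, separators dropped;
    numeric segments compare as integers, alphabetic ones lexically,
    a numeric segment beats an alphabetic one, and when one version
    is a prefix of the other the longer one is newer.
    Returns -1, 0 or 1."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xn, yn = x.isdigit(), y.isdigit()
        if xn and yn:
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif xn != yn:
            return 1 if xn else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0


def parse_nevr(nevr):
    """Split 'name-version-release' as printed by `rpm -q`.
    The name may contain dashes; version and release may not."""
    m = re.fullmatch(r"(.+)-([^-]+)-([^-]+)", nevr)
    if not m:
        raise ValueError("not a name-version-release string: " + nevr)
    return m.group(1), m.group(2), m.group(3)


def is_affected(nevr):
    """True when nevr names a phpmyadmin in the advisory's affected range."""
    name, version, _release = parse_nevr(nevr)
    if name != "phpmyadmin":
        raise ValueError("not a phpmyadmin package: " + nevr)
    return (rpm_vercmp(version, AFFECTED_FROM) >= 0
            and rpm_vercmp(version, FIXED_UPSTREAM_VERSION) < 0)
```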
Testing complete on i586 for the srpm phpmyadmin-3.5.0-1.mga1.src.rpm. Just browsing through https://localhost/phpmyadmin, created a table, and dropped it.
CC: (none) => davidwhodgins
Derek, which arch did you test on? Most updates shouldn't be validated until they have been tested on both architectures.
I was using x86_64 but phpmyadmin is .noarch so it should not matter.
Update pushed
Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
(In reply to comment #7)
> I was using x86_64 but phpmyadmin is .noarch so it should not matter.

Sorry, you're right. My mistake.