Bug 6905 - phpmyadmin does not work and is missing an update for security issues
Summary: phpmyadmin does not work and is missing an update for security issues
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard: MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-32...
Keywords: validated_update
Depends on:
Blocks: 6954
 
Reported: 2012-07-30 14:02 CEST by Jacques Pronchery
Modified: 2012-08-26 23:18 CEST

See Also:
Source RPM: phpmyadmin-3.5.1-2.mga3
CVE:
Status comment:


Attachments

Description Jacques Pronchery 2012-07-30 14:02:28 CEST
After a new installation of Mageia Cauldron, phpmyadmin does not start.
We have the message in Firefox:

Access denied per /etc/httpd/conf/webapps.d/phpmyadmin.conf

Comment 1 David Walser 2012-08-04 20:36:11 CEST
It probably needs to be updated for the new configuration file paths in the new Apache 2.4.x in Cauldron.

It should also be updated to 3.5.2.1, a security update.  I'll let you decide whether to issue an update for the stable releases.  The upstream security advisory hasn't been posted yet, but the release announcement has been:
http://www.phpmyadmin.net/home_page/news.php#phpMyAdmin_3.5.2.1_is_released
http://www.phpmyadmin.net/home_page/security/PMASA-2012-3.php

CC: (none) => luigiwalser
Assignee: bugsquad => lists.jjorge

Manuel Hiebel 2012-08-05 01:15:35 CEST

Blocks: (none) => 6954

Comment 2 David Walser 2012-08-13 03:06:55 CEST
Now another security release has been issued, 3.5.2.2.

http://www.phpmyadmin.net/home_page/news.php#phpMyAdmin_3.4.11.1_and_3.5.2.2_are_released
http://www.phpmyadmin.net/home_page/security/PMASA-2012-4.php

Component: RPM Packages => Security
Summary: phpmyadmin does not work => phpmyadmin does not work and is missing an update for security issues
Whiteboard: (none) => MGA2TOO, MGA1TOO

Comment 3 José Jorge 2012-08-19 16:53:19 CEST
I am back from the beach, I'll provide update ASAP.

Status: NEW => ASSIGNED

Comment 4 José Jorge 2012-08-22 08:36:34 CEST
I provide here updates for MGA1 and MGA2. Please tell me if I should open 2 new bug reports, I can't find what was decided about that in our policy.

Advisory:
========================

Updated phpmyadmin package fixes bugs and security vulnerabilities:
- [security] Fixed XSS vulnerabilities, see PMASA-2012-4
- bug #3521416 [interface] JS error when editing index
- bug #3521313 [core] Call to undefined function __()
- bug #3521016 [edit] NOW() function incorrectly selected
- bug [GUI] Invalid HTML code on transformation_overview.php
- bug #3522930 [browse] Missing validation in Ajax mode
- bug Fix popup message on build SQL of import
- bug #3523499 [core] Make X-WebKit-CSP work better
- replace Highcharts with jqplot for query profiling, zoom search
- bug #3531584 [interface] No form validation in change password dialog
- bug #3531585 [interface] Broken password validation in copy user form
- bug #3531586 [interface] Add user form prints JSON when user presses enter
- bug #3534121 [config] duplicate line in config.sample.inc.php
- bug #3534311 [interface] Grid editing incorrectly parses ENUM/SET values
- bug #3510196 [core] More clever URL rewriting with ForceSSL
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-3.5.2.2-1.mga2
phpmyadmin-3.5.2.2-1.mga1

from phpmyadmin-3.5.2.2-1.mga[1-2].src.rpm

Comment 5 José Jorge 2012-08-22 08:40:57 CEST
Sorry it is phpmyadmin-3.5.2.2-1.1.mga2 as a subrel was forgotten.

Assignee: lists.jjorge => qa-bugs

Comment 6 Samuel Verschelde 2012-08-22 09:10:35 CEST
One bug report for both updates is ok.

CC: (none) => stormi
Version: Cauldron => 2
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO

Comment 7 Samuel Verschelde 2012-08-22 10:05:49 CEST
Testing on Mageia 2 x86_64, normal operations (connect, browse databases, query...): seems ok.

Whiteboard: MGA1TOO => MGA1TOO MGA2-64-OK

Comment 8 Samuel Verschelde 2012-08-22 23:33:14 CEST
Hmm, newer phpmyadmin uses php-mysqli in default configuration file, but the package requires php-mysql. Isn't there a mismatch?

Whiteboard: MGA1TOO MGA2-64-OK => MGA1TOO feedback MGA2-64-OK?

Comment 9 Gerd Roscher 2012-08-24 13:42:30 CEST
Testing is complete on Mageia 2 i586.

CC: (none) => gerdroscher
Whiteboard: MGA1TOO feedback MGA2-64-OK? => MGA1TOO feedback MGA2-64-OK? MGA2-32-OK

Comment 10 Samuel Verschelde 2012-08-24 13:59:49 CEST
(In reply to comment #8)
> Hmm, newer phpmyadmin uses php-mysqli in default configuration file, but the
> package requires php-mysql. Isn't there a mismatch?

I must have made a mistake somewhere. The requires is there.

Whiteboard: MGA1TOO feedback MGA2-64-OK? MGA2-32-OK => MGA1TOO MGA2-64-OK MGA2-32-OK

Comment 11 Samuel Verschelde 2012-08-24 15:31:15 CEST
For Mageia I'm not mistaken: phpmyadmin complains that it doesn't find the mysqli extension, so the requires are not ok.

Whiteboard: MGA1TOO MGA2-64-OK MGA2-32-OK => MGA1TOO MGA2-64-OK MGA2-32-OK feedback

Comment 12 Samuel Verschelde 2012-08-24 15:35:13 CEST
(In reply to comment #11)
> For Mageia I'm not mistaken: phpmyadmin complains that it doesn't find the
> mysqli extension, so the requires are not ok.

Mageia 1

Comment 13 claire robinson 2012-08-24 17:25:21 CEST
Adding José in CC list.

The updated mga1 package seems to need a require on php-mysqli in the same way as mga2 did with the newer phpmyadmin in bug 6187.

Could you have another look please José.

CC: (none) => lists.jjorge

Comment 14 José Jorge 2012-08-25 08:21:05 CEST
You are right. I just submitted phpmyadmin-3.5.2.2-1.1.mga1 with the needed require.

Samuel Verschelde 2012-08-25 08:49:26 CEST

Whiteboard: MGA1TOO MGA2-64-OK MGA2-32-OK feedback => MGA1TOO MGA2-64-OK MGA2-32-OK
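
The dependency mismatch raised in comments 8 to 13, written as a repeatable check. This is an added example, not part of the bug thread or of the Mageia package. The function names, file names and sample requires lists are constructed for illustration; on a real system the requires file would hold the saved output of `rpm -q --requires phpmyadmin`.

```shell
#!/bin/sh
# Added example: compare the MySQL extension a phpMyAdmin config selects
# with the capabilities the package declares as requires.

# Print the extension set by the last uncommented
# $cfg['Servers'][$i]['extension'] line in config file $1.
pma_config_extension() {
    awk -F"'" '$1 ~ /^[ \t]*\$cfg\[$/ && $2 == "Servers" && $4 == "extension" { ext = $6 }
               END { print ext }' "$1"
}

# Succeed if the requires list on stdin names php-<ext> exactly.
# Exact match matters: a substring search for "php-mysql" also hits "php-mysqli".
requires_has_ext() {
    awk -v want="php-$1" '$1 == want { found = 1 } END { exit !found }'
}

# $1: config file, $2: saved output of `rpm -q --requires phpmyadmin`
check_pma_requires() {
    ext=$(pma_config_extension "$1")
    if [ -z "$ext" ]; then
        echo "no extension setting found in $1"; return 2
    fi
    if requires_has_ext "$ext" < "$2"; then
        echo "OK: config selects $ext, package requires php-$ext"
    else
        echo "MISMATCH: config selects $ext, package does not require php-$ext"
        return 1
    fi
}

# Constructed sample inputs (not taken from the real packages).
demo_dir=$(mktemp -d)
cat > "$demo_dir/config.inc.php" <<'EOF'
<?php
// $cfg['Servers'][$i]['extension'] = 'mysql';
$cfg['Servers'][$i]['extension'] = 'mysqli';
EOF
printf '%s\n' apache-mod_php php-mysql php-mbstring > "$demo_dir/requires_before.txt"
printf '%s\n' apache-mod_php php-mysql php-mysqli php-mbstring > "$demo_dir/requires_after.txt"

check_pma_requires "$demo_dir/config.inc.php" "$demo_dir/requires_before.txt"
check_pma_requires "$demo_dir/config.inc.php" "$demo_dir/requires_after.txt"
```
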

Comment 15 Dave Hodgins 2012-08-26 12:34:13 CEST
Testing complete on Mageia 1 i586 and x86-64.

Since php-mysqli is already in Mageia 1 Core Updates, it will
not require linking.

Could someone from the sysadmin team push the srpm
phpmyadmin-3.5.2.2-1.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
phpmyadmin-3.5.2.2-1.1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated phpmyadmin package fixes bugs and security vulnerabilities:
- [security] Fixed XSS vulnerabilities, see PMASA-2012-4
- bug #3521416 [interface] JS error when editing index
- bug #3521313 [core] Call to undefined function __()
- bug #3521016 [edit] NOW() function incorrectly selected
- bug [GUI] Invalid HTML code on transformation_overview.php
- bug #3522930 [browse] Missing validation in Ajax mode
- bug Fix popup message on build SQL of import
- bug #3523499 [core] Make X-WebKit-CSP work better
- replace Highcharts with jqplot for query profiling, zoom search
- bug #3531584 [interface] No form validation in change password dialog
- bug #3531585 [interface] Broken password validation in copy user form
- bug #3531586 [interface] Add user form prints JSON when user presses enter
- bug #3534121 [config] duplicate line in config.sample.inc.php
- bug #3534311 [interface] Grid editing incorrectly parses ENUM/SET values
- bug #3510196 [core] More clever URL rewriting with ForceSSL
- added missing requires for php-mysqli

https://bugs.mageia.org/show_bug.cgi?id=6905

Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: MGA1TOO MGA2-64-OK MGA2-32-OK => MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-32-OK MGA1-64-OK

Comment 17 Thomas Backlund 2012-08-26 23:18:32 CEST

Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0240

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

