Bug 6905 - phpmyadmin does not work and is missing an update for security issues
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: QA Team
Whiteboard: MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-32...
Keywords: validated_update
Blocks: 6954

Reported: 2012-07-30 14:02 CEST by Jacques Pronchery
Modified: 2012-08-26 23:18 CEST
Source RPM: phpmyadmin-3.5.1-2.mga3

Description Jacques Pronchery 2012-07-30 14:02:28 CEST
After a new installation of Mageia Cauldron, phpmyadmin does not start.
We have the message in Firefox:

Access denied per /etc/httpd/conf/webapps.d/phpmyadmin.conf
Comment 1 David Walser 2012-08-04 20:36:11 CEST
It probably needs to be updated for the new configuration file paths in the new Apache 2.4.x in Cauldron.

It should also be updated to 3.5.2.1, a security update.  I'll let you decide whether to issue an update for the stable releases.  The upstream security advisory hasn't been posted yet, but the release announcement has been:
http://www.phpmyadmin.net/home_page/news.php#phpMyAdmin_3.5.2.1_is_released
http://www.phpmyadmin.net/home_page/security/PMASA-2012-3.php
Comment 3 José Jorge 2012-08-19 16:53:19 CEST
I am back from the beach, I'll provide the update ASAP.
Comment 4 José Jorge 2012-08-22 08:36:34 CEST
I provide here updates for MGA1 and MGA2. Please tell me if I should open 2 new bug reports, I can't find what was decided about that in our policy.

Advisory:
========================

Updated phpmyadmin package fixes bugs and security vulnerabilities:
- [security] Fixed XSS vulnerabilities, see PMASA-2012-4
- bug #3521416 [interface] JS error when editing index
- bug #3521313 [core] Call to undefined function __()
- bug #3521016 [edit] NOW() function incorrectly selected
- bug [GUI] Invalid HTML code on transformation_overview.php
- bug #3522930 [browse] Missing validation in Ajax mode
- bug Fix popup message on build SQL of import
- bug #3523499 [core] Make X-WebKit-CSP work better
- replace Highcharts with jqplot for query profiling, zoom search
- bug #3531584 [interface] No form validation in change password dialog
- bug #3531585 [interface] Broken password validation in copy user form
- bug #3531586 [interface] Add user form prints JSON when user presses enter
- bug #3534121 [config] duplicate line in config.sample.inc.php
- bug #3534311 [interface] Grid editing incorrectly parses ENUM/SET values
- bug #3510196 [core] More clever URL rewriting with ForceSSL
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-3.5.2.2-1.mga2
phpmyadmin-3.5.2.2-1.mga1

from phpmyadmin-3.5.2.2-1.mga[1-2].src.rpm
Comment 5 José Jorge 2012-08-22 08:40:57 CEST
Sorry it is phpmyadmin-3.5.2.2-1.1.mga2 as a subrel was forgotten.
Comment 6 Samuel Verschelde 2012-08-22 09:10:35 CEST
One bug report for both updates is ok.
Comment 7 Samuel Verschelde 2012-08-22 10:05:49 CEST
Testing on Mageia 2 x86_64, normal operations (connect, browse databases, query...): seems ok.
Comment 8 Samuel Verschelde 2012-08-22 23:33:14 CEST
Hmm, newer phpmyadmin uses php-mysqli in default configuration file, but the package requires php-mysql. Isn't there a mismatch?
Comment 9 Gerd Roscher 2012-08-24 13:42:30 CEST
Testing is complete on Mageia 2 i586.
Comment 10 Samuel Verschelde 2012-08-24 13:59:49 CEST
(In reply to comment #8)
> Hmm, newer phpmyadmin uses php-mysqli in default configuration file, but the
> package requires php-mysql. Isn't there a mismatch?

I must have made a mistake somewhere. The requires is there.
Comment 11 Samuel Verschelde 2012-08-24 15:31:15 CEST
For Mageia I'm not mistaken: phpmyadmin complains that it doesn't find the mysqli extension, so the requires are not ok.
Comment 12 Samuel Verschelde 2012-08-24 15:35:13 CEST
(In reply to comment #11)
> For Mageia I'm not mistaken: phpmyadmin complains that it doesn't find the
> mysqli extension, so the requires are not ok.

Mageia 1
Comment 13 claire robinson 2012-08-24 17:25:21 CEST
Adding José in CC list.

The updated mga1 package seems to need a require on php-mysqli in the same way as mga2 did with the newer phpmyadmin in bug 6187.

Could you have another look please, José?
Comment 14 José Jorge 2012-08-25 08:21:05 CEST
You are right. I just submitted phpmyadmin-3.5.2.2-1.1.mga1 with the needed require.
Comment 15 Dave Hodgins 2012-08-26 12:34:13 CEST
Testing complete on Mageia 1 i586 and x86-64.

Since php-mysqli is already in Mageia 1 Core Updates, it will
not require linking.

Could someone from the sysadmin team push the srpm
phpmyadmin-3.5.2.2-1.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
phpmyadmin-3.5.2.2-1.1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated phpmyadmin package fixes bugs and security vulnerabilities:
- [security] Fixed XSS vulnerabilities, see PMASA-2012-4
- bug #3521416 [interface] JS error when editing index
- bug #3521313 [core] Call to undefined function __()
- bug #3521016 [edit] NOW() function incorrectly selected
- bug [GUI] Invalid HTML code on transformation_overview.php
- bug #3522930 [browse] Missing validation in Ajax mode
- bug Fix popup message on build SQL of import
- bug #3523499 [core] Make X-WebKit-CSP work better
- replace Highcharts with jqplot for query profiling, zoom search
- bug #3531584 [interface] No form validation in change password dialog
- bug #3531585 [interface] Broken password validation in copy user form
- bug #3531586 [interface] Add user form prints JSON when user presses enter
- bug #3534121 [config] duplicate line in config.sample.inc.php
- bug #3534311 [interface] Grid editing incorrectly parses ENUM/SET values
- bug #3510196 [core] More clever URL rewriting with ForceSSL
- added missing requires for php-mysqli

https://bugs.mageia.org/show_bug.cgi?id=6905
Comment 17 Thomas Backlund 2012-08-26 23:18:32 CEST

Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0240
