phpmyadmin 3.5.3 was announced today (October 8): http://www.phpmyadmin.net/home_page/news.php

It references two upcoming security advisories, which will be here:
http://www.phpmyadmin.net/home_page/security/PMASA-2012-6.php
http://www.phpmyadmin.net/home_page/security/PMASA-2012-7.php
CC: (none) => lists.jjorge
Assignee: bugsquad => lists.jjorge
Whiteboard: (none) => MGA2TOO, MGA1TOO
Updated in cauldron, now for 1 and 2:

Advisory:
========================
Updated phpmyadmin package fixes bugs and security vulnerabilities
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-3.5.3-1.mga2
phpmyadmin-3.5.3-1.1.mga1

from phpmyadmin-3.5.3-1.mga[1-2].src.rpm
Status: NEW => ASSIGNED
Assignee: lists.jjorge => qa-bugs
José, thanks. The subrel in the Mageia 1 package causes it to be newer than the Mageia 2 and Cauldron packages, which is a problem. You could ask the sysadmins to delete it from Mageia 1 updates_testing, remove the subrel, and resubmit it to the build system, or you could add the subrel in the Mageia 2 package and bump the release in the Cauldron package.
Version: Cauldron => 2
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO
(In reply to comment #2)
> you could add the subrel in the Mageia 2 package and bump the release in the Cauldron package.

I took this second path, so now it is phpmyadmin-3.5.3-1.1.mga2
Testing complete. No PoC, so just checked creating a db, running sql, depcheck, etc.

Could someone from the sysadmin team push the srpm phpmyadmin-3.5.3-1.mga2 from Mageia 2 Core Updates Testing to Core Updates, and the srpm phpmyadmin-3.5.3-1.1.mga from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated phpmyadmin package fixes bugs and security vulnerabilities

PMASA-2012-6 - Multiple XSS vulnerabilities
PMASA-2012-7 - Fetching the version information from a non-SSL site is vulnerable to a MITM attack.

http://www.phpmyadmin.net/home_page/security/PMASA-2012-6.php
http://www.phpmyadmin.net/home_page/security/PMASA-2012-7.php
https://bugs.mageia.org/show_bug.cgi?id=7744
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: MGA1TOO => MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-64-OK MGA1-32-OK
Not pushing.... Upgrade path from mga1 to mga2 is broken:

$ rpmdev-vercmp 3.5.3-1.1.mga1 3.5.3-1.mga2
3.5.3-1.1.mga1 > 3.5.3-1.mga2

I pushed a 3.5.3-2 to 2/updates_testing
Keywords: validated_update => (none)
CC: (none) => tmb
Good catch, Thomas. Testing complete on Mageia 2 i586 and x86-64.

Could someone from the sysadmin team push the srpm phpmyadmin-3.5.3-2.1.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates, and the srpm phpmyadmin-3.5.3-1.1.mga1.src.rpm from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated phpmyadmin package fixes bugs and security vulnerabilities

PMASA-2012-6 - Multiple XSS vulnerabilities
PMASA-2012-7 - Fetching the version information from a non-SSL site is vulnerable to a MITM attack.

http://www.phpmyadmin.net/home_page/security/PMASA-2012-6.php
http://www.phpmyadmin.net/home_page/security/PMASA-2012-7.php
https://bugs.mageia.org/show_bug.cgi?id=7744
Keywords: (none) => validated_update
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0298
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED
What happened here? José made 1.1.mga2 (see Comment 3) to fix the upgrade path problem, so that shouldn't have been an issue. If Thomas changed the release tag to 2 and didn't remove the subrel and it's now 2.1.mga2, then it has now broken the upgrade path to Cauldron (2.mga3).
Ah, I missed comment 3 that states the 1.1.mga2 now, so it would have been ok then... I only read comment 4... anyway ... cauldron upgrade path is ok, I pushed a -3 to cauldron at the same time I pushed -2 to updates_testing...
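The upgrade-path problem debated in this thread comes down to how rpm orders release tags: a subrel such as 1.1.mga1 compares newer than 1.mga2 because the numeric segment "1" beats the alphabetic segment "mga". The following Python is an added example, not code from the bug report or from the Mageia tooling: it reimplements rpm's version comparison (digit, alphabetic and tilde segments; epoch:version-release splitting) so the chains discussed above can be checked without rpmdev-vercmp. The function names and the EVR lists are assumptions constructed for this illustration.

```python
import re
from itertools import zip_longest

# A version/release field is read as a sequence of digit runs, letter runs and '~'.
_SEG = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Compare one version or release field like rpm: -1 (a older), 0, 1 (a newer).
    Digits compare as integers, a digit segment beats a letter segment, '~' sorts
    before anything (even the end of the string), and a longer field wins otherwise."""
    if a == b:
        return 0
    for x, y in zip_longest(_SEG.findall(a), _SEG.findall(b)):
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x is None:
            return -1
        if y is None:
            return 1
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # "1" vs "mga": the subrel case from this bug
        elif x != y:
            return 1 if x > y else -1
    return 0


def parse_evr(evr: str) -> tuple:
    """Split '[epoch:]version-release' into (epoch, version, release); epoch defaults to '0'."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, sep, release = rest.rpartition("-")
    if not sep:
        version, release = rest, ""
    return epoch, version, release


def evr_cmp(a: str, b: str) -> int:
    """Compare two EVR strings field by field, the way rpmdev-vercmp reports them."""
    for x, y in zip(parse_evr(a), parse_evr(b)):
        r = rpmvercmp(x, y)
        if r:
            return r
    return 0


def upgrade_path_ok(chain: list) -> bool:
    """True when each package (oldest distribution release first) is strictly older than the next."""
    return all(evr_cmp(older, newer) < 0 for older, newer in zip(chain, chain[1:]))
```

Running `evr_cmp("3.5.3-1.1.mga1", "3.5.3-1.mga2")` reproduces Thomas's result (the mga1 package is newer), while `upgrade_path_ok(["3.5.3-1.1.mga1", "3.5.3-1.1.mga2", "3.5.3-2.mga3"])` confirms José's corrected chain upgrades cleanly.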
This has CVEs now: CVE-2012-5339 CVE-2012-5368 from http://lwn.net/Vulnerabilities/525828/