Bug 7744 - phpmyadmin new security issues fixed in 3.5.3
Summary: phpmyadmin new security issues fixed in 3.5.3
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard: MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-64...
Keywords: validated_update
Depends on:
Blocks:
Reported: 2012-10-09 03:37 CEST by David Walser
Modified: 2012-11-20 19:00 CET (History)

See Also:
Source RPM: phpmyadmin
CVE:
Status comment:


Description David Walser 2012-10-09 03:37:21 CEST
phpmyadmin 3.5.3 was announced today (October 8):
http://www.phpmyadmin.net/home_page/news.php

It references two upcoming security advisories, which will be here:
http://www.phpmyadmin.net/home_page/security/PMASA-2012-6.php
http://www.phpmyadmin.net/home_page/security/PMASA-2012-7.php
David Walser 2012-10-09 03:38:12 CEST

CC: (none) => lists.jjorge
Assignee: bugsquad => lists.jjorge
Whiteboard: (none) => MGA2TOO, MGA1TOO

Comment 1 José Jorge 2012-10-10 21:21:35 CEST
Updated in cauldron, now for 1 and 2 :

Advisory:
========================

Updated phpmyadmin package fixes bugs and security vulnerabilities
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-3.5.3-1.mga2
phpmyadmin-3.5.3-1.1.mga1

from phpmyadmin-3.5.3-1.mga[1-2].src.rpm

Status: NEW => ASSIGNED

José Jorge 2012-10-10 21:21:53 CEST

Assignee: lists.jjorge => qa-bugs

Comment 2 David Walser 2012-10-10 21:44:38 CEST
José, thanks.  The subrel in the Mageia 1 package causes it to be newer than the Mageia 2 and Cauldron packages, which is a problem.

You could ask the sysadmins to delete it from Mageia 1 updates_testing, remove the subrel, and resubmit it to the build system, or you could add the subrel in the Mageia 2 package and bump the release in the Cauldron package.

Version: Cauldron => 2
Whiteboard: MGA2TOO, MGA1TOO => MGA1TOO

Comment 3 José Jorge 2012-10-11 22:15:33 CEST
(In reply to comment #2)
> you could add the subrel in the Mageia 2 package and bump the release in the Cauldron package.

I took this second path, so now it is phpmyadmin-3.5.3-1.1.mga2
Comment 4 Dave Hodgins 2012-10-16 00:28:00 CEST
Testing complete. No PoC, so just checked creating db, running sql depcheck, etc.

Could someone from the sysadmin team push the srpm
phpmyadmin-3.5.3-1.mga2
from Mageia 2 Core Updates Testing to Core Updates, and the srpm
phpmyadmin-3.5.3-1.1.mga
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated phpmyadmin package fixes bugs and security vulnerabilities
PMASA-2012-6 - Multiple XSS vulnerabilities
PMASA-2012-7 - Fetching the version information from a non-SSL site is vulnerable to a MITM attack.

http://www.phpmyadmin.net/home_page/security/PMASA-2012-6.php
http://www.phpmyadmin.net/home_page/security/PMASA-2012-7.php

https://bugs.mageia.org/show_bug.cgi?id=7744

Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: MGA1TOO => MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-64-OK MGA1-32-OK

Comment 5 Thomas Backlund 2012-10-16 00:52:13 CEST
Not pushing....

Upgrade path from mga1 to mga2 is broken:

$ rpmdev-vercmp 3.5.3-1.1.mga1 3.5.3-1.mga2
3.5.3-1.1.mga1 > 3.5.3-1.mga2

I pushed a 3.5.3-2 to 2/updates_testing

Keywords: validated_update => (none)
CC: (none) => tmb

Comment 6 Dave Hodgins 2012-10-16 01:54:47 CEST
Good catch Thomas.

Testing complete on Mageia 2 i586 and x86-64.

Could someone from the sysadmin team push the srpm
phpmyadmin-3.5.3-2.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates, and the srpm
phpmyadmin-3.5.3-1.1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated phpmyadmin package fixes bugs and security vulnerabilities
PMASA-2012-6 - Multiple XSS vulnerabilities
PMASA-2012-7 - Fetching the version information from a non-SSL site is vulnerable to a MITM attack.

http://www.phpmyadmin.net/home_page/security/PMASA-2012-6.php
http://www.phpmyadmin.net/home_page/security/PMASA-2012-7.php

https://bugs.mageia.org/show_bug.cgi?id=7744

Keywords: (none) => validated_update

Comment 7 Thomas Backlund 2012-10-16 02:22:07 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0298

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 8 David Walser 2012-10-16 02:24:21 CEST
What happened here?  José made 1.1.mga2 (see Comment 3) to fix the upgrade path problem, so that shouldn't have been an issue.  If Thomas changed the release tag to 2 and didn't remove the subrel and it's now 2.1.mga2, then it has now broken the upgrade path to Cauldron (2.mga3).
Comment 9 Thomas Backlund 2012-10-16 02:28:06 CEST
Ah, I missed comment 3 that states the 1.1.mga2 now, so it would have been ok then... I only read comment 4...

anyway ... cauldron upgrade path is ok, I pushed a -3 to cauldron at the same time I pushed -2 to updates_testing...
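The release-tag ordering argued over in comments 2, 5, 8 and 9 can be checked mechanically before an update is pushed. The Python below is an added example, not code from this bug or from Mageia: it ports rpm's rpmvercmp() segment rules (tilde-aware; caret handling omitted) and walks a chain of EVRs to confirm each distro hop is a strict upgrade. The sample EVRs are the ones quoted in the comments above.

```python
def rpmvercmp(a, b):
    """Return -1, 0 or 1, ordering like rpm's rpmvercmp() (tilde-aware, caret omitted)."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):  # skip separators
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        ca, cb = a[i:i + 1], b[j:j + 1]
        if "~" in (ca, cb):  # tilde sorts before everything, even end of string
            if ca != cb:
                return 1 if cb == "~" else -1
            i, j = i + 1, j + 1
            continue
        if not (ca and cb):
            break
        isnum = ca.isdigit()
        pred = str.isdigit if isnum else str.isalpha
        si, sj = i, j
        while si < len(a) and pred(a[si]): si += 1
        while sj < len(b) and pred(b[sj]): sj += 1
        seg_a, seg_b = a[i:si], b[j:sj]
        if not seg_b:  # mixed types: a numeric segment is newer than an alpha one
            return 1 if isnum else -1
        if isnum:  # numeric: drop leading zeros, then the longer number wins
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
        i, j = si, sj
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # leftover characters win

def evr_cmp(a, b):
    """Compare '[epoch:]version-release' strings: epoch, then version, then release."""
    def parts(evr):
        epoch, sep, rest = evr.partition(":")
        version, _, release = (rest if sep else evr).partition("-")
        return (epoch if sep else "0"), version, release
    return next((rc for rc in map(rpmvercmp, parts(a), parts(b)) if rc), 0)
def upgrade_path_ok(chain):
    """True when every hop (oldest distro release first) is a strict EVR upgrade."""
    return all(evr_cmp(old, new) < 0 for old, new in zip(chain, chain[1:]))

BROKEN = ["3.5.3-1.1.mga1", "3.5.3-1.mga2"]                    # constructed from comment 5
SHIPPED = ["3.5.3-1.1.mga1", "3.5.3-2.1.mga2", "3.5.3-3.mga3"]  # constructed from comments 6 and 9
```

`upgrade_path_ok(BROKEN)` reproduces the rpmdev-vercmp result in comment 5, while `upgrade_path_ok(SHIPPED)` confirms the mga1 to mga2 to cauldron chain that was finally pushed.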
Comment 10 David Walser 2012-11-20 19:00:32 CET
This has CVEs now: CVE-2012-5339 CVE-2012-5368

from http://lwn.net/Vulnerabilities/525828/
