Bug 7744 - phpmyadmin new security issues fixed in 3.5.3
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal Severity: normal
Assigned To: QA Team
Whiteboard: MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-64...
Keywords: validated_update
Reported: 2012-10-09 03:37 CEST by David Walser
Modified: 2012-11-20 19:00 CET
Source RPM: phpmyadmin
Description David Walser 2012-10-09 03:37:21 CEST
phpmyadmin 3.5.3 was announced today (October 8):
http://www.phpmyadmin.net/home_page/news.php

It references two upcoming security advisories, which will be here:
http://www.phpmyadmin.net/home_page/security/PMASA-2012-6.php
http://www.phpmyadmin.net/home_page/security/PMASA-2012-7.php
Comment 1 José Jorge 2012-10-10 21:21:35 CEST
Updated in cauldron, now for 1 and 2 :

Advisory:
========================

Updated phpmyadmin package fixes bugs and security vulnerabilities
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-3.5.3-1.mga2
phpmyadmin-3.5.3-1.1.mga1

from phpmyadmin-3.5.3-1.mga[1-2].src.rpm
Comment 2 David Walser 2012-10-10 21:44:38 CEST
José, thanks.  The subrel in the Mageia 1 package causes it to be newer than the Mageia 2 and Cauldron packages, which is a problem.

You could ask the sysadmins to delete it from Mageia 1 updates_testing, remove the subrel, and resubmit it to the build system, or you could add the subrel in the Mageia 2 package and bump the release in the Cauldron package.
Comment 3 José Jorge 2012-10-11 22:15:33 CEST
(In reply to comment #2)
> you could add the subrel in the Mageia 2 package and bump the release in the Cauldron package.

I took this second path, so now it is phpmyadmin-3.5.3-1.1.mga2
Comment 4 Dave Hodgins 2012-10-16 00:28:00 CEST
Testing complete.  No poc, so just checked creating db, running sql depcheck,
etc.

Could someone from the sysadmin team push the srpm
phpmyadmin-3.5.3-1.mga2
from Mageia 2 Core Updates Testing to Core Updates, and the srpm
phpmyadmin-3.5.3-1.1.mga
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated phpmyadmin package fixes bugs and security vulnerabilities
PMASA-2012-6 - Multiple XSS vulnerabilities
PMASA-2012-7 - Fetching the version information from a non-SSL site is
 vulnerable to a MITM attack.

http://www.phpmyadmin.net/home_page/security/PMASA-2012-6.php
http://www.phpmyadmin.net/home_page/security/PMASA-2012-7.php

https://bugs.mageia.org/show_bug.cgi?id=7744
Comment 5 Thomas Backlund 2012-10-16 00:52:13 CEST
Not pushing....

Upgrade path from mga1 to mga2 is broken:

$ rpmdev-vercmp 3.5.3-1.1.mga1 3.5.3-1.mga2
3.5.3-1.1.mga1 > 3.5.3-1.mga2

I pushed a 3.5.3-2 to 2/updates_testing
Comment 6 Dave Hodgins 2012-10-16 01:54:47 CEST
Good catch Thomas.

Testing complete on Mageia 2 i586 and x86-64.

Could someone from the sysadmin team push the srpm
phpmyadmin-3.5.3-2.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates, and the srpm
phpmyadmin-3.5.3-1.1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated phpmyadmin package fixes bugs and security vulnerabilities
PMASA-2012-6 - Multiple XSS vulnerabilities
PMASA-2012-7 - Fetching the version information from a non-SSL site is
 vulnerable to a MITM attack.

http://www.phpmyadmin.net/home_page/security/PMASA-2012-6.php
http://www.phpmyadmin.net/home_page/security/PMASA-2012-7.php

https://bugs.mageia.org/show_bug.cgi?id=7744
Comment 7 Thomas Backlund 2012-10-16 02:22:07 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0298
Comment 8 David Walser 2012-10-16 02:24:21 CEST
What happened here?  José made 1.1.mga2 (see Comment 3) to fix the upgrade path problem, so that shouldn't have been an issue.  If Thomas changed the release tag to 2 and didn't remove the subrel and it's now 2.1.mga2, then it has now broken the upgrade path to Cauldron (2.mga3).
Comment 9 Thomas Backlund 2012-10-16 02:28:06 CEST
Ah, I missed comment 3 that states the 1.1.mga2 now, so it would have been ok then... I only read comment 4...

anyway ... cauldron upgrade path is ok, I pushed a -3 to cauldron at the same time I pushed -2 to updates_testing...
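
The upgrade-path check discussed in comments 2 to 9, as an added example that is not part of the original thread: a simplified Python re-implementation of rpm's segment comparison (no `~` or `^` handling) applied to the release strings quoted above. The helper names `evrcmp` and `broken_upgrade_steps` are hypothetical, and the full Cauldron strings are constructed from "2.mga3" (comment 8) and "-3" (comment 9).

```python
import re

def rpmvercmp(a, b):
    """Compare two version or release strings segment by segment, in the
    style of rpm's rpmvercmp (simplified: no '~' or '^' handling)."""
    sa = re.findall(r"[0-9]+|[A-Za-z]+", a)
    sb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            # A numeric segment is always newer than an alphabetic one,
            # which is why release "1.1.mga1" beats "1.mga2".
            return 1 if x.isdigit() else -1
        kx, ky = (int(x), int(y)) if x.isdigit() else (x, y)
        if kx != ky:
            return 1 if kx > ky else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def evrcmp(a, b):
    """Compare [epoch:]version-release strings; returns -1, 0 or 1."""
    def split(evr):
        epoch, _, rest = evr.rpartition(":")
        version, _, release = rest.partition("-")
        return int(epoch or 0), version, release
    (ea, va, ra), (eb, vb, rb) = split(a), split(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

def broken_upgrade_steps(chain):
    """chain: (distro, evr) pairs ordered oldest distro first. Returns the
    adjacent pairs where the older distro's package is not strictly older."""
    return [(old, new) for old, new in zip(chain, chain[1:])
            if evrcmp(old[1], new[1]) >= 0]

# States of the update as described in the comments. The full Cauldron
# strings are constructed from "2.mga3" (comment 8) and "-3" (comment 9).
AS_FIRST_TESTED = [("mga1", "3.5.3-1.1.mga1"), ("mga2", "3.5.3-1.mga2")]
FEARED_IN_COMMENT_8 = [("mga2", "3.5.3-2.1.mga2"), ("cauldron", "3.5.3-2.mga3")]
AS_PUSHED = [("mga1", "3.5.3-1.1.mga1"), ("mga2", "3.5.3-2.1.mga2"),
             ("cauldron", "3.5.3-3.mga3")]

if __name__ == "__main__":
    for name, chain in [("as first tested", AS_FIRST_TESTED),
                        ("feared in comment 8", FEARED_IN_COMMENT_8),
                        ("as pushed", AS_PUSHED)]:
        print(name, "->", broken_upgrade_steps(chain) or "upgrade path ok")
```

Running a check like this over every supported release before a security update is pushed catches the case where an upgraded system would keep the older distribution's package.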
Comment 10 David Walser 2012-11-20 19:00:32 CET
This has CVEs now: CVE-2012-5339 CVE-2012-5368

from http://lwn.net/Vulnerabilities/525828/