Bug 438804 (CVE-2012-5339) - <dev-db/phpmyadmin-3.5.3: XSS and possible MitM of version information (CVE-2012-{5339,5368})
Summary: <dev-db/phpmyadmin-3.5.3: XSS and possible MitM of version information (CVE-2...
Status: RESOLVED FIXED
Alias: CVE-2012-5339
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://sourceforge.net/projects/phpmy...
Whiteboard: B4 [noglsa]
Keywords:
Duplicates: 440096 440772
Depends on:
Blocks:
Reported: 2012-10-18 14:58 UTC by Tomáš Mózes
Modified: 2012-12-01 19:41 UTC
CC: 4 users

See Also:
Package list:
Runtime testing required: ---
Description Tomáš Mózes 2012-10-18 14:58:56 UTC
http://sourceforge.net/news/?group_id=23067&id=309525

phpMyAdmin 3.5.3 is released

Welcome to phpMyAdmin 3.5.3, a bugfix release with minor security fixes (refer to the upcoming PMASA-2012-6 and PMASA-2012-7 for more details).
phpMyAdmin no longer contains the Highcharts library (which caused a licensing problem).
Comment 1 Jeroen Roovers (RETIRED) gentoo-dev 2012-10-18 15:32:10 UTC
   "Welcome to phpMyAdmin 3.5.3, a bugfix release with minor security fixes. This
    release no longer contains the Highcharts library (which caused a licensing
    problem)."
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2012-10-21 14:06:38 UTC
Thank you for the report, Tomas.

Upstream advisories:
http://www.phpmyadmin.net/home_page/security/PMASA-2012-6.php
http://www.phpmyadmin.net/home_page/security/PMASA-2012-7.php
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2012-10-25 15:43:49 UTC
CVE-2012-5368 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5368):
  phpMyAdmin 3.5.x before 3.5.3 uses JavaScript code that is obtained through
  an HTTP session to phpmyadmin.net without SSL, which allows
  man-in-the-middle attackers to conduct cross-site scripting (XSS) attacks by
  modifying this code.

CVE-2012-5339 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5339):
  Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.5.x
  before 3.5.3 allow remote authenticated users to inject arbitrary web script
  or HTML via a crafted name of (1) an event, (2) a procedure, or (3) a
  trigger.
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2012-10-29 07:41:37 UTC
*** Bug 440096 has been marked as a duplicate of this bug. ***
Comment 5 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-10 19:55:36 UTC
*** Bug 440772 has been marked as a duplicate of this bug. ***
Comment 6 Anthony Basile gentoo-dev 2012-11-11 15:11:06 UTC
Okay bumped to phpMyAdmin 3.5.3.
Comment 7 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-12 12:55:31 UTC
(In reply to comment #6)
> Okay bumped to phpMyAdmin 3.5.3.

Thanks. Is it ready for stabilization?
Comment 8 Anthony Basile gentoo-dev 2012-11-12 20:03:59 UTC
(In reply to comment #7)
> (In reply to comment #6)
> > Okay bumped to phpMyAdmin 3.5.3.
> 
> Thanks. Is it ready for stabilization?

I just added it to the tree and did a preliminary test to make sure I wasn't introducing anything obviously bad.  However, it is not thoroughly tested. Maybe wait a week and do an early stabilization.
Comment 9 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-12 22:09:01 UTC
(In reply to comment #8)
> (In reply to comment #7)
> > (In reply to comment #6)
> > > Okay bumped to phpMyAdmin 3.5.3.
> > 
> > Thanks. Is it ready for stabilization?
> 
> I just added it to the tree and did a preliminary test to make sure I wasn't
> introducing anything obviously bad.  However, it is not thoroughly tested.
> Maybe wait a week and do an early stabilization.

Ok, let's revisit this around Nov 19th.
Comment 10 Tomáš Mózes 2012-11-13 08:12:18 UTC
Thanks for the bump, I'm putting it into testing.
Comment 11 Alex Legler (RETIRED) archtester gentoo-dev Security 2012-11-13 19:44:49 UTC
It's good to go.

Arches, please test and mark stable:
=dev-db/phpmyadmin-3.5.3
Target KEYWORDS: "alpha amd64 hppa ppc ppc64 sparc x86"
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2012-11-13 20:13:06 UTC
Stable for HPPA.
Comment 13 Agostino Sarubbo gentoo-dev 2012-11-14 13:33:28 UTC
amd64 stable
Comment 14 Anthony Basile gentoo-dev 2012-11-15 00:55:11 UTC
stable ppc ppc64
Comment 15 Andreas Schürch gentoo-dev 2012-11-15 14:56:37 UTC
x86 done.
Comment 16 Raúl Porcel (RETIRED) gentoo-dev 2012-12-01 19:09:25 UTC
alpha/sparc stable
Comment 17 Sean Amoss (RETIRED) gentoo-dev Security 2012-12-01 19:41:05 UTC
Thanks, everyone.

Closing noglsa for XSS issues.