http://www.phpmyadmin.net/home_page/security/PMASA-2014-13.php
http://www.phpmyadmin.net/home_page/security/PMASA-2014-14.php
http://www.phpmyadmin.net/home_page/security/PMASA-2014-15.php
http://www.phpmyadmin.net/home_page/security/PMASA-2014-16.php
Fixed versions:
4.1.14.7
4.2.12
Also fixed, for the affected issues, in version:
4.0.10.6
I'm already working in the bump and hope to commit the new versions to the tree later today.
(In reply to Jorge Manuel B. S. Vicetto from comment #1)
> Also fixed, for the affected issues, in version:
> 4.0.10.6
No.
4.0.10.6 fixes only pmasa 13 and 14
(In reply to Agostino Sarubbo from comment #2)
> (In reply to Jorge Manuel B. S. Vicetto from comment #1)
> > Also fixed, for the affected issues, in version:
> > 4.0.10.6
>
> No.
>
> 4.0.10.6 fixes only pmasa 13 and 14
As I said, it fixes the issues that affect that version. The 4.0 series is not affected by pmasa 15 and 16 (at least that's what I read in the advisories).
05:03 < irker179> gentoo-x86: jmbsvicetto dev-db/phpmyadmin: Version bumps to address PMASA-2014-{13,14,15,16} - fixes bug 530054.
@arch teams, please mark stable the following versions:
4.0.10.6
4.1.14.7
4.2.13
Target KEYWORDS="alpha amd64 ppc ppc64 sparc x86".
I just added 4.2.13, but it should be the last feature release of the 4.2 series and I noticed at least 2 or 3 new calls to htmlspecialchars in the diff between 4.2.12 and 4.2.13.
(In reply to Jorge Manuel B. S. Vicetto from comment #5)
> please mark stable the following versions:
You mean:
=dev-db/phpmyadmin-4.0.10.6
=dev-db/phpmyadmin-4.1.14.7
=dev-db/phpmyadmin-4.2.13
But why 4.0.10.6?
Stable for HPPA.
(In reply to Jeroen Roovers from comment #6)
> (In reply to Jorge Manuel B. S. Vicetto from comment #5)
> > please mark stable the following versions:
>
> You mean:
>
> =dev-db/phpmyadmin-4.0.10.6
> =dev-db/phpmyadmin-4.1.14.7
> =dev-db/phpmyadmin-4.2.13
>
> But why 4.0.10.6?
Upstream is still supporting it. But if you want to reduce your arch load, feel free to drop the keywords for that series. I've added the 4.3 series to the tree, so we could reduce the number of supported series.
amd64 stable
x86 stable
ppc stable
ppc64 stable
alpha stable
sparc stable. Maintainer(s), please cleanup. Security, please vote.
CVE-2014-8961 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8961): Directory traversal vulnerability in libraries/error_report.lib.php in the error-reporting feature in phpMyAdmin 4.1.x before 4.1.14.7 and 4.2.x before 4.2.12 allows remote authenticated users to obtain potentially sensitive information about a file's line count via a crafted parameter.
CVE-2014-8960 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8960): Cross-site scripting (XSS) vulnerability in libraries/error_report.lib.php in the error-reporting feature in phpMyAdmin 4.1.x before 4.1.14.7 and 4.2.x before 4.2.12 allows remote authenticated users to inject arbitrary web script or HTML via a crafted filename.
CVE-2014-8959 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8959): Directory traversal vulnerability in libraries/gis/GIS_Factory.class.php in the GIS editor in phpMyAdmin 4.0.x before 4.0.10.6, 4.1.x before 4.1.14.7, and 4.2.x before 4.2.12 allows remote authenticated users to include and execute arbitrary local files via a crafted geometry-type parameter.
CVE-2014-8958 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8958): Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.6, 4.1.x before 4.1.14.7, and 4.2.x before 4.2.12 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) database, (2) table, or (3) column name that is improperly handled during rendering of the table browse page; a crafted ENUM value that is improperly handled during rendering of the (4) table print view or (5) zoom search page; or (6) a crafted pma_fontsize cookie that is improperly handled during rendering of the home page.
Arches, Thank you for your work
Maintainer(s), please drop the vulnerable version.
GLSA Vote: Yes
Please drop vulnerable version: Version 4.1.14.3 - Needs to be dropped as it is vulnerable to multiple vulnerabilities covered in 4 other Bugs. Setting those bugs Dependencies for cleanup of this one.
15:33 < gentoovcs> jmbsvicetto → gentoo-x86 (dev-db/phpmyadmin/) Bump phpmyadmin to the latest releases and add 4.4.0_beta1. Address CVE-2014-{9218,9219} - fixes bug 531684. Address PMASA-2015-1 - fixes bug 542218. Drop old vulnerable versions. Old version cleaned.
GLSA Vote:
(In reply to Yury German from comment #16)
> Arches, Thank you for your work
> Maintainer(s), please drop the vulnerable version.
>
> GLSA Vote: Yes
GLSA Vote: Yes.
Together with bug 522844, bug 524366, bug 526416
GLSA Request filed.
This issue was resolved and addressed in GLSA 201505-03 at https://security.gentoo.org/glsa/201505-03 by GLSA coordinator Kristian Fiskerstrand (K_F).