CVE-2017-1000499 (https://nvd.nist.gov/vuln/detail/CVE-2017-1000499): phpMyAdmin versions 4.7.x (prior to 4.7.6.1/4.7.7) are vulnerable to a CSRF weakness. By deceiving a user into clicking on a crafted URL, it is possible to perform harmful database operations such as deleting records, dropping/truncating tables, etc.
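The weakness class above (a crafted URL that carries out a state-changing database operation on behalf of a logged-in user) and its standard mitigation, shown as an added, self-contained Python model; this is not phpMyAdmin's code, and the handler names, the `Session` class, the sample URL and the in-memory `executed` list are all constructed for the illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed sample: a crafted link of the kind the advisory describes.
CRAFTED_URL = "https://pma.example.invalid/sql.php?action=drop&table=users"


class Session:
    """Minimal server-side session holding a per-session anti-CSRF token."""

    def __init__(self):
        self.token = secrets.token_hex(16)


def vulnerable_handler(method, url, executed):
    """CSRF pattern: acts on query parameters with no method or token check.

    Any site the victim visits can make their browser fetch this URL, and the
    browser attaches the victim's session cookie automatically.
    """
    q = parse_qs(urlparse(url).query)
    action = q.get("action", [None])[0]
    table = q.get("table", [None])[0]
    if action in ("drop", "truncate") and table:
        executed.append((action, table))
        return 200
    return 400


def hardened_handler(method, form, session, executed):
    """Mitigated form: state changes require POST and a token bound to the session."""
    if method != "POST":
        return 405          # a plain link (GET) can never trigger the operation
    token = form.get("token", "")
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    if not hmac.compare_digest(token.encode(), session.token.encode()):
        return 403          # cross-site forms cannot read the victim's token
    action, table = form.get("action"), form.get("table")
    if action in ("drop", "truncate") and table:
        executed.append((action, table))
        return 200
    return 400


def run_demo():
    """Returns (vulnerable GET, hardened GET, hardened POST w/o token, hardened POST w/ token)."""
    session, log = Session(), []
    form = {"action": "drop", "table": "users"}
    return (vulnerable_handler("GET", CRAFTED_URL, log),
            hardened_handler("GET", form, session, log),
            hardened_handler("POST", form, session, log),
            hardened_handler("POST", {**form, "token": session.token}, session, log))
```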
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=449d4a8250796576021f544d826cbd32f4c6c82d
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=66ce23a80efde30425899df6c59d3b8eca50124c
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=256846b1bbda408d41264d8984022b27ceb548b1

Apologies for taking so long, but I got distracted after losing my battle with gpg remote signing. I've dropped the old 4.7 versions (and restored 4.7.0 as the last stable).

https://gitweb.gentoo.org/dev/jmbsvicetto.git/commit/?id=e27ed9b11b540c2184f789828563df58572d12f0
@arch teams: please proceed with marking dev-db/phpmyadmin-4.7.7 stable. REQUESTED KEYWORDS: "alpha amd64 hppa ppc ppc64 x86" @sparc: Should we drop the stable keyword or do you want to add it to the 4.7.7 release?
x86 stable
amd64 stable
this bug was superseded by bug 648330
Stable on alpha.
ppc64 stable
hppa stable keywords dropped
sparc will pick a newer version eventually.
An automated check of this bug failed - the following atom is unknown: dev-db/phpmyadmin-4.7.7-r1 Please verify the atom list.
GLSA Vote: No
(In reply to Jorge Manuel B. S. Vicetto from comment #1)
> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=449d4a8250796576021f544d826cbd32f4c6c82d
> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=66ce23a80efde30425899df6c59d3b8eca50124c
> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=256846b1bbda408d41264d8984022b27ceb548b1
>
> Apologies for taking so long, but I got distracted after losing my battle with gpg remote signing. I've dropped the old 4.7 versions (and restored 4.7.0 as the last stable).
>
> https://gitweb.gentoo.org/dev/jmbsvicetto.git/commit/?id=e27ed9b11b540c2184f789828563df58572d12f0

Jorge, according to the PMASA, 4.7.0 is vulnerable: https://www.phpmyadmin.net/security/PMASA-2017-9/ Please drop it.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5019cc7b54eb4bd2b33d0449446d0f3e6cd63f3c

commit 5019cc7b54eb4bd2b33d0449446d0f3e6cd63f3c
Author: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2018-12-02 03:47:15 +0000
Commit: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2018-12-02 03:47:15 +0000

    dev-db/phpmyadmin: Drop vulnerable release.

    Bug: http://bugs.gentoo.org/645700
    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
    Package-Manager: Portage-2.3.50, Repoman-2.3.11

 dev-db/phpmyadmin/Manifest                | 1 -
 dev-db/phpmyadmin/phpmyadmin-4.7.0.ebuild | 61 -------------------------------
 2 files changed, 62 deletions(-)
(In reply to Larry the Git Cow from comment #13)
> The bug has been referenced in the following commit(s):
>
> https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5019cc7b54eb4bd2b33d0449446d0f3e6cd63f3c
>
> commit 5019cc7b54eb4bd2b33d0449446d0f3e6cd63f3c
> Author: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
> AuthorDate: 2018-12-02 03:47:15 +0000
> Commit: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
> CommitDate: 2018-12-02 03:47:15 +0000
>
>     dev-db/phpmyadmin: Drop vulnerable release.
>
>     Bug: http://bugs.gentoo.org/645700
>     Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
>     Package-Manager: Portage-2.3.50, Repoman-2.3.11
>
>  dev-db/phpmyadmin/Manifest                | 1 -
>  dev-db/phpmyadmin/phpmyadmin-4.7.0.ebuild | 61 -------------------------------
>  2 files changed, 62 deletions(-)

Thank you, Jorge!