195707 2007-10-13 15:37 0000 dev-db/phpmyadmin < 2.11.1.1 "setup.php" Cross-Site Scripting Vulnerability (CVE-2007-5386) 2007-10-25 18:51:33 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://secunia.com/advisories/27173/ B4 [noglsa] P2 minor --- 195843 196237 1 keytoaster@gentoo.org security@gentoo.org cla@gentoo.org mysql-bugs@gentoo.org keytoaster@gentoo.org 2007-10-13 15:37:37 0000 Omer Singer has reported a vulnerability in phpMyAdmin, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed via the URL is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Successful exploitation requires that the user is running a browser that has not URL-encoded the request (e.g. Internet Explorer 6). The vulnerability is reported in version 2.11.1. Other versions may also be affected. Solution: Fixed in the SVN repository. keytoaster@gentoo.org 2007-10-13 15:40:26 0000 Maintainers, please provide an updated ebuild. wrobel@gentoo.org 2007-10-14 06:32:19 0000 phpmyadmin-2.11.1 is in the tree including the patch for the issue. Target archs: alpha amd64 hppa ppc ppc64 sparc x86 cla@gentoo.org 2007-10-14 12:06:10 0000 Stable on x86 jakub@gentoo.org 2007-10-14 14:15:43 0000 Err, wait, the thing is borked (Bug 195843). fauli@gentoo.org 2007-10-14 18:26:23 0000 I reverted stable x86 KEYWORD back to ~x86 scytheman666@gmail.com 2007-10-14 20:06:13 0000 with this bug, this one http://bugs.gentoo.org/show_bug.cgi?id=183114 should be redundant? wrobel@gentoo.org 2007-10-15 04:56:40 0000 Hrm bug #195843 is nothing I can do much about at the moment. I checked the code but it seems to be an upstream issue. I inquired at their forum: http://sourceforge.net/forum/message.php?msg_id=4568637 To be honest this just looks like sloppy programming since its a php warning. wrobel@gentoo.org 2007-10-15 04:57:17 0000 (In reply to comment #6) > with this bug, this one http://bugs.gentoo.org/show_bug.cgi?id=183114 should > be redundant? > in principle yes, but lets see how this progresses first. wrobel@gentoo.org 2007-10-15 07:56:28 0000 Hm bug #195843 got closed again. Security please advise: Should we continue stabilization or wait one week to see if there are further reports? I tend to waiting since it's XSS but on the other hand the app is stable on many archs. rbu@gentoo.org 2007-10-15 22:49:44 0000 (In reply to comment #9) > Hm bug #195843 got closed again. Security please advise: Should we continue > stabilization or wait one week to see if there are further reports? I tend to > waiting since it's XSS but on the other hand the app is stable on many archs. 2.11.1.1 was released today, including the security fix. If the source is identical to our release plus patch, we can stable that. Otherwise, we should just bump it to the latest release. Since no one was able to reproduce this issue anymore, it might be related to outdated caches? Upstream advisory: http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2007-5 wrobel@gentoo.org 2007-10-16 08:00:26 0000 (In reply to comment #10) > (In reply to comment #9) > > Hm bug #195843 got closed again. Security please advise: Should we continue > > stabilization or wait one week to see if there are further reports? I tend to > > waiting since it's XSS but on the other hand the app is stable on many archs. > > 2.11.1.1 was released today, including the security fix. If the source is > identical to our release plus patch, we can stable that. Otherwise, we should > just bump it to the latest release. Bumped it even though 2.11.1.1 probably does not contain more than the fix. In any case I think it will be less confusing to the user if we release 2.11.1.1 Please mark the new version stable then. > Since no one was able to reproduce this issue anymore, it might be related to > outdated caches? > > Upstream advisory: > http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2007-5 > rbu@gentoo.org 2007-10-16 11:03:50 0000 Arches, please test and mark stable dev-db/phpmyadmin-2.11.1.1 Target keywords are: "alpha amd64 hppa ppc ppc64 sparc x86" corsair@gentoo.org 2007-10-16 14:44:54 0000 ppc64 stable jer@gentoo.org 2007-10-16 15:23:08 0000 Stable for HPPA. cla@gentoo.org 2007-10-16 20:16:34 0000 Finally stable on x86 ;) wrobel@gentoo.org 2007-10-18 05:16:26 0000 phpmyadmin managed to release a second sec fix. So forget about 2.11.1.1 and move to 2.11.1.2 (bug #196237). Removing all arches that need to mark 2.11.1.2 stable and webapps here. Leaving open for security since I don't know if there is anything left you still have to do. falco@gentoo.org 2007-10-22 20:24:01 0000 non-persistent XSS. Only vulnerable with IE6 and not in its default conf. I vote noglsa. jaervosz@gentoo.org 2007-10-22 20:40:53 0000 Voting NO. This one should be closed as soon as alpha and sparc stable 2.11.1.2 jaervosz@gentoo.org 2007-10-25 18:51:33 0000 This one can be closed now as well.