| Summary: | dev-db/phpmyadmin-{4.1.14.2,4.2.7}: Script Insertion and Security Bypass Vulnerabilities (CVE-2014-{4986,4987}) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | a3li, jmbsvicetto, rich0, web-apps |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://secunia.com/advisories/60191/ | | |
| Whiteboard: | B4 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 520142 | | |
| Bug Blocks: | | | |
Description

Agostino Sarubbo 2014-07-23 09:53:16 UTC

CVE-2014-4986 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4986): Multiple cross-site scripting (XSS) vulnerabilities in js/functions.js in phpMyAdmin 4.0.x before 4.0.10.1, 4.1.x before 4.1.14.2, and 4.2.x before 4.2.6 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) table name or (2) column name that is improperly handled during construction of an AJAX confirmation message.

CVE-2014-4987 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4987): server_user_groups.php in phpMyAdmin 4.1.x before 4.1.14.2 and 4.2.x before 4.2.6 allows remote authenticated users to bypass intended access restrictions and read the MySQL user list via a viewUsers request.

12:34 < irker982> gentoo-x86: jmbsvicetto dev-db/phpmyadmin: Bump to versions 4.0.10.1, 4.1.14.2 and 4.2.7. Fixes bug 514894, 517858 and 519342.

4.1.14.2 and 4.2.7 are now in the tree. At this point, let's move on with 4.1.14.2 stabilization. 4.2 can be done in a non-security bug.

Arches, please test and mark stable: =dev-db/phpmyadmin-4.1.14.2
Target Keywords: "alpha amd64 hppa ppc ppc64 sparc x86"
Thank you!

Since version 4.2.7 is not stable, there is no need to stabilize it as part of this security bug; it is being stabilized as part of Bug 519342.

A new vulnerability has been found, and the new versions come with this. No stabilization needs to happen as part of this bug; moving it to Bug 520142 and setting it as blocker. Versions no longer in tree. Security, please vote.

GLSA Vote: No. New GLSA required for subsequent issues. Adding this to the list.

This issue was resolved and addressed in GLSA 201505-03 at https://security.gentoo.org/glsa/201505-03 by GLSA coordinator Kristian Fiskerstrand (K_F).
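The root cause named for CVE-2014-4986 is a table or column name concatenated into the HTML of an AJAX confirmation message without escaping. The following is an added example, not code from phpMyAdmin or from this bug: a minimal `escapeHtml` helper, a hypothetical unescaped message builder beside its hardened form, and a crafted name (constructed here) to show the difference. The function names and the message wording are assumptions for the demonstration.

```javascript
// Added example (not phpMyAdmin's js/functions.js): building a confirmation
// message from an untrusted table name. Names and wording are constructed.

// Minimal HTML escaper for text placed inside an element body or attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hypothetical vulnerable pattern: the name goes straight into the markup,
// so any tags inside it become part of the rendered DOM.
function buildConfirmationUnsafe(tableName) {
  return '<p>Do you really want to drop table <b>' + tableName + '</b>?</p>';
}

// Hardened pattern: every untrusted fragment passes through escapeHtml, so the
// name is rendered as text no matter what characters it contains.
function buildConfirmation(tableName) {
  return '<p>Do you really want to drop table <b>' + escapeHtml(tableName) + '</b>?</p>';
}

// Demo-only check: does the HTML contain any tag other than the <p>/<b> pair
// the builder itself emits? True means the name smuggled markup in.
function containsForeignTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some(t => !/^<\/?(p|b)>$/.test(t));
}

// Constructed table name carrying a script element, as a defender's test input.
const craftedName = 'users<script>alert(1)</script>';

console.log('unsafe leaks markup:', containsForeignTag(buildConfirmationUnsafe(craftedName)));
console.log('escaped leaks markup:', containsForeignTag(buildConfirmation(craftedName)));
```

In a browser the cleaner fix is to avoid string-built HTML altogether: create the `<b>` element and assign the name with `textContent`, which needs no escaping at all. `escapeHtml` is the fallback for code paths that must still assemble markup as a string, and it has to be applied to every interpolated fragment, not just the one that was reported.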