http://www.phpmyadmin.net/home_page/security/PMASA-2014-8.php

Description
With a crafted database, table or primary/unique key column name it is possible to trigger an XSS when dropping a row from the table. With a crafted column name it is possible to trigger an XSS in the ENUM editor dialog. With a crafted variable name or a crafted value for the unit field it is possible to trigger a self-XSS when adding a new chart in the monitor page. With a crafted value for the x-axis label it is possible to trigger a self-XSS in the query chart page. With a crafted relation name it is possible to trigger an XSS in the table relations page.

Severity
We consider these vulnerabilities to be non-critical.

Solution
Upgrade to phpMyAdmin 4.0.10.2 or newer, or 4.1.14.3 or newer, or 4.2.7.1 or newer, or apply the patches listed below.

http://www.phpmyadmin.net/home_page/security/PMASA-2014-9.php

Description
With a crafted view name it is possible to trigger an XSS when dropping the view in the view operations page.

Severity
We consider this vulnerability to be non-critical.

Solution
Upgrade to phpMyAdmin 4.1.14.3 or newer, or 4.2.7.1 or newer, or apply the patch listed below.
17:54 < irker101> gentoo-x86: jmbsvicetto dev-db/phpmyadmin: Another security bump for phpmyadmin (CVE-2014-{5273,5274}) - bug 520142. Drop unstable affected versions. Versions in the tree bumped.
Maintainers, please advise when ebuilds have had enough testing, and are ready for stabilization.
CVE-2014-5274 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5274): Cross-site scripting (XSS) vulnerability in the view operations page in phpMyAdmin 4.1.x before 4.1.14.3 and 4.2.x before 4.2.7.1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted view name, related to js/functions.js.

CVE-2014-5273 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-5273): Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.2, 4.1.x before 4.1.14.3, and 4.2.x before 4.2.7.1 allow remote authenticated users to inject arbitrary web script or HTML via the (1) browse table page, related to js/sql.js; (2) ENUM editor page, related to js/functions.js; (3) monitor page, related to js/server_status_monitor.js; (4) query charts page, related to js/tbl_chart.js; or (5) table relations page, related to libraries/tbl_relation.lib.php.
Arches, please test and mark stable:

=dev-db/phpmyadmin-4.1.14.3

Target Keywords : "alpha amd64 hppa ppc ppc64 sparc x86"

Thank you!
(In reply to Yury German from comment #4)
> Arches, please test and mark stable:
>
> =dev-db/phpmyadmin-4.1.14.3
>
> Target Keywords : "alpha amd64 hppa ppc ppc64 sparc x86"
>
> Thank you!

It is hard to catch if arches are not in CC.
Stable for HPPA.
amd64 stable
x86 stable
sparc stable
ppc64 stable
alpha stable
ppc stable.

Maintainer(s), please clean up.
Security, please vote.
(In reply to Agostino Sarubbo from comment #12)
> ppc stable.
>
> Maintainer(s), please clean up.
> Security, please vote.

GLSA Vote: No
Old versions cleaned up, security please vote.
Arches and Maintainer(s), Thank you for your work. GLSA Vote: No