Bug 517858 (CVE-2014-4986) - <dev-db/phpmyadmin-{4.1.14.2,4.2.7}: Script Insertion and Security Bypass Vulnerabilities (CVE-2014-{4986,4987})
Summary: <dev-db/phpmyadmin-{4.1.14.2,4.2.7}: Script Insertion and Security Bypass Vul...
Status: RESOLVED FIXED
Alias: CVE-2014-4986
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://secunia.com/advisories/60191/
Whiteboard: B4 [glsa]
Keywords:
Depends on: CVE-2014-5273
Blocks:
Reported: 2014-07-23 09:53 UTC by Agostino Sarubbo
Modified: 2015-05-31 19:21 UTC

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2014-07-23 09:53:16 UTC
From ${URL} :

Description

Multiple vulnerabilities have been reported in phpMyAdmin, which can be exploited by malicious users to conduct script insertion attacks and bypass certain security restrictions.

1) An error when handling certain permissions can be exploited to view and manipulate otherwise restricted MySQL user tables.

Successful exploitation requires the configuration storage set up for the user groups feature.

This vulnerability is reported in versions prior to 4.1.14.2 and prior to 4.2.6.

2) Input passed via the column name to the table structure page when dropping a column is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.

3) Input passed via the table name to the table operations page when dropping or truncating a table is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.

The vulnerabilities #2 and #3 are reported in versions prior to 4.0.10.1, prior to 4.1.14.2, and prior to 4.2.6.


Solution:
Update to version 4.1.14.2 or 4.2.6.

Provided and/or discovered by:
1) The vendor credits Chirayu Chiripal.
2, 3) Reported by the vendor.

Original Advisory:
PMASA-2014-6:
http://www.phpmyadmin.net/home_page/security/PMASA-2014-6.php

PMASA-2014-7:
http://www.phpmyadmin.net/home_page/security/PMASA-2014-7.php




@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2014-07-24 14:17:26 UTC
CVE-2014-4986 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4986):
  Multiple cross-site scripting (XSS) vulnerabilities in js/functions.js in
  phpMyAdmin 4.0.x before 4.0.10.1, 4.1.x before 4.1.14.2, and 4.2.x before
  4.2.6 allow remote authenticated users to inject arbitrary web script or
  HTML via a crafted (1) table name or (2) column name that is improperly
  handled during construction of an AJAX confirmation message.
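
The flaw class named in the CVE-2014-4986 text above (a table or column name concatenated into an AJAX confirmation message) is shown here as an added example; it is not phpMyAdmin's code and not part of the original bug report. The function names, message wording and sample table name are constructed for illustration.

```javascript
// Added illustration, not phpMyAdmin source. All names here are hypothetical.

// Escape the characters that are significant in HTML text and attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the identifier goes into markup unescaped, and the
// caller later hands the string to a dialog as HTML.
function confirmMessageUnsafe(action, identifier) {
  return '<p>Do you really want to execute "' + action + ' `' + identifier + '`"?</p>';
}

// Hardened pattern: everything derived from the identifier is HTML-escaped
// before it enters the markup. In a browser, assigning the plain string to
// element.textContent achieves the same result without building HTML at all.
function confirmMessageSafe(action, identifier) {
  return '<p>Do you really want to execute "' +
    escapeHtml(action + ' `' + identifier + '`') + '"?</p>';
}

// Regression check helper: list the element names an HTML parser would open.
// Closing tags ("</p>") and escaped text ("&lt;img") do not match.
function openTags(html) {
  const names = [];
  const re = /<([a-zA-Z][a-zA-Z0-9]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    names.push(m[1].toLowerCase());
  }
  return names;
}

// Constructed sample: a table name that is legal in MySQL when backtick-quoted
// but carries markup.
const SAMPLE_NAME = 'orders<img src=x onerror=alert(1)>';

console.log(openTags(confirmMessageUnsafe('DROP TABLE', SAMPLE_NAME))); // p and img
console.log(openTags(confirmMessageSafe('DROP TABLE', SAMPLE_NAME)));   // p only
```

A check like `openTags` can be used in a unit test to assert that no message builder ever emits an element that the template itself did not contain.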
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-08-10 20:53:54 UTC
CVE-2014-4987 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-4987):
  server_user_groups.php in phpMyAdmin 4.1.x before 4.1.14.2 and 4.2.x before
  4.2.6 allows remote authenticated users to bypass intended access
  restrictions and read the MySQL user list via a viewUsers request.
Comment 3 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2014-08-14 12:42:05 UTC
12:34 < irker982> gentoo-x86: jmbsvicetto dev-db/phpmyadmin: Bump to versions 4.0.10.1, 4.1.14.2 and 4.2.7. Fixes bug 514894, 517858 and 519342.

4.1.14.2 and 4.2.7 are now in the tree.

At this point, let's move on with 4.1.14.2 stabilization. 4.2 can be done in a non-security bug.
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2014-08-15 23:48:59 UTC
Arches, please test and mark stable:

=dev-db/phpmyadmin-4.1.14.2

Target Keywords : "alpha amd64 hppa ppc ppc64 sparc x86"

Thank you!

Since Version 4.2.7 is not stable, no need to stabilize as part of this security bug, it is being stabilized as part of Bug 519342.
Comment 5 Yury German Gentoo Infrastructure gentoo-dev 2014-08-25 14:50:05 UTC
A new vulnerability has been found, and the new versions come with this. No Stabilization needs to happen as part of this bug, moving it to Bug 520142, and setting it as blocker.
Comment 6 Yury German Gentoo Infrastructure gentoo-dev 2014-12-29 05:56:48 UTC
Versions no longer in tree.

Security please Vote.

GLSA Vote: No
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2015-04-22 21:22:22 UTC
New GLSA required for subsequent issues.

Adding this to the list.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2015-05-31 19:21:19 UTC
This issue was resolved and addressed in
 GLSA 201505-03 at https://security.gentoo.org/glsa/201505-03
by GLSA coordinator Kristian Fiskerstrand (K_F).