From ${URL} :
The 4.0.10.5, 4.1.14.6, and 4.2.10.1 releases of phpMyAdmin fix a cross-site scripting (XSS) flaw in the SQL debug output:
"With a crafted database or table name it is possible to trigger an XSS in SQL debug output when enabled and in server monitor page when viewing and analysing executed queries."
As noted in the upstream advisory, this issue can only be triggered by logged-in users.
References: http://www.phpmyadmin.net/home_page/security/PMASA-2014-12.php
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
CVE-2014-8326 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-8326): Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before 4.0.10.5, 4.1.x before 4.1.14.6, and 4.2.x before 4.2.10.1 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) database name or (2) table name, related to the libraries/DatabaseInterface.class.php code for SQL debug output and the js/server_status_monitor.js code for the server monitor page.
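The affected ranges in the CVE text above can be turned into a version check for auditing installed phpMyAdmin packages. This is an added example, not code from the bug report or from phpMyAdmin; the function names and the sample inventory are assumptions made for illustration.

```python
import re

# First fixed release per affected branch, taken from the CVE-2014-8326 text.
FIXED = {
    (4, 0): (4, 0, 10, 5),
    (4, 1): (4, 1, 14, 6),
    (4, 2): (4, 2, 10, 1),
}


def parse_version(text):
    """Return the numeric part of a version such as '4.1.14.3' or '4.4.0_beta1'.

    A Gentoo-style suffix (_beta1, _rc2, -r1) is ignored (assumption: suffixes
    do not change which upstream release the package carries).
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:[_-][A-Za-z0-9]+)*", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def status(version):
    """Classify a version as 'vulnerable', 'fixed' or 'not-listed'."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        # Branch is not named in the CVE text; make no claim either way.
        return "not-listed"
    # Tuple comparison treats a shorter prefix as smaller, so 4.2.10 sorts
    # before 4.2.10.1, matching "4.2.x before 4.2.10.1".
    return "vulnerable" if v < fixed else "fixed"


def audit(installed):
    """Return the versions from an inventory that still need the fix."""
    return [v for v in installed if status(v) == "vulnerable"]


if __name__ == "__main__":
    # Constructed sample inventory, not data from the bug report.
    inventory = ["4.0.10.4", "4.1.14.3", "4.2.10.1", "4.4.0_beta1"]
    for ver in inventory:
        print(f"{ver:12} {status(ver)}")
```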
no GLSA for Cross Site Scripting
Setting cleanup dependency on bug 530054 to cleanup version: 4.1.14.3
15:33 < gentoovcs> jmbsvicetto → gentoo-x86 (dev-db/phpmyadmin/) Bump phpmyadmin to the latest releases and add 4.4.0_beta1. Address CVE-2014-{9218,9219} - fixes bug 531684. Address PMASA-2015-1 - fixes bug 542218. Drop old vulnerable versions.
Old version cleaned.
All necessary stuff is done. Thanks guys, closing as noglsa