CVE-2020-26934 (PMASA-2020-5):
------------------------------
A vulnerability was discovered where an attacker can cause an XSS attack through the transformation feature. If an attacker sends a crafted link to the victim with the malicious JavaScript, when the victim clicks on the link, the JavaScript will run and complete the instructions made by the attacker.

Links:
https://www.phpmyadmin.net/security/PMASA-2020-5/
https://nvd.nist.gov/vuln/detail/CVE-2020-26934

Patch:
https://github.com/phpmyadmin/phpmyadmin/commit/19df63b0365621427697edc185ff7c9c5707c523

CVE-2020-26935 (PMASA-2020-6):
------------------------------
An SQL injection vulnerability was discovered in how phpMyAdmin processes SQL statements in the search feature. An attacker could use this flaw to inject malicious SQL into a query.

Links:
https://www.phpmyadmin.net/security/PMASA-2020-6/
https://nvd.nist.gov/vuln/detail/CVE-2020-26935

Patch:
https://github.com/phpmyadmin/phpmyadmin/commit/d09ab9bc9d634ad08b866d42bb8c4109869d38d2

Upstream considers both to be of moderate severity.
Package atom in summary should not be versioned until those versions are in tree.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/dev/jmbsvicetto.git/commit/?id=db9b00696f52941c510bfa1e068038df67f7f7c5

commit db9b00696f52941c510bfa1e068038df67f7f7c5
Author:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2020-10-14 16:01:24 +0000
Commit:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2020-10-14 16:01:24 +0000

    dev-db/phpmyadmin: Security bump (4.9.6, 5.0.3). CVE-2020-{26934,26935}

    Bug: https://bugs.gentoo.org/747805
    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

 dev-db/phpmyadmin/Manifest                |  2 +
 dev-db/phpmyadmin/phpmyadmin-4.9.6.ebuild | 61 +++++++++++++++++++++++++++++++
 dev-db/phpmyadmin/phpmyadmin-5.0.3.ebuild | 61 +++++++++++++++++++++++++++++++
 3 files changed, 124 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a8607d3bd46a14bb879f65b3888078562d11a3ef

commit a8607d3bd46a14bb879f65b3888078562d11a3ef
Author:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2020-10-14 16:12:21 +0000
Commit:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2020-10-14 16:14:53 +0000

    dev-db/phpmyadmin: Security bump (4.9.6, 5.0.3). CVE-2020-{26934,26935}

    Bug: https://bugs.gentoo.org/747805
    Package-Manager: Portage-3.0.6, Repoman-3.0.1
    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

 dev-db/phpmyadmin/Manifest                |  2 +
 dev-db/phpmyadmin/phpmyadmin-4.9.6.ebuild | 61 +++++++++++++++++++++++++++++++
 dev-db/phpmyadmin/phpmyadmin-5.0.3.ebuild | 61 +++++++++++++++++++++++++++++++
 3 files changed, 124 insertions(+)
Thanks Jorge, please stabilize 4.9.6 when ready.
Ready?
x86 stable
amd64 done
ppc stable
sparc stable
ppc64 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3397ead58a8062f38ef33150e4d6fd8a2123b09c

commit 3397ead58a8062f38ef33150e4d6fd8a2123b09c
Author:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2020-11-19 19:18:49 +0000
Commit:     Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2020-11-19 19:18:49 +0000

    dev-db/phpmyadmin: Cleanup vulnerable releases.

    Bug: https://bugs.gentoo.org/747805
    Package-Manager: Portage-3.0.6, Repoman-3.0.1
    Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

 dev-db/phpmyadmin/Manifest                |  1 -
 dev-db/phpmyadmin/phpmyadmin-4.9.5.ebuild | 61 -------------------------------
 2 files changed, 62 deletions(-)
New GLSA request filed.
4.9.6 doesn't work with PHP 5.6; bump to 4.9.7.

This version fixes:
* Two-factor authentication was broken
* Incompatibilities with older PHP versions
This issue was resolved and addressed in GLSA 202101-35 at https://security.gentoo.org/glsa/202101-35 by GLSA coordinator Aaron Bauman (b-man).