| Field | Value |
|---|---|
| Summary: | <dev-db/phpmyadmin-4.1.7: XSS in import.php (CVE-2014-1879) |
| Product: | Gentoo Security |
| Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities |
| Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED |
| Severity: | minor |
| CC: | a3li, jmbsvicetto, web-apps |
| Priority: | Normal |
| Version: | unspecified |
| Hardware: | All |
| OS: | Linux |
| URL: | https://bugzilla.redhat.com/show_bug.cgi?id=1067713 |
| Whiteboard: | B4 [noglsa] |
| Package list: | |
| Runtime testing required: | --- |
Description
Agostino Sarubbo
2014-02-21 15:16:28 UTC
@arches:

please test and mark stable phpmyadmin-4.1.7.

(In reply to Jorge Manuel B. S. Vicetto from comment #1)
> @arches:
>
> please test and mark stable phpmyadmin-4.1.7.

No, like this, please:

Arch teams, please test and mark stable:
=dev-db/phpmyadmin-4.1.7
Targeted stable KEYWORDS: alpha amd64 hppa ppc ppc64 sparc x86

(In reply to Jeroen Roovers from comment #2)
> (In reply to Jorge Manuel B. S. Vicetto from comment #1)
> > @arches:
> >
> > please test and mark stable phpmyadmin-4.1.7.
>
> No, like this, please:
>
> Arch teams, please test and mark stable:
> =dev-db/phpmyadmin-4.1.7
> Targeted stable KEYWORDS: alpha amd64 hppa ppc ppc64 sparc x86

Sorry about that.

ia64:

I see you don't have any version stable. Are you interested in adding it to the stable tree?

(In reply to Jorge Manuel B. S. Vicetto from comment #3)
> ia64:
>
> I see you don't have any version stable. Are you interested in adding it to
> the stable tree?

no

Stable for HPPA.

amd64/x86 stable

CVE-2014-1879 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-1879): Cross-site scripting (XSS) vulnerability in import.php in phpMyAdmin before 4.1.7 allows remote authenticated users to inject arbitrary web script or HTML via a crafted filename in an import action.

sparc stable

ppc stable

alpha stable

ppc64 stable.

Maintainer(s), please clean up.

Security, please vote.

Arches, thank you for your work.

Maintainer(s), please drop the vulnerable version.

Maintainer(s), please drop the vulnerable version.

GLSA Vote: no

No GLSA for Cross Site Scripting

The vulnerable versions have been around since 2014-03-24, please clean up.

12:37 < irker982> gentoo-x86: jmbsvicetto dev-db/phpmyadmin: Drop old and vulnerable versions.

There should be nothing left to do in this bug.

(In reply to Jorge Manuel B. S. Vicetto from comment #15)
>
> There should be nothing left to do in this bug.

phpmyadmin-4.0.10.1 is still in tree, and based on the information from the CVE it is still vulnerable.

(In reply to Yury German from comment #16)
> (In reply to Jorge Manuel B. S. Vicetto from comment #15)
> >
> > There should be nothing left to do in this bug.
>
> phpmyadmin-4.0.10.1 is still in tree, and based on the information from
> the CVE it is still vulnerable.

http://www.phpmyadmin.net/home_page/news.php#phpMyAdmin_4.0.10.1__4.1.14.2_and_4.2.6_are_released

Since these were all released at the same time, I believe the security issue tracked in this bug doesn't affect 4.0.10.1. In any case, the only reason I added it to the tree was that upstream seems to still be actively supporting it. If no one cares about it, I don't mind keeping just the 4.1 and 4.2 series in the tree.

I was going by the text in the URLs provided; 4.0.10.1 was released after 4.1.7. But in either case, we will have to bump to 4.0.10.2 (if you want to keep the 4.0.X tree) as part of Bug 517858 & 514894, as 4.0.10.2 contains the same fixes. This is cleaned up though.