| Field | Value |
|---|---|
| Summary | dev-db/phpmyadmin-{4.9.5,5.0.2}: Multiple vulnerabilities (CVE-2020-{10802,10803,10804} / PMASA-2020-{3,4,2}) |
| Product | Gentoo Security |
| Reporter | Sam James <sam> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | minor |
| CC | jmbsvicetto, web-apps |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| See Also | https://bugs.gentoo.org/show_bug.cgi?id=717630 |
| Whiteboard | B4 [noglsa cve] |
| Package list | =dev-db/phpmyadmin-4.9.5 amd64 ppc64 ppc sparc x86 |
| Runtime testing required | --- |
Description
Sam James
2020-03-22 17:09:30 UTC

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/dev/jmbsvicetto.git/commit/?id=2f792e1787303bdb871267f8e9fbf75d7085d893

commit 2f792e1787303bdb871267f8e9fbf75d7085d893
Author: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2020-03-24 15:05:09 +0000
Commit: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2020-03-24 15:05:09 +0000

dev-db/phpmyadmin: Security bump - CVE-2020-{10802,10803,10804} PMASA-2020-{3,4,2}

Add 4.9.5 and 5.0.2 releases to address the following security advisories.
PMASA-2020-2: SQL injection vulnerability in the user accounts page, particularly when changing a password
PMASA-2020-3: SQL injection vulnerability relating to the search feature
PMASA-2020-4: SQL injection and XSS having to do with displaying results

Bug: https://bugs.gentoo.org/714014
Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

dev-db/phpmyadmin/Manifest | 2 +
dev-db/phpmyadmin/phpmyadmin-4.9.5.ebuild | 61 +++++++++++++++++++++++++++++++
dev-db/phpmyadmin/phpmyadmin-5.0.2.ebuild | 61 +++++++++++++++++++++++++++++++
3 files changed, 124 insertions(+)

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a81c2975bff0bf2f8f4dce7c9a98628dd3b9c10d

commit a81c2975bff0bf2f8f4dce7c9a98628dd3b9c10d
Author: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2020-03-24 15:22:32 +0000
Commit: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2020-03-24 15:22:58 +0000

dev-db/phpmyadmin: Security bump - CVE-2020-{10802,10803,10804}.

Add 4.9.5 and 5.0.2 releases to address the following security advisories.
CVE-2020-{10802,10803,10804} - PMASA-2020-{3,4,2}
PMASA-2020-2: SQL injection vulnerability in the user accounts page, particularly when changing a password
PMASA-2020-3: SQL injection vulnerability relating to the search feature
PMASA-2020-4: SQL injection and XSS having to do with displaying results

Bug: https://bugs.gentoo.org/714014
Package-Manager: Portage-2.3.94, Repoman-2.3.21
Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

dev-db/phpmyadmin/Manifest | 2 +
dev-db/phpmyadmin/phpmyadmin-4.9.5.ebuild | 61 +++++++++++++++++++++++++++++++
dev-db/phpmyadmin/phpmyadmin-5.0.2.ebuild | 61 +++++++++++++++++++++++++++++++
3 files changed, 124 insertions(+)

@maintainer(s), please advise if ready for stabilisation, or call yourself.

Vulnerable versions dropped:
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2a9e195c3ec8bde5b3aa7d13000d04d00e1cdbe7

Apologies for the revert, but I was too quick and dropped the last stable. I've now kept the last stable and dropped the other vulnerable versions.
https://gitweb.gentoo.org/repo/gentoo.git/commit/dev-db/phpmyadmin?id=2a9e195c3ec8bde5b3aa7d13000d04d00e1cdbe7
https://gitweb.gentoo.org/repo/gentoo.git/commit/dev-db/phpmyadmin?id=3f6197b0b73bf7182a32ecdb1eec5489fa28601d
https://gitweb.gentoo.org/repo/gentoo.git/commit/dev-db/phpmyadmin?id=1148c00d1dee62dd9939df5d9a6a432d623db50a

Arch teams, please add stable keywords.
Desired keywords: KEYWORDS="~alpha amd64 ~arm ~hppa ~ia64 ppc ppc64 sparc x86 ~ppc-macos ~x64-macos ~x86-macos"

amd64 stable

ppc stable

sparc stable

x86 stable

ppc64 stable.

Maintainer(s), please cleanup.
Security, please vote.

Resetting sanity check; package list is empty or all packages are done.

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d702e013bdd2e04a3f78e09c7b198d24b7e8e4ad

commit d702e013bdd2e04a3f78e09c7b198d24b7e8e4ad
Author: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
AuthorDate: 2020-04-15 23:55:49 +0000
Commit: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>
CommitDate: 2020-04-15 23:56:15 +0000

dev-db/phpmyadmin: Drop vulnerable release.

Bug: https://bugs.gentoo.org/714014
Bug: https://bugs.gentoo.org/715660
Bug: https://bugs.gentoo.org/717630
Package-Manager: Portage-2.3.96, Repoman-2.3.22
Signed-off-by: Jorge Manuel B. S. Vicetto (jmbsvicetto) <jmbsvicetto@gentoo.org>

dev-db/phpmyadmin/Manifest | 1 -
dev-db/phpmyadmin/phpmyadmin-4.9.2.ebuild | 61 -------------------------------
2 files changed, 62 deletions(-)