Bug 549540 (CVE-2015-3902) - <dev-db/phpmyadmin-{4.0.10.10,4.2.13.3,4.3.13.1,4.4.6.1}: multiple vulnerabilities (CVE-2015-{3902,3903})
Status: RESOLVED FIXED
Alias: CVE-2015-3902
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Reported: 2015-05-15 10:28 UTC by Agostino Sarubbo
Modified: 2015-07-23 17:40 UTC
Description Agostino Sarubbo gentoo-dev 2015-05-15 10:28:20 UTC
From http://www.phpmyadmin.net/home_page/security/PMASA-2015-2.php:

PMASA-2015-2

Announcement-ID: PMASA-2015-2

Date: 2015-05-13

Summary

XSRF/CSRF vulnerability in phpMyAdmin setup.

Description

By deceiving a user into clicking on a crafted URL, it is possible to alter the configuration file being generated with phpMyAdmin setup.

Severity

We consider this vulnerability to be non critical.

Mitigation factor

This vulnerability only affects the configuration file generation process and does not affect the effective configuration file. Moreover, the configuration file being generated is at risk only during the period when it's writable.

Affected Versions

Versions 4.0.x (prior to 4.0.10.10), 4.2.x (prior to 4.2.13.3), 4.3.x (prior to 4.3.13.1) and 4.4.x (prior to 4.4.6.1) are affected.

Solution

Upgrade to phpMyAdmin 4.0.10.10 or newer, or 4.2.13.3 or newer, or 4.3.13.1 or newer, or 4.4.6.1 or newer, or apply the patch listed below.

References

Thanks to Inti De Ceukelaire (http://ceukelai.re) for reporting this vulnerability.

Assigned CVE ids: CVE-2015-3902

CWE ids: CWE-661 CWE-352

Patches

The following commits have been made to fix this issue:

ee92eb9bab8e2d546756c1d4aec81ec7c8e44b83

The following commits have been made on the 4.3 branch to fix this issue:

9817bd4030de949ba9ce4cd1b3f047e22d8f66bd

The following commits have been made on the 4.2 branch to fix this issue:

c903ecf6751684b6af2d079c78b1f0d09ea2bd47

The following commits have been made on the 4.0 branch to fix this issue:

fea1d39fef540afa4105c6fbcc849f7e516f3da8



From http://www.phpmyadmin.net/home_page/security/PMASA-2015-3.php:

PMASA-2015-3

Announcement-ID: PMASA-2015-3

Date: 2015-05-13

Summary

Vulnerability allowing man-in-the-middle attack on API call to GitHub.

Description

A vulnerability in the API call to GitHub can be exploited to perform a man-in-the-middle attack.

Severity

We consider this vulnerability to be serious.

Affected Versions

Versions 4.0.x (prior to 4.0.10.10), 4.2.x (prior to 4.2.13.3), 4.3.x (prior to 4.3.13.1) and 4.4.x (prior to 4.4.6.1) are affected.

Solution

Upgrade to phpMyAdmin 4.0.10.10 or newer, or 4.2.13.3 or newer, or 4.3.13.1 or newer, or 4.4.6.1 or newer, or apply the patch listed below.

References

Thanks to Maksymilian Arciemowicz of http://cxsecurity.com for reporting this vulnerability.

Assigned CVE ids: CVE-2015-3903

CWE ids: CWE-661 CWE-295

Patches

The following commits have been made to fix this issue:

5ebc4daf131dd3bd646326267f3e765d0249bbb4

The following commits have been made on the 4.3 branch to fix this issue:

75499e790429c491840a0ad31d4de84aca215d23

The following commits have been made on the 4.2 branch to fix this issue:

0e18931d9e4b23053285b6fddf3493ca426ff684

The following commits have been made on the 4.0 branch to fix this issue:

e97e7fb0ea2dedfaa95c7dbe872027fb4bd4204c



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2015-05-16 02:43:06 UTC
02:40 < gentoovcs> jmbsvicetto → gentoo-x86 (dev-db/phpmyadmin/) Bump phpmyadmin to releases 4.0.10.10, 4.2.13.3, 4.3.13.1 and 4.4.6.1. This bump addresses PMASA-2015-{2,3} and fixes bug 549540. Drop old versions and 4.1 series.
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2015-06-06 14:08:45 UTC
Maintainer(s), please advise when you are ready for stabilization or call for stabilization yourself.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2015-06-06 14:13:25 UTC
CVE-2015-3903 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3903):
  libraries/Config.class.php in phpMyAdmin 4.0.x before 4.0.10.10, 4.2.x
  before 4.2.13.3, 4.3.x before 4.3.13.1, and 4.4.x before 4.4.6.1 disables
  X.509 certificate verification for GitHub API calls over SSL, which allows
  man-in-the-middle attackers to spoof servers and obtain sensitive
  information via a crafted certificate.

CVE-2015-3902 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3902):
  Multiple cross-site request forgery (CSRF) vulnerabilities in the setup
  process in phpMyAdmin 4.0.x before 4.0.10.10, 4.2.x before 4.2.13.3, 4.3.x
  before 4.3.13.1, and 4.4.x before 4.4.6.1 allow remote attackers to hijack
  the authentication of administrators for requests that modify the
  configuration file.
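
An audit check for the class of defect the CVE-2015-3903 entry above describes, added here as an example and not part of the bug report or of phpMyAdmin's code: it scans PHP source for settings that turn off certificate or host name verification. It assumes the PHP cURL options and stream-context keys are where verification gets disabled; the function name and the sample input are constructed for illustration.

```python
import re

# Values that weaken TLS checks in PHP cURL options. CURLOPT_SSL_VERIFYPEER must
# stay true and CURLOPT_SSL_VERIFYHOST must stay 2 (true is cast to 1, which
# does not enforce a host name match).
WEAK_CURL_VALUES = {
    "CURLOPT_SSL_VERIFYPEER": {"false", "0"},
    "CURLOPT_SSL_VERIFYHOST": {"false", "0", "1", "true"},
}
# Matches both curl_setopt($ch, OPT, value) and curl_setopt_array([OPT => value]).
CURL_RE = re.compile(r"\b(CURLOPT_SSL_VERIFY(?:PEER|HOST))\s*(?:,|=>)\s*([A-Za-z0-9_]+)")
# Stream-context equivalents: 'verify_peer' => false, 'verify_peer_name' => false.
STREAM_RE = re.compile(r"""['"](verify_peer(?:_name)?)['"]\s*=>\s*(false|0)\b""", re.I)


def find_disabled_verification(php_source):
    """Return (line_number, option, value) for each setting that weakens TLS checks."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), start=1):
        # Skip whole-line comments; trailing comments are left in (simple line scan).
        if line.lstrip().startswith(("//", "#", "*", "/*")):
            continue
        for option, value in CURL_RE.findall(line):
            if value.lower() in WEAK_CURL_VALUES[option]:
                findings.append((lineno, option, value.lower()))
        for option, value in STREAM_RE.findall(line):
            findings.append((lineno, option.lower(), value.lower()))
    return findings


# Constructed sample input (not phpMyAdmin code).
SAMPLE_PHP = """<?php
// constructed sample
$ch = curl_init('https://api.example.test/');
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
// curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
$ctx = stream_context_create(['ssl' => ['verify_peer' => false]]);
curl_setopt_array($ch, [CURLOPT_SSL_VERIFYHOST => 1]);
"""

if __name__ == "__main__":
    for lineno, option, value in find_disabled_verification(SAMPLE_PHP):
        print(f"line {lineno}: {option} set to {value}")
```

Values passed through variables or constants are not resolved by this line scan, so a clean result narrows the review rather than replacing it.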
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2015-07-16 12:17:20 UTC
Ping on stabilization? It has been 30+ days in tree.
Are we ready for stabilization?
Comment 5 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2015-07-17 00:42:17 UTC
(In reply to Yury German from comment #4)
> Ping on stabilization? It has been 30+ days in tree.
> Are we ready for stabilization?

I forgot about this bug.
Please move forward with the stabilization.

TARGET_KEYWORDS="alpha amd64 hppa ~ia64 ppc ppc64 sparc x86 ~x86-fbsd ~ppc-macos ~x64-macos ~x86-macos"

Please add stable keywords to:

=dev-db/phpmyadmin-4.3.13.1
=dev-db/phpmyadmin-4.4.6.1
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2015-07-17 05:15:56 UTC
Stable for PPC64.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2015-07-17 06:04:51 UTC
Stable for HPPA.
Comment 8 Agostino Sarubbo gentoo-dev 2015-07-17 07:41:42 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-07-17 07:41:57 UTC
x86 stable
Comment 10 Tobias Klausmann (RETIRED) gentoo-dev 2015-07-17 16:42:32 UTC
Stable on alpha.
Comment 11 Agostino Sarubbo gentoo-dev 2015-07-23 09:03:55 UTC
ppc stable
Comment 12 Agostino Sarubbo gentoo-dev 2015-07-23 09:37:29 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 13 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2015-07-23 17:11:11 UTC
(In reply to Agostino Sarubbo from comment #12)
> Maintainer(s), please cleanup.

17:10 < gentoovcs> jmbsvicetto → gentoo-x86 (dev-db/phpmyadmin/) Drop vulnerable version - bug 549540.

Done.
Comment 14 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-07-23 17:12:17 UTC
GLSA vote: no.
Comment 15 Yury German Gentoo Infrastructure gentoo-dev 2015-07-23 17:40:41 UTC
GLSA Vote: No
Thank you all. Closing as noglsa.