Bug 606972 - <dev-db/phpmyadmin-4.6.6: multiple vulnerabilities
Summary: <dev-db/phpmyadmin-4.6.6: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.phpmyadmin.net/news/2017/...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-01-24 01:25 UTC by Thomas Deutschmann (RETIRED)
Modified: 2017-06-17 20:50 UTC (History)

See Also:
Package list:
=dev-db/phpmyadmin-4.6.6 alpha amd64 hppa ppc ppc64 sparc x86
Runtime testing required: ---
stable-bot: sanity-check+


Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-24 01:25:01 UTC
phpMyAdmin 4.6.6, 4.4.15.10, and 4.0.10.19 are released

The phpMyAdmin project is pleased to announce the release of phpMyAdmin
versions 4.6.6 (including bug and security fixes), 4.4.15.10 (security
fixes), and 4.0.10.19 (security fixes). We recommend all users update
their phpMyAdmin installations.

There have been changes in the behavior since previous version:

 -  Changed the suggested text in the query window for delete queries to
    avoid accidental data loss

 -  Re-introduce a page which shows the output of phpinfo()

Aside from the changes and security improvements, many bugs have been fixed including:

 -  Parsing of SQL queries with the BINARY function

 -  Syntax error when adding or changing TIMESTAMP columns with default
    value as NULL

 -  Broken "Edit" and "Export" links in the Routines tab

 -  Creating a new user on older MariaDB servers

 -  Format button in the SQL tab broken

 -  Fixes for PHP 7.1

 -  Problems with MySQL servers running with lower_case_names=2

 -  Fixes for several PHP notices/warnings being shown

Please note that, as previously announced, the 4.4 branch is no longer
supported. This security release is planned as the final 4.4 release. See
the 4.4.15.10 release notes for more information.
Comment 1 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2017-01-26 21:49:54 UTC
21:42 < gentoovcs> jmbsvicetto → repo/gentoo (dev-db/phpmyadmin/) dev-db/phpmyadmin:  Security releases - 4.0.10.19, 4.4.15.10, 4.6.6 (PMASA-2017-{1-7}) - bug 606972.
21:42 < willikins> gentoovcs: https://bugs.gentoo.org/606972 "dev-db/phpmyadmin: multiple vulnerabilities"; Gentoo Security, Vulnerabilities; IN_P; whissi:security

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0b8991c824deb93164638bef8097efe94ed764a0

@arch teams: please mark stable dev-db/phpmyadmin-4.6.6

Requested KEYWORDS: "alpha amd64 hppa ppc ppc64 sparc x86"
Comment 2 Jorge Manuel B. S. Vicetto (RETIRED) Gentoo Infrastructure gentoo-dev 2017-01-26 21:51:56 UTC
To avoid any confusion, although by mistake I mentioned the 4.4.15.10 release, I did not add it to the tree - only to my overlay. My apologies for not "fixing" the commit message.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-26 22:04:08 UTC
PMASA-2017-1

It was possible to trick phpMyAdmin to redirect to insecure using special request path.

All 4.6.x versions (prior to 4.6.6), 4.4.x versions (prior to 4.4.15.10), and 4.0.x versions (prior to 4.0.10.19) are affected


PMASA-2017-2

The php-gettext library can suffer from code execution. However there is no way to trigger this inside phpMyAdmin.

phpMyAdmin is not vulnerable, we're just fixing a bug in the embedded library which can not be exploited within phpMyAdmin.


PMASA-2017-3

It was possible to trigger a recursive include operation by crafted parameters when editing table data.

All 4.6.x versions (prior to 4.6.6), 4.4.x versions (prior to 4.4.15.10), and 4.0.x versions (prior to 4.0.10.19) are affected.


PMASA-2017-4

It was possible to cause CSS injection in themes by crafted cookie parameters.

All 4.6.x versions (prior to 4.6.6), 4.4.x versions (prior to 4.4.15.10), and 4.0.x versions (prior to 4.0.10.19) are affected.


PMASA-2017-5

A vulnerability was found where, under some circumstances, an attacker can inject arbitrary values in the browser cookies. This was incompletely fixed in PMASA-2016-18.

All 4.6.x versions (prior to 4.6.6) are affected
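The affected-range statements in the comment above are easy to misread when a Gentoo revision suffix (-r1) or a four-component version such as 4.4.15.10 is involved. The following is an added example, not code from phpMyAdmin or from the Gentoo tree, that encodes exactly the fixed versions named above (PMASA-2017-1, -3 and -4 on all three branches, PMASA-2017-5 on 4.6 only; PMASA-2017-2 is left out because the comment states phpMyAdmin is not vulnerable, and PMASA-2017-6/7 are left out because this page gives no ranges for them) and reports whether an installed version string falls below them. The branch keys and the helper names are the example's own.

```python
"""Compare an installed phpMyAdmin version against the fixed versions listed
in PMASA-2017-1/3/4/5 (as quoted in this bug).  Added example; not the
project's or Gentoo's own code."""
import re

# Fixed version per release branch, taken from the advisory text above.
# PMASA-2017-5 affects only the 4.6 branch, so it gets its own table.
FIXED_ALL_BRANCHES = {"4.6": "4.6.6", "4.4": "4.4.15.10", "4.0": "4.0.10.19"}
FIXED_PMASA_2017_5 = {"4.6": "4.6.6"}

ADVISORIES = {
    "PMASA-2017-1": FIXED_ALL_BRANCHES,
    "PMASA-2017-3": FIXED_ALL_BRANCHES,
    "PMASA-2017-4": FIXED_ALL_BRANCHES,
    "PMASA-2017-5": FIXED_PMASA_2017_5,
}


def parse_version(text):
    """Turn '4.4.15.10' or a Gentoo '4.6.6-r1' into a tuple of ints.

    The Gentoo -rN revision is dropped on purpose: it marks an ebuild
    revision, not a different upstream release.
    """
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-r\d+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def affected(version, fixed_by_branch):
    """True if version is on a listed branch and older than its fix,
    False if on a listed branch and at/after the fix,
    None if the branch is not covered by the advisory at all."""
    parts = parse_version(version)
    branch = ".".join(str(p) for p in parts[:2])
    fixed = fixed_by_branch.get(branch)
    if fixed is None:
        return None
    # Tuple comparison handles mixed lengths: (4, 4, 15, 9) < (4, 4, 15, 10).
    return parts < parse_version(fixed)


def report(version):
    """Map each advisory to 'affected', 'fixed' or 'branch not covered'."""
    labels = {True: "affected", False: "fixed", None: "branch not covered"}
    return {adv: labels[affected(version, table)] for adv, table in ADVISORIES.items()}


if __name__ == "__main__":
    # Constructed inputs: the stabilised version from this bug and two older ones.
    for v in ("4.6.6", "4.6.5", "4.4.15.9", "4.0.10.19"):
        print(v, report(v))
```

On a Gentoo box the version string to feed in is the one from `equery list dev-db/phpmyadmin` (or the directory name under `/var/db/pkg/dev-db/`); anything below 4.6.6 on the 4.6 branch is what this bug asked the arch teams to replace.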
Comment 4 Agostino Sarubbo gentoo-dev 2017-01-27 09:02:26 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-01-27 09:07:37 UTC
x86 stable
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2017-01-27 13:24:35 UTC
Stable on alpha.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-29 10:37:05 UTC
Stable for HPPA PPC64.
Comment 8 Michael Weber (RETIRED) gentoo-dev 2017-02-08 17:14:32 UTC
ppc stable
Comment 9 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-09 10:26:13 UTC
GLSA Vote: No
Comment 10 Agostino Sarubbo gentoo-dev 2017-02-17 10:58:23 UTC
sparc stable.

Maintainer(s), please cleanup.
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-17 20:50:59 UTC
Repository is clean, all done.