Incoming details.
PMASA-2018-6
Announcement-ID: PMASA-2018-6
Date: 2018-12-07
Summary: Local file inclusion through transformation feature
Description: A flaw has been found where an attacker can exploit phpMyAdmin to leak the contents of a local file. The attacker must have access to the phpMyAdmin Configuration Storage tables, although these can easily be created in any database to which the attacker has access. An attacker must have valid credentials to log in to phpMyAdmin; this vulnerability does not allow an attacker to circumvent the login system.
Severity: We consider this vulnerability to be severe.
Affected Versions: phpMyAdmin versions from at least 4.0 through 4.8.3 are affected.
Solution: Upgrade to phpMyAdmin 4.8.4 or newer or apply the patch listed below.
References: This vulnerability was reported by Daniel Le Gall from SCRT.
Assigned CVE ids: CVE-2018-19968
CWE ids: CWE-661 CWE-98
Patches: The following commits have been made on the 4.8 branch to fix this issue: 6a1ba61e29002f0305a9322a8af4eaaeb11c0732
Source: https://www.phpmyadmin.net/security/PMASA-2018-6/

PMASA-2018-7
Announcement-ID: PMASA-2018-7
Date: 2018-12-07
Summary: XSRF/CSRF vulnerability in phpMyAdmin
Description: By deceiving a user to click on a crafted URL, it is possible to perform harmful SQL operations such as renaming databases, creating new tables/routines, deleting designer pages, adding/deleting users, updating user passwords, killing SQL processes, etc.
Severity: We consider this vulnerability to be of moderate severity.
Affected Versions: phpMyAdmin versions 4.7.0 through 4.7.6 and 4.8.0 through 4.8.3 are affected.
Solution: Upgrade to phpMyAdmin 4.8.4 or newer or apply the patch listed below.
References: Thanks to Daniel Le Gall from SCRT, Mustafa Hasan (@strukt93), SI9INT and Prasetia Ari for reporting this vulnerability.
Assigned CVE ids: CVE-2018-19969
CWE ids: CWE-661 CWE-352
Patches: The following commits have been made on the 4.8 branch to fix this issue:
Source: https://www.phpmyadmin.net/security/PMASA-2018-7/

PMASA-2018-8
Announcement-ID: PMASA-2018-8
Date: 2018-12-07
Summary: XSS vulnerability in navigation tree
Description: A Cross-Site Scripting vulnerability was found in the navigation tree, where an attacker can deliver a payload to a user through a specially-crafted database/table name.
Severity: We consider this attack to be of moderate severity.
Mitigation factor: The stored XSS vulnerabilities can be triggered only by someone who is logged in to phpMyAdmin, as the usual token protection prevents non-logged-in users from accessing the required forms.
Affected Versions: phpMyAdmin versions from at least 4.0 through 4.8.3 are affected.
Solution: Upgrade to phpMyAdmin 4.8.4 or newer or apply the patch listed below.
References: Thanks to YU-HSIANG HUANG (huang.yuhsiang.phone@gmail.com), YUNG-HAO TSENG, and Eddie TC CHANG for reporting this vulnerability.
Assigned CVE ids: CVE-2018-19970
CWE ids: CWE-661 CWE-79
Patches: The following commits have been made on the 4.8 branch to fix this issue: b293ff5f234ef493336ed8638f623a12164d359e
Source: https://www.phpmyadmin.net/security/PMASA-2018-8/
@arches, please stabilize.
amd64 stable
x86 stable
sparc stable
alpha stable
This issue was resolved and addressed in GLSA 201904-16 at https://security.gentoo.org/glsa/201904-16 by GLSA coordinator Aaron Bauman (b-man).
re-opened for final arches and cleanup.
Looking good on ppc64.
# cat phpmyadmin-672938.report
USE tests started on Mi 29. Mai 04:38:47 CEST 2019
FEATURES=' test' USE='' succeeded for =dev-db/phpmyadmin-4.8.5
USE='-setup -vhosts' succeeded for =dev-db/phpmyadmin-4.8.5
USE='setup -vhosts' succeeded for =dev-db/phpmyadmin-4.8.5
USE='-setup vhosts' succeeded for =dev-db/phpmyadmin-4.8.5
USE='setup vhosts' succeeded for =dev-db/phpmyadmin-4.8.5
Looking good on ppc.
# cat phpmyadmin-672938.report
USE tests started on Mi 29. Mai 15:05:41 CEST 2019
FEATURES=' test' USE='' succeeded for =dev-db/phpmyadmin-4.8.5
USE='-setup -vhosts' succeeded for =dev-db/phpmyadmin-4.8.5
USE='setup -vhosts' succeeded for =dev-db/phpmyadmin-4.8.5
USE='-setup vhosts' succeeded for =dev-db/phpmyadmin-4.8.5
USE='setup vhosts' succeeded for =dev-db/phpmyadmin-4.8.5
ppc64 stable
ppc stable. Maintainer(s), please cleanup.
afaics the oldest is currently 4.8.5, so the tree does not contain any affected version.
Added to an existing GLSA.
Forget previous comment, GLSA for this vulnerability was already released, see comment #7. Repository is clean, all done.