CVE-2019-18622 (https://nvd.nist.gov/vuln/detail/CVE-2019-18622): An issue was discovered in phpMyAdmin before 4.9.2. A crafted database/table name can be used to trigger an SQL injection attack through the designer feature.
we have 4.9.2 (unaffected) in the tree for ~2 days. commit b393a9bdd8e49c2a75c1760190fd864362b8532f Author: Miroslav Šulc <fordfrog@gentoo.org> Date: Sun Dec 1 19:37:04 2019 +0100 dev-db/phpmyadmin-4.9.2: bump Closes: https://bugs.gentoo.org/701672 Package-Manager: Portage-2.3.80, Repoman-2.3.19 Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org> it's security and bugfix release: https://www.phpmyadmin.net/news/2019/11/22/phpmyadmin-492-released/ i suppose it can go stable so archs please stabilize.
amd64 stable
x86 stable
ppc64 stable
sparc stable
ppc stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d6b3b97b42cb8014c6beb424a3d7e604e3e1f052 commit d6b3b97b42cb8014c6beb424a3d7e604e3e1f052 Author: Miroslav Šulc <fordfrog@gentoo.org> AuthorDate: 2019-12-10 11:02:51 +0000 Commit: Miroslav Šulc <fordfrog@gentoo.org> CommitDate: 2019-12-10 11:02:51 +0000 dev-db/phpmyadmin-4.9.1: removed old and vulnerable Bug: https://bugs.gentoo.org/701830 Package-Manager: Portage-2.3.81, Repoman-2.3.20 Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org> dev-db/phpmyadmin/Manifest | 1 - dev-db/phpmyadmin/phpmyadmin-4.9.1.ebuild | 61 ------------------------------- 2 files changed, 62 deletions(-)
New GLSA request filed.
This issue was resolved and addressed in GLSA 202003-39 at https://security.gentoo.org/glsa/202003-39 by GLSA coordinator Thomas Deutschmann (whissi).
