Updated phpmyadmin packages fix security vulnerabilities
Publication date: 26 Nov 2014
Modification date: 26 Nov 2014
Type: security
Affected Mageia releases: 3, 4
CVE: CVE-2014-8958, CVE-2014-8959, CVE-2014-8960, CVE-2014-8961
Description
Updated phpmyadmin package fixes security vulnerabilities:

In phpMyAdmin before 4.1.14.7, with a crafted database, table or column name it is possible to trigger an XSS attack in the table browse page, with a crafted ENUM value it is possible to trigger XSS attacks in the table print view and zoom search pages, and with a crafted value for font size it is possible to trigger an XSS attack in the home page (CVE-2014-8958).

In phpMyAdmin before 4.1.14.7, in the GIS editor feature, a parameter specifying the geometry type was not correctly validated, opening the door to a local file inclusion attack (CVE-2014-8959).

In phpMyAdmin before 4.1.14.7, with a crafted file name it is possible to trigger an XSS in the error reporting page (CVE-2014-8960).

In phpMyAdmin before 4.1.14.7, in the error reporting feature, a parameter specifying the file was not correctly validated, allowing the attacker to derive the line count of an arbitrary file (CVE-2014-8961).
References
- https://bugs.mageia.org/show_bug.cgi?id=14637
- http://www.phpmyadmin.net/home_page/security/PMASA-2014-13.php
- http://www.phpmyadmin.net/home_page/security/PMASA-2014-14.php
- http://www.phpmyadmin.net/home_page/security/PMASA-2014-15.php
- http://www.phpmyadmin.net/home_page/security/PMASA-2014-16.php
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8958
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8959
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8960
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8961
SRPMS
4/core
- phpmyadmin-4.1.14.7-1.mga4
3/core
- phpmyadmin-4.1.14.7-1.mga3