[v3.0] phpmyadmin: multiple issues (CVE-2014-5273 CVE-2014-5274)
CVE-2014-5273:
With a crafted database, table or primary/unique key column name it is
possible to trigger an XSS when dropping a row from the table. With a
crafted column name it is possible to trigger an XSS in the ENUM editor
dialog. With a crafted variable name or a crafted value for the unit field
it is possible to trigger a self-XSS when adding a new chart in the
monitor page. With a crafted value for the x-axis label it is possible to
trigger a self-XSS in the query chart page. With a crafted relation name
it is possible to trigger an XSS in the table relations page.
Affected Versions: 4.0.x (prior to 4.0.10.2), 4.1.x (prior to 4.1.14.3) and 4.2.x (prior to 4.2.7.1) are affected.
Solution: upgrade to phpMyAdmin 4.0.10.2 or newer, or 4.1.14.3 or newer,
or 4.2.7.1 or newer, or apply the patches listed here:
http://www.phpmyadmin.net/home_page/security/PMASA-2014-8.php
CVE-2014-5274:
With a crafted view name it is possible to trigger an XSS when dropping
the view in the view operation page.
Affected Versions: 4.1.x (prior to 4.1.14.3) and 4.2.x (prior to 4.2.7.1) are affected.
Solution: upgrade to phpMyAdmin 4.1.14.3 or newer, or 4.2.7.1 or newer,
or apply the patch listed here:
http://www.phpmyadmin.net/home_page/security/PMASA-2014-9.php
Summary:
Alpine Linux v2.6: phpmyadmin should be upgraded to 4.0.10.2
Alpine Linux v2.7: phpmyadmin should be upgraded to 4.0.10.2
Alpine Linux v3.0: phpmyadmin should be upgraded to 4.2.7.1
(from redmine: issue id 3338, created on 2014-08-27, closed on 2014-09-05)
- Relations:
  - parent #3335 (closed)
- Changesets:
  - Revision 47f59c28 by Natanael Copa on 2014-09-03T15:05:24Z:
    main/phpmyadmin: security upgrade to 4.2.8 (CVE-2014-5274)
    fixes #3338