Your message dated Mon, 30 Mar 2020 21:32:41 +0000
with message-id <[email protected]>
and subject line Bug#948718: fixed in phpmyadmin 4:4.6.6-4+deb9u1
has caused the Debian Bug report #948718,
regarding phpmyadmin: CVE-2020-5504
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
948718: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948718
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: phpmyadmin
Version: 4:4.9.2+dfsg1-1
Severity: important
Tags: security upstream
Control: found -1 4:4.6.6-4
Hi,
The following vulnerability was published for phpmyadmin.
CVE-2020-5504[0]:
| In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists
| in the user accounts page. A malicious user could inject custom SQL in
| place of their own username when creating queries to this page. An
| attacker must have a valid MySQL account to access the server.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2020-5504
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5504
[1] https://www.phpmyadmin.net/security/PMASA-2020-1/
[2] https://github.com/phpmyadmin/phpmyadmin/commit/c86acbf3ed49f69cf38b31879886dd5eb86b6983
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
--- Begin Message ---
Source: phpmyadmin
Source-Version: 4:4.6.6-4+deb9u1
Done: William Desportes <[email protected]>
We believe that the bug you reported is fixed in the latest version of
phpmyadmin, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
William Desportes <[email protected]> (supplier of updated phpmyadmin package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sun, 22 Mar 2020 17:07:57 +0100
Source: phpmyadmin
Binary: phpmyadmin
Architecture: source all
Version: 4:4.6.6-4+deb9u1
Distribution: stretch
Urgency: high
Maintainer: Thijs Kinkhorst <[email protected]>
Changed-By: William Desportes <[email protected]>
Description:
phpmyadmin - MySQL web administration tool
Closes: 893539 920822 920823 930017 930048 948718 954665 954666 954667
Changes:
phpmyadmin (4:4.6.6-4+deb9u1) stretch; urgency=high
.
* Team upload
* Several security fixes
- Cross-site scripting (XSS) vulnerability in db_central_columns.php
(PMASA-2018-1, CVE-2018-7260, Closes: #893539)
- Remove transformation plugin includes
(PMASA-2018-6, CVE-2018-19968)
- Fix Stored Cross-Site Scripting (XSS) in navigation tree
(PMASA-2018-8, CVE-2018-19970)
- Fix information leak (arbitrary file read) using SQL queries
(PMASA-2019-1, CVE-2019-6799, Closes: #920823)
- a specially crafted username can be used to trigger a SQL injection attack
(PMASA-2019-2, CVE-2019-6798, Closes: #920822)
- SQL injection in Designer feature
(PMASA-2019-3, CVE-2019-11768, Closes: #930048)
- CSRF vulnerability in login form
(PMASA-2019-4, CVE-2019-12616, Closes: #930017)
- SQL injection, escape username in the query
(PMASA-2020-1, CVE-2020-5504, Closes: #948718)
- Add a patch to escape some parameters when changing passwords
(PMASA-2020-2, CVE-2020-10804, Closes: #954667)
- Add a patch to escape database and table name
(PMASA-2020-3, CVE-2020-10802, Closes: #954665)
- Add a patch to secure sql_query parameter
(PMASA-2020-4, CVE-2020-10803, Closes: #954666)
Checksums-Sha1:
54a3b9e872405f242fef531860ee1f01e7a425fb 2123 phpmyadmin_4.6.6-4+deb9u1.dsc
5314655baf12ad47bdc42a2ebcfc2b10995ce7a5 6147904 phpmyadmin_4.6.6.orig.tar.xz
a3ce0bc62874cffd398433de9f99f104a59e17e6 87276 phpmyadmin_4.6.6-4+deb9u1.debian.tar.xz
192e2dd05c635f39f43ea79455ca78c91a8fa640 3910736 phpmyadmin_4.6.6-4+deb9u1_all.deb
50c2fe65d0c84eb6843b7399e6a4c01185d26818 8729 phpmyadmin_4.6.6-4+deb9u1_amd64.buildinfo
Checksums-Sha256:
2568bc474f94dd88a8f1082d83d814a126c507e15f41efaaa0f0c4d3a6e7f8ba 2123 phpmyadmin_4.6.6-4+deb9u1.dsc
b7b9e0f88ca740fcba249e7e3e7d51d1923b038b7742cde72de193a2b0a2654f 6147904 phpmyadmin_4.6.6.orig.tar.xz
a877680d4d10b8500bc5f2acdd8cafcfeed23ed8d5208af96e3e88b623a39f1e 87276 phpmyadmin_4.6.6-4+deb9u1.debian.tar.xz
5db49a41af864dccea7d8926954dce8c4e4e192bd644a04b216d4f4a3a732556 3910736 phpmyadmin_4.6.6-4+deb9u1_all.deb
d04c07e72132473eb24fc9b8c18d685399298cd448cef42b60cd2cc81f0697e5 8729 phpmyadmin_4.6.6-4+deb9u1_amd64.buildinfo
Files:
3cd01d47875eb49cced10d2ce5463bc1 2123 web extra phpmyadmin_4.6.6-4+deb9u1.dsc
474af1974cadf7f0300d80a63acc14d2 6147904 web extra phpmyadmin_4.6.6.orig.tar.xz
87e5839b15cfa663adabadcf997814d7 87276 web extra phpmyadmin_4.6.6-4+deb9u1.debian.tar.xz
61eff9b435e1c72a8d215f1f8ea811cc 3910736 web extra phpmyadmin_4.6.6-4+deb9u1_all.deb
d0601ed689d8ecfc16972743db788114 8729 web extra phpmyadmin_4.6.6-4+deb9u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
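The defect class described in the bug report above (CVE-2020-5504: the caller's own MySQL username spliced into a query on the user accounts page) and closed by the "SQL injection, escape username in the query" changelog entry, as an added example that is not part of this thread or of phpMyAdmin's code. It uses an in-memory SQLite table as a stand-in for the configuration-storage user table; the table name pma_users, the column names, the sample accounts and the attacker's username are constructed for the example, and the escaping helper models the effect of the upstream fix rather than reproducing its code. The vulnerable lookup leaks every row through a UNION carried in the username; the escaped and the parameterised lookups return only the attacker's own row.

```python
import sqlite3

# Constructed sample data: a stand-in for phpMyAdmin's configuration-storage
# user table. Table and column names are hypothetical, not phpMyAdmin's.
# The attacker controls only their own MySQL account name; MySQL allows a
# quote character in a user name, so the payload can live in the username.
ATTACKER_USERNAME = (
    "mallory' UNION SELECT username || ':' || usergroup "
    "FROM pma_users WHERE '1'='1"
)

SAMPLE_USERS = [
    ("alice", "admins"),
    ("bob", "readers"),
    (ATTACKER_USERNAME, "users"),
]


def make_db():
    """In-memory SQLite database holding the constructed user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pma_users (username TEXT, usergroup TEXT)")
    conn.executemany("INSERT INTO pma_users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def usergroups_vulnerable(conn, username):
    """Pre-fix shape: the username is concatenated into the SQL text, so a
    quote in it ends the string literal and the remainder runs as SQL."""
    sql = "SELECT usergroup FROM pma_users WHERE username = '" + username + "'"
    return sorted(row[0] for row in conn.execute(sql))


def escape_sql_string(value):
    """Quote doubling, the standard-SQL way to keep a value inside a literal.
    Models the effect of the upstream fix ("escape username in the query");
    it is not phpMyAdmin's code. Against MySQL use the driver's escaping
    (mysqli_real_escape_string in PHP), because MySQL also treats backslash
    as an escape character and sql_mode changes the rules."""
    return value.replace("'", "''")


def usergroups_escaped(conn, username):
    """Post-fix shape: same query text, username escaped before splicing."""
    sql = ("SELECT usergroup FROM pma_users WHERE username = '"
           + escape_sql_string(username) + "'")
    return sorted(row[0] for row in conn.execute(sql))


def usergroups_parameterised(conn, username):
    """The general fix: bind the value, so the query text never contains it."""
    cur = conn.execute(
        "SELECT usergroup FROM pma_users WHERE username = ?", (username,))
    return sorted(row[0] for row in cur)


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable   :", usergroups_vulnerable(conn, ATTACKER_USERNAME))
    print("escaped      :", usergroups_escaped(conn, ATTACKER_USERNAME))
    print("parameterised:", usergroups_parameterised(conn, ATTACKER_USERNAME))
```

Running it shows the vulnerable lookup returning `alice:admins` and `bob:readers` alongside the attacker's own row, while the escaped and parameterised lookups both return only `users`. Escaping is what the Debian update applies to the existing query text; binding the value is the form to prefer in new code, since it does not depend on getting the escaping rules of the target server right.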