stable
FEDORA-2022-3544c7d20e created by remi 11 months ago for Fedora 34

Version 5.1.2

A flaw was identified in how phpMyAdmin processes two-factor authentication; a user could potentially manipulate their account to bypass two-factor authentication in subsequent authentication sessions (PMASA-2022-1).

A series of weaknesses was identified allowing a malicious user to submit malicious information to present an XSS or HTML injection attack in the graphical setup page (PMASA-2022-2).

Changelog:

  • issue Replaced MySQL documentation redirected links
  • issue #16960 Fix JS error on Designer visual builder on some modal buttons
  • issue Re-build openlayers JS dependency from the source files and provide a smaller JS bundle
  • issue Fixed imports and theme detection depending on the current working dir
  • issue Update JavaScript dependencies
  • issue #16935 Remove hardcoded row length for "$cfg['CharTextareaRows']" to allow back values < 7
  • issue #16977 Fix encoding of enum and set values on edit value
  • issue Fix set value as selected when it has special chars on edit value enum
  • issue #16896 Fix distinct URLs broken on nullable text fields
  • issue Fixed two possible PHP errors using INT data
  • issue Fixed possible warning "Undefined index: output_format" on export
  • issue Fixed warning "Undefined index: ods_recognize_percentages" on Import ODS
  • issue Fixed warning "Undefined array key "ods_recognize_currency" on Import ODS
  • issue #16982 Fixed "Notice: Undefined index: foreign_keys_data" on Designer remove relation
  • issue Backquote phpMyAdmin table name on internal relation delete query for Designer
  • issue #16982 Do not try to delete internal relations if they are not configured
  • issue #16982 Show success messages on Designer for add and remove relation operations
  • issue Fixed possible "Undefined index: clause_is_unique" on replace value in cell
  • issue #16991 Fixed case where $_SERVER['REQUEST_METHOD'] is undefined
  • issue Fixed configuration error handler registration
  • issue #16997 Fixed server variables get/set value not working on multi server server > 1
  • issue #16998 Fixed Multi table query submit on server > 1 logged out user
  • issue #17000 Fixed Multi edit on central columns on server > 1 logged out user
  • issue #17001 Fix PHP error on query submit without a table name on multi table query box
  • issue #16999 Fixed multi table query results shows for 1 sec and then page refreshes
  • issue Fixed a non translated button text on central columns add
  • issue Fixed table width on Query by example page for large screens
  • issue #16975 Fixed NULL default had a value on insert with datetime fields
  • issue #16994 Fixed missing privilege escaping when assigning multiple databases with '_' to a user
  • issue #16864 Fixed the margin on the last database of the tree on all themes when scrollbars are displayed
  • issue #17011 Fixed the database tree line that was not continuous on database groups
  • issue Build more syntax correct URLs on JS internal redirects
  • issue #16976 Fix wrong link when a table is moved from a database to another
  • issue #16985 Fix case-sensitive issue of innodb_file_format=barracuda vs innodb_file_format=Barracuda
  • issue Fixed duplicate quote in navigation nodes
  • issue #17006 Disable the URL limit for the MariaDB analyser feature
  • issue Fix calls to fetchRow using two parameters but the function has only one parameter
  • issue #17020 Fixed "Notice Undefined index: sql_query" on Insert page
  • issue Fix reported "Undefined index: FirstDayOfCalendar"
  • issue Fix reported "Undefined index: environment"
  • issue Fix "TypeError: strlen() expects parameter 1 to be string, null given" on databases listing
  • issue #16973 Fix "Undefined array key "n0_pos2_name"" on databases listing
  • issue Use the correct min MySQL version for axis-order (8.0.1) instead of (8.0.11)
  • issue Use the queries we asked the user confirmation for on DELETE and TRUNCATE table actions
  • issue #16994 Fixed editing specific privileges for a database covered by a wildcard privilege
  • issue #16994 Fixed escaping of the database name for databases containing '_' on users edit
  • issue #16994 Only escape once on grant/revoke privileges for databases containing '_' or '%'
  • issue #16994 Only show databases without a privilege on multi select for user grant databases
  • issue Removed unexpected query success message from the Table export page
  • issue #17026 Handle possible invalid boolean values injected in SaveDir or UploadDir causing "TypeError: mb_substr()"
  • issue #16981 Enable cookie parameter "SameSite" on "phpMyAdmin" cookie for PHP >= 7.3
  • issue #16966 Encode "#" to have the anchor part of the destination URL on SQL highlight terms URLs
  • issue #17004 Fix PHP errors due to removed variable "innodb_file_format" on MariaDB >= 10.6.0 and MySQL >= 8.0.0
  • issue #16842 Fixed missing password modes on PerconaDB
  • issue #16947 Fix "Change login information" form not working
  • issue #17004 Fix Advisor for MariaDB >= 10.5 because of removed "innodb_log_files_in_group" variable
  • issue #17037 Fix change structure does not surface errors
  • issue #17016 Fixed online Transaction, errors not reported on structure edit
  • issue #17042 Fix SQL escaping bug on DB name with special chars on submit query with rollback option
  • issue #17027 Better handle the display of sorted binary columns in results summary
  • issue #16398 Quote non numeric values on parameterized queries
  • issue Fixed duplicate HTML escaping on foreign keys select value modal
  • issue #15370 Fixed edit routine UI incorrectly removes too many escape slashes
  • issue #14631 Fix enum with comma produces incorrect search dropdown on search pages
  • issue Fix gis visualization position and limit parameters have no effect
  • issue #16995 Fix edit binary foreign key adds a 1 to the value on the selected value
  • issue #13614 Fixed escaping the database names when granting privileges on tables
  • issue #11834 Fixed adding a new user on "privileges" tab of a table with a database name using a "_" character
  • issue #17033 Fixed scaling of line width and point size in GIS visualization
  • issue #17054 Removed "DEL" character from generated random strings for Blowfish secret auto-generated by setup
  • issue #17019 Fixed "Browse" button visible when creating a table from the database structure view
  • issue #16804 Fixed numbers were left-aligned rather than right-aligned
  • issue Fixed Metro theme text color for buttons in the browse table navigation bar
  • issue #14796 Fix export Database page, UI prevents from exporting procedures only
  • issue #15225 Fix Command+click on macOS opens links in same tab
  • issue #17014 Fix column names in first row when importing from CSV where the first line contains column names
  • issue Fix prevent scrolling the page when scrolling in GIS visualization
  • issue Fix GIS visualization save file with a different label or column
  • issue Fixed GIS saving image as png with a label
  • issue Fixed if label is just the number zero, it was treated as no label in the OpenLayers map
  • issue #17039 Fix unable to have 2FA working with a "pmadb" config value != phpmyadmin
  • issue #17079 Fixed missing spatial functions in Insert/Edit page
  • issue Fixed broken docs link after a FK data type mismatch error
  • issue Fix don't add multiple OpenLayers maps, remove listeners on dispose on GIS visualization
  • issue #14502 Uncheck the "ignore" checkbox when the user chooses a value in the foreign key list on Insert page
  • issue #14502 Uncheck the "ignore" checkbox when the user saves the GIS value on Insert page
  • issue #17018 Fixed cannot save data from GIS editor for spatial column on Insert page
  • issue #17084 Fixed ErrorHandler not showing errors when phpMyAdmin session does not work at all
  • issue #17062 Fixed pagination issues when working with identically named tables in separate databases
  • issue #17046 Fix "Uncaught TypeError: htmlspecialchars() expects parameter 1 to be string, null given"
  • issue #16942 Fix table Import with CSV using LOAD DATA LOCAL causes error "LOAD DATA LOCAL INFILE is forbidden"
  • issue #16942 Fix auto-detection for "LOAD DATA LOCAL INFILE" LOCAL option
  • issue #16067 Make select elements with multiple items resizable
  • issue Fix the display of Indexes that use Expressions and not column names
  • issue Allow to create the phpMyAdmin storage database using a different name than "phpmyadmin" using the interface
  • issue #17092 Document that "$cfg['Servers'][$i]['designer_coords']" was removed in version 4.3.0
  • issue #16906 Support special table names for pmadb storage table names
  • issue #16906 Fix a caching effect on the feature list after creating the tables
  • issue #16906 Better report errors when creating the pmadb or its tables
  • issue #16906 Create the pmadb tables using the names configured and not the default names
  • issue #16906 Create the phpMyAdmin storage database using the configured "['pmadb']" name and not always "phpmyadmin"
  • issue #16906 Prevent incorrect overriding of configured values after a pmadb fix
  • issue #16906 Use the control connection to create the storage database and tables and not the user connection
  • issue #16693 Fix can't see SQL after adding a new column
  • issue #12753 Show table structure after adding a new column
  • issue Fix a PHP notice when logging out
  • issue #17090 Fix bbcode not rendered for error messages on setup
  • issue #17198 Fix the database selection when the navigation tree is disabled
  • issue #17228 Fixed copy to clipboard with NULL values gives non usable text
  • issue #16746 Replace samyoul/u2f-php-server by code-lts/u2f-php-server
  • issue #16005 Performance improvement on the Import and Export pages
  • issue #17247 Fix triple HTML encoding
  • issue #17259 Fix broken link in the Simulate DML query modal
  • issue #16746 Update tcpdf dependency to ^6.4.4 for PHP 8.1 compatibility
  • issue #16746 Update twig dependency to "^2.14.9 || ^3.3.5" for PHP 8.1 compatibility
  • issue [security] Add configuration directive $cfg['Servers'][$i]['hide_connection_errors'] to allow hiding host names and other error details when login fails
  • issue [security] Add configuration directive $cfg['URLQueryEncryption'] to allow encrypting sensitive information in the URL
  • issue [security] Fix a scenario where an authenticated user can disable two-factor authentication (PMASA-2022-1)
  • issue [security] Fix XSS and HTML injection attacks in the graphical setup page (PMASA-2022-2)

Packaging changes:

  • the package now provides all dependencies bundled.

How to install

sudo dnf upgrade --refresh --advisory=FEDORA-2022-3544c7d20e

This update has been submitted for testing by remi. (11 months ago)

This update's test gating status has been changed to 'ignored'. (11 months ago)

This update has been pushed to testing. (11 months ago)

remi edited this update. (11 months ago)

This update has been submitted for stable by bodhi. (10 months ago)

This update has been pushed to stable. (10 months ago)


Metadata

Type: security
Severity: medium
Karma: 0
Signed
Content Type: RPM

Test Gating

Settings

Unstable by Karma: -3
Stable by Karma: 3
Stable by Time: 7 days

Dates

submitted: 11 months ago
in testing: 11 months ago
in stable: 10 months ago
modified: 11 months ago
BZ#2045578 CVE-2022-23807 phpMyAdmin: two-factor authentication bypass
BZ#2045579 CVE-2022-23807 phpMyAdmin: two-factor authentication bypass [fedora-all]
BZ#2045582 CVE-2022-23808 phpMyAdmin: multiple XSS and HTML injection attacks in setup script
BZ#2045583 CVE-2022-23808 phpMyAdmin: multiple XSS and HTML injection attacks in setup script [fedora-all]