Bug 1177561 - (CVE-2020-26934) VUL-0: CVE-2020-26934: phpMyAdmin: XSS relating to the transformation feature
Status: RESOLVED FIXED
Classification: openSUSE
Product: openSUSE Distribution
Component: Security
Version: Leap 15.2
Hardware/OS: Other Other
Importance: P3 - Medium, Normal
Target Milestone: ---
Assigned To: Eric Schirra
QA Contact: Security Team bot
Depends on:
Blocks:
Reported: 2020-10-11 20:09 UTC by Andreas Stieger
Modified: 2020-11-01 17:17 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Andreas Stieger 2020-10-11 20:09:20 UTC
A vulnerability was discovered where an attacker can cause an XSS attack through the transformation feature.

If an attacker sends a crafted link to the victim with the malicious JavaScript, when the victim clicks on the link, the JavaScript will run and complete the instructions made by the attacker.

References:
https://www.phpmyadmin.net/security/PMASA-2020-5/
https://github.com/phpmyadmin/phpmyadmin/commit/19df63b0365621427697edc185ff7c9c5707c523
Comment 1 Eric Schirra 2020-10-12 07:02:12 UTC
Maintenance request is done.
Comment 2 Andreas Stieger 2020-10-12 07:24:21 UTC
You included in SR#841140 the changes from bug 1092345, which we excluded from the previous update. Are you sure that this is suitable for a maintenance update?
Comment 3 OBSbugzilla Bot 2020-10-12 07:30:18 UTC
This is an autogenerated message for OBS integration:
This bug (1177561) was mentioned in
https://build.opensuse.org/request/show/841140 15.1+15.2+Backports:SLE-12+Backports:SLE-15-SP1+Backports:SLE-15-SP2 / phpMyAdmin
Comment 4 Eric Schirra 2020-10-12 07:45:48 UTC
(In reply to Andreas Stieger from comment #2)
> You included in SR#841140 the changes from bug 1092345, which we excluded
> from the previous update. Are you sure that this is suitable for a
> maintenance update?

SR#841140 is the request for Tumbleweed _before_ this Bugzilla entry.
This is the request for maintained projects _after_ this bug entry.
Comment 5 Andreas Stieger 2020-10-12 08:11:34 UTC
I don't think you understand. You submitted the devel package changes (that will go into openSUSE:Factory) to Maintenance. And now that includes changes done only for Factory. You can do that, but you don't actually need to. What is needed for Maintenance is only the 4.9.6 bump, not the fixes for bug 1170743 or bug 1092345 (which may be Factory specific).
Comment 6 Eric Schirra 2020-10-12 09:03:11 UTC
Okay. I understand.
You are right. Sorry.
What should I do?
Separate update for all maintained packages?
Will remove this request and do a new one.
Comment 7 Andreas Stieger 2020-10-12 09:13:34 UTC
Well as a maintainer it is really up to you. If you are willing to include the Factory fixes and think that they are stable for a maintenance update then include them.

But here is my recommendation: Make a maintenance branch, and apply the version bump only. Then submit that.
Comment 8 Eric Schirra 2020-10-12 09:34:56 UTC
New request is done.
Comment 9 OBSbugzilla Bot 2020-10-12 10:10:07 UTC
This is an autogenerated message for OBS integration:
This bug (1177561) was mentioned in
https://build.opensuse.org/request/show/841237 15.1+15.2+Backports:SLE-12+Backports:SLE-15-SP1+Backports:SLE-15-SP2 / phpMyAdmin
Comment 10 OBSbugzilla Bot 2020-10-16 08:50:07 UTC
This is an autogenerated message for OBS integration:
This bug (1177561) was mentioned in
https://build.opensuse.org/request/show/842058 15.1+15.2+Backports:SLE-12+Backports:SLE-15-SP1+Backports:SLE-15-SP2 / phpMyAdmin
Comment 11 Andreas Stieger 2020-10-16 08:50:33 UTC
4.9.6 has a regression, please use 4.9.7
https://build.opensuse.org/request/show/842056
https://build.opensuse.org/request/show/842058
Comment 12 Swamp Workflow Management 2020-10-16 16:16:16 UTC
openSUSE-SU-2020:1675-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1177561,1177562
CVE References: CVE-2020-26934,CVE-2020-26935
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    phpMyAdmin-4.9.6-lp152.2.3.1
openSUSE Leap 15.1 (src):    phpMyAdmin-4.9.6-lp151.2.18.1
openSUSE Backports SLE-15-SP2 (src):    phpMyAdmin-4.9.6-bp152.2.3.1
openSUSE Backports SLE-15-SP1 (src):    phpMyAdmin-4.9.6-bp151.3.18.1
Comment 13 Swamp Workflow Management 2020-10-16 16:18:24 UTC
openSUSE-SU-2020:1675-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1177561,1177562
CVE References: CVE-2020-26934,CVE-2020-26935
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    phpMyAdmin-4.9.6-lp152.2.3.1
openSUSE Leap 15.1 (src):    phpMyAdmin-4.9.6-lp151.2.18.1
openSUSE Backports SLE-15-SP2 (src):    phpMyAdmin-4.9.6-bp152.2.3.1
openSUSE Backports SLE-15-SP1 (src):    phpMyAdmin-4.9.6-bp151.3.18.1
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    phpMyAdmin-4.9.6-46.1
Comment 14 Andreas Stieger 2020-10-18 09:34:25 UTC
done
Comment 15 OBSbugzilla Bot 2020-10-21 17:30:27 UTC
This is an autogenerated message for OBS integration:
This bug (1177561) was mentioned in
https://build.opensuse.org/request/show/843257 15.1+Backports:SLE-12+Backports:SLE-15+Backports:SLE-15-SP1 / phpMyAdmin
Comment 16 Swamp Workflow Management 2020-11-01 17:15:51 UTC
openSUSE-SU-2020:1806-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1167335,1167336,1167337,1177561,1177562,1177842
CVE References: CVE-2020-10802,CVE-2020-10803,CVE-2020-10804,CVE-2020-26934,CVE-2020-26935
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    phpMyAdmin-4.9.7-lp151.2.24.1
openSUSE Backports SLE-15-SP1 (src):    phpMyAdmin-4.9.7-bp151.3.24.1
openSUSE Backports SLE-15 (src):    phpMyAdmin-4.9.7-bp150.43.1
Comment 17 Swamp Workflow Management 2020-11-01 17:17:19 UTC
openSUSE-SU-2020:1806-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1167335,1167336,1167337,1177561,1177562,1177842
CVE References: CVE-2020-10802,CVE-2020-10803,CVE-2020-10804,CVE-2020-26934,CVE-2020-26935
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    phpMyAdmin-4.9.7-lp151.2.24.1
openSUSE Backports SLE-15-SP1 (src):    phpMyAdmin-4.9.7-bp151.3.24.1
openSUSE Backports SLE-15 (src):    phpMyAdmin-4.9.7-bp150.43.1
SUSE Package Hub for SUSE Linux Enterprise 12 (src):    phpMyAdmin-4.9.7-52.1