openSUSE-SU-2023:0047-1

See a problem?
Import Source
https://ftp.suse.com/pub/projects/security/osv/openSUSE-SU-2023:0047-1.json
JSON Data
https://api.test.osv.dev/v1/vulns/openSUSE-SU-2023:0047-1
Related
Published
2023-02-15T10:21:02Z
Modified
2023-02-15T10:21:02Z
Summary
Security update for phpMyAdmin
Details

This update for phpMyAdmin fixes the following issues:

phpMyAdmin was updated to 5.2.1

This is a security and bufix release.

  • Security:

    • Fix (PMASA-2023-01, CWE-661, boo#1208186, CVE-2023-25727) Fix an XSS attack through the drag-and-drop upload feature.
  • Bugfixes:

    • issue #17522 Fix case where the routes cache file is invalid
    • issue #17506 Fix error when configuring 2FA without XMLWriter or Imagick
    • issue Fix blank page when some error occurs
    • issue #17519 Fix Export pages not working in certain conditions
    • issue #17496 Fix error in table operation page when partitions are broken
    • issue #17386 Fix system memory and system swap values on Windows
    • issue #17517 Fix Database Server panel not getting hidden by ShowServerInfo configuration directive
    • issue #17271 Fix database names not showing on Processes tab
    • issue #17424 Fix export limit size calculation
    • issue #17366 Fix refresh rate popup on Monitor page
    • issue #17577 Fix monitor charts size on RTL languages
    • issue #17121 Fix password_hash function incorrectly adding single quotes to password before hashing
    • issue #17586 Fix statistics not showing for empty databases
    • issue #17592 Clicking on the New index link on the sidebar does not throw an error anymore
    • issue #17584 It's now possible to browse a database that includes two % in its name
    • issue Fix PHP 8.2 deprecated string interpolation syntax
    • issue Some languages are now correctly detected from the HTTP header
    • issue #17617 Sorting is correctly remembered when $cfg['RememberSorting'] is true
    • issue #17593 Table filtering now works when action buttons are on the right side of the row
    • issue #17388 Find and Replace using regex now makes a valid query if no matching result set found
    • issue #17551 Enum/Set editor will not fail to open when creating a new column
    • issue #17659 Fix error when a database group is named tables, views, functions, procedures or events
    • issue #17673 Allow empty values to be inserted into columns
    • issue #17620 Fix error handling at phpMyAdmin startup for the JS SQL console
    • issue Fixed debug queries console broken UI for query time and group count
    • issue Fixed escaping of SQL query and errors for the debug console
    • issue Fix console toolbar UI when the bookmark feature is disabled and sql debug is enabled
    • issue #17543 Fix JS error on saving a new designer page
    • issue #17546 Fix JS error after using save as and open page operation on the designer
    • issue Fix PHP warning on GIS visualization when there is only one GIS column
    • issue #17728 Some select HTML tags will now have the correct UI style
    • issue #17734 PHP deprecations will only be shown when in a development environment
    • issue #17369 Fix server error when blowfish_secret is not exactly 32 bytes long
    • issue #17736 Add utf8mb3 as an alias of utf8 on the charset description page
    • issue #16418 Fix FAQ 1.44 about manually removing vendor folders
    • issue #12359 Setup page now sends the Content-Security-Policy headers
    • issue #17747 The Column Visibility Toggle will not be hidden by other elements
    • issue #17756 Edit/Copy/Delete row now works when using GROUP BY
    • issue #17248 Support the UUID data type for MariaDB >= 10.7
    • issue #17656 Fix replace/change/set table prefix is not working
    • issue Fix monitor page filter queries only filtering the first row
    • issue Fix 'Link not found!' on foreign columns for tables having no char column to show
    • issue #17390 Fix 'Create view' modal doesn't show on results and empty results
    • issue #17772 Fix wrong styles for add button from central columns
    • issue #17389 Fix HTML disappears when exporting settings to browser's storage
    • issue #17166 Fix 'Warning: #1287 'X' is deprecated [...] Please use ST_X instead.' on search page
    • issue Use jquery-migrate.min.js (14KB) instead of jquery-migrate.min.js (31KB)
    • issue #17842 Use jquery.validate.min.js (24 KB) instead of jquery.validate.js (50 KB)
    • issue #17281 Fix links to databases for information_schema.SCHEMATA
    • issue #17553 Fix Metro theme unreadable links above navigation tree
    • issue #17553 Metro theme UI fixes and improvements
    • issue #17553 Fix Metro theme login form with
    • issue #16042 Exported gzip file of database has first ~73 kB uncompressed and rest is gzip compressed in Firefox
    • issue #17705 Fix inline SQL query edit FK checkbox preventing submit buttons from working
    • issue #17777 Fix Uncaught TypeError: Cannot read properties of null (reading 'inline') on datepickers when re-opened
    • issue Fix Original theme buttons style and login form width
    • issue #17892 Fix closing index edit modal and reopening causes it to fire twice
    • issue #17606 Fix preview SQL modal not working inside 'Add Index' modal
    • issue Fix PHP error on adding new column on create table form
    • issue #17482 Default to 'Full texts' when running explain statements
    • issue Fixed Chrome scrolling performance issue on a textarea of an 'export as text' page
    • issue #17703 Fix datepicker appears on all fields, not just date
    • issue Fix space in the tree line when a DB is expanded
    • issue #17340 Fix 'New Table' page -> 'VIRTUAL' attribute is lost when adding a new column
    • issue #17446 Fix missing option for STORED virtual column on MySQL and PERSISTENT is not supported on MySQL
    • issue #17446 Lower the check for virtual columns to MySQL>=5.7.6 nothing is supported on 5.7.5
    • issue Fix column names option for CSV Export
    • issue #17177 Fix preview SQL when reordering columns doesn't work on move columns
    • issue #15887 Fixed DROP TABLE errors ignored on multi table select for DROP
    • issue #17944 Fix unable to create a view from tree view button
    • issue #17927 Fix key navigation between select inputs (drop an old Firefox workaround)
    • issue #17967 Fix missing icon for collapse all button
    • issue #18006 Fixed UUID columns can't be moved
    • issue Add spellcheck='false' to all password fields and some text fields to avoid spell-jacking data leaks
    • issue Remove non working 'Analyze Explain at MariaDB.org' button (MariaDB stopped this service)
    • issue #17229 Add support for Web Authentication API because Chrome removed support for the U2F API
    • issue #18019 Fix 'Call to a member function fetchAssoc() on bool' with SQL mode ONLYFULLGROUP_BY on monitor search logs
    • issue Add back UUID and UUID_SHORT to functions on MySQL and all MariaDB versions
    • issue #17398 Fix clicking on JSON columns triggers update query
    • issue Fix silent JSON parse error on upload progress
    • issue #17833 Fix 'Add Parameter' button not working for Add Routine Screen
    • issue #17365 Fixed 'Uncaught Error: regexp too big' on server status variables page

Update to 5.2.0

  • Bugfix

    • issue #16521 Upgrade Bootstrap to version 5
    • issue #16521 Drop support for Internet Explorer and others
    • issue Upgrade to shapefile 3
    • issue #16555 Bump minimum PHP version to 7.2
    • issue Remove the phpseclib dependency
    • issue Upgrade Symfony components to version 5.2
    • issue Upgrade to Motranslator 4
    • issue #16005 Improve the performance of the Export logic
    • issue #16829 Add NOT LIKE %...% operator to Table search
    • issue #16845 Fixed some links not passing through url.php
    • issue #16382 Remove apc upload progress method (all upload progress code was removed from the PHP extension)
    • issue #16974 Replace zxcvbn by zxcvbn-ts
    • issue #15691 Disable the last column checkbox in the column list dropdown instead of not allowing un-check
    • issue #16138 Ignore the length of integer types and show a warning on MySQL >= 8.0.18
    • issue Add support for the Mroonga engine
    • issue Double click column name to directly copy to clipboard
    • issue #16425 Add DELETE FROM table on table operations page
    • issue #16482 Add a select all link for table-specific privileges
    • issue #14276 Add support for account locking
    • issue #17143 Use composer/ca-bundle to manage the CA cert file
    • issue #17143 Require the openssl PHP extension
    • issue #17171 Remove the printview.css file from themes
    • issue #17203 Redesign the export and the import pages
    • issue #16197 Replace the master/slave terminology
    • issue #17257 Replace libraries/vendor_config.php constants with an array
    • issue Add the Bootstrap theme
    • issue #17499 Remove stickyfilljs JavaScript dependency

Update to 5.1.3

This is a security and bufix release.

  • Security

    • Fix for boo#1197036 (CVE-2022-0813)
    • Fix for path disclosure under certain server configurations (if display_errors is on, for instance)
  • Bugfix

    • issue #17308 Fix broken pagination links in the navigation sidebar
    • issue #17331 Fix MariaDB has no support for system variable 'disabledstorageengines'
    • issue #17315 Fix unsupported operand types in Results.php when running 'SHOW PROCESSLIST' SQL query
    • issue #17288 Fixed importing browser settings question box after login when having no pmadb
    • issue #17288 Fix 'First day of calendar' user override has no effect
    • issue #17239 Fixed repeating headers are not working
    • issue #17298 Fixed import of email-adresses or links from ODS results in empty contents
    • issue #17344 Fixed a type error on ODS import with non string values
    • issue #17239 Fixed header row show/hide columns buttons on each line after hover are shown on each row

Update to 5.1.2

This is a security and bufix release.

  • Security

    • Fix boo#1195017 (CVE-2022-23807, PMASA-2022-1, CWE-661) Two factor authentication bypass
    • Fix boo#1195018 (CVE-2022-23808, PMASA-2022-2, CWE-661) Multiple XSS and HTML injection attacks in setup script
  • Bugfixes

    • Revert a changed to $cfg['CharTextareaRows'] allow values less than 7
    • Fix encoding of enum and set values on edit value
    • Fixed possible 'Undefined index: clauseisunique' error
    • Fixed some situations where a user is logged out when working with more than one server
    • Fixed a problem with assigning privileges to a user using the multiselect list when the database name has an underscore
    • Enable cookie parameter 'SameSite' when the PHP version is 7.3 or newer
    • Correctly handle the removal of 'innodbfileformat' in MariaDB and MySQL
References

Affected packages

SUSE:Package Hub 15 SP4 / phpMyAdmin

Package

Name
phpMyAdmin
Purl
pkg:rpm/suse/phpMyAdmin&distro=SUSE%20Package%20Hub%2015%20SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.2.1-bp154.2.3.1

Ecosystem specific

{
    "binaries": [
        {
            "phpMyAdmin-apache": "5.2.1-bp154.2.3.1",
            "phpMyAdmin-lang": "5.2.1-bp154.2.3.1",
            "phpMyAdmin": "5.2.1-bp154.2.3.1"
        }
    ]
}

openSUSE:Leap 15.4 / phpMyAdmin

Package

Name
phpMyAdmin
Purl
pkg:rpm/opensuse/phpMyAdmin&distro=openSUSE%20Leap%2015.4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.2.1-bp154.2.3.1

Ecosystem specific

{
    "binaries": [
        {
            "phpMyAdmin-apache": "5.2.1-bp154.2.3.1",
            "phpMyAdmin-lang": "5.2.1-bp154.2.3.1",
            "phpMyAdmin": "5.2.1-bp154.2.3.1"
        }
    ]
}