Is CVE-2019-6799 applied already?

Asked by L-reimann

Hi,

I wanted to ask if https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-6799.html

which has patch status "needed", is already applied to package phpmyadmin.

The changelog for the package states that the last update was

phpmyadmin (4:4.6.6-5) unstable; urgency=medium

  * Add alternate dependency to php-mysqli. This seems to help in case people
    are using the package with other than default PHP.
  * Debconf translations update (Ukrainian, Portuguese, Kabyle and French).
  * Fix open_basedir setting for PHP 7 (Closes: #867882).

 -- Michal Čihař <email address hidden> Mon, 10 Jul 2017 12:43:06 +0200

Thanks for your feedback,
LR

Question information

Language: English
Status: Solved
For: Ubuntu phpmyadmin
Assignee: No assignee
Solved by: Manfred Hampl
L-reimann (l-reimann) said :
#1
actionparsnip (andrew-woodhead666) said :
#2

What are you using PHPMyAdmin to achieve please? There may be an easier or better tool to achieve your goals.

Manfred Hampl (m-hampl) said :
#3

On https://people.canonical.com/~ubuntu-security/cve/pkg/phpmyadmin.html you see the full list of CVEs for phpmyadmin and their status.

If the status is marked as "needed", then the problem has not been solved yet.
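
An added example, not part of the original thread: the question inspects the package changelog by eye, and this sh function does the same check for a Debian-format changelog, reporting the newest entry that names a CVE. The function names and the first sample entry (package version and CVE id) are constructed; a changelog that does not name the CVE agrees with a tracker status of "needed", and the tracker page remains the reference.

```shell
#!/bin/sh
# Added example (not from the thread): find the newest package version whose
# Debian-format changelog entry names a given CVE.
# Real use: apt-get changelog phpmyadmin | cve_fixed_in CVE-2019-6799

# cve_fixed_in CVE-ID  (changelog on stdin)
# Prints the version and returns 0 if an entry names the CVE, returns 1 otherwise.
cve_fixed_in() {
    awk -v cve="$1" '
        # Entry header: "package (version) distribution; urgency=..."
        /^[a-z0-9][a-z0-9+.-]* \(.*\) / { ver = $2; gsub(/[()]/, "", ver); next }
        {
            # Scan every occurrence; reject longer ids such as CVE-2019-67990.
            line = $0
            while ((p = index(line, cve)) > 0) {
                rest = substr(line, p + length(cve))
                if (rest !~ /^[0-9]/) { print ver; found = 1; exit }
                line = rest
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample: the first entry is invented (placeholder package version
# and CVE id), the second is the 4:4.6.6-5 entry quoted in the question.
sample_changelog() {
    cat <<'EOF'
phpmyadmin (4:0.0.0-0example1) unstable; urgency=high

  * Backport upstream fix for CVE-0000-00001 (constructed entry).

 -- Example Maintainer <maintainer@example.invalid>  Tue, 01 Jan 2030 00:00:00 +0000

phpmyadmin (4:4.6.6-5) unstable; urgency=medium

  * Add alternate dependency to php-mysqli.
  * Fix open_basedir setting for PHP 7 (Closes: #867882).

 -- Michal Čihař <email address hidden>  Mon, 10 Jul 2017 12:43:06 +0200
EOF
}

if v=$(sample_changelog | cve_fixed_in CVE-2019-6799); then
    echo "CVE-2019-6799 named in changelog entry $v"
else
    echo "CVE-2019-6799 not named in any changelog entry"
fi
```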

L-reimann (l-reimann) said :
#4

Manfred, thank you for your reply.

Imho, the package currently is a security risk with no upstream patch applied.

Does someone usually take care of this or is the patching out of scope for 18.04 LTS?

Best Manfred Hampl (m-hampl) said :
#5

There are four groups for software in the Ubuntu repositories:
The four main repositories are:
1. Main - Canonical-supported free and open-source software.
2. Universe - Community-maintained free and open-source software.
3. Restricted - Proprietary drivers for devices.
4. Multiverse - Software restricted by copyright or legal issues.
(see https://help.ubuntu.com/community/Repositories/Ubuntu )

phpmyadmin is in the "universe" category, i.e. it does not get full support by Canonical, but is maintained by the user community.

It's now necessary that some enthusiast collects the patches for correcting the vulnerabilities and creates an updated package. This is not a problem specific to Ubuntu 18.04 bionic, but valid also for the other supported Ubuntu releases.

L-reimann (l-reimann) said :
#6

Thanks Manfred Hampl, that solved my question.