ports/163528: [maintainer] databases/phpmyadmin -- security update to 3.4.9
Matthew Seaman
m.seaman at infracaninophile.co.uk
Thu Dec 22 11:10:09 UTC 2011
>Number: 163528
>Category: ports
>Synopsis: [maintainer] databases/phpmyadmin -- security update to 3.4.9
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Thu Dec 22 11:10:07 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Matthew Seaman
>Release: FreeBSD 8.2-STABLE amd64
>Organization:
Infracaninophile
>Environment:
System: FreeBSD lucid-nonsense.infracaninophile.co.uk 8.2-STABLE FreeBSD 8.2-STABLE #24 r227991: Sat Nov 26 13:33:22 GMT 2011 root at lucid-nonsense.infracaninophile.co.uk:/usr/obj/usr/src/sys/LUCID-NONSENSE amd64
>Description:
Hopefully for the last time this year:
This is the formal release of the fix for these security
vulnerabilities. However, the code is identical to the quick-reaction
patches in 3.4.9-rc1 other than updating the version number.
Security advisories have now been published:
http://www.phpmyadmin.net/home_page/security/PMASA-2011-19.php
http://www.phpmyadmin.net/home_page/security/PMASA-2011-20.php
CVE Numbers:
CVE-2011-4782
CVE-2011-4780
Release Notes:
Welcome to phpMyAdmin 3.4.9, a bugfix release with minor security corrections.
3.4.9.0 (2011-12-21)
- bug #3442028 [edit] Inline editing enum fields with null shows no dropdown
- bug #3442004 [interface] DB suggestion not correct for user with underscore
- bug #3438420 [core] Magic quotes removed in PHP 5.4
- bug #3398788 [session] No feedback when result is empty (signon auth_type)
- bug #3384035 [display] Problems regarding ShowTooltipAliasTB
- bug #3306875 [edit] Can't rename a database that contains views
- bug #3452506 [edit] Unable to move tables with triggers
- bug #3449659 [navi] Fast filter broken with table tree
- bug #3448485 [GUI] Firefox favicon frameset regression
- [core] Better compatibility with mysql extension
- [security] Self-XSS on export options (export server/database/table), see PMASA-2011-20
- [security] Self-XSS in setup (host parameter), see PMASA-2011-19
http://sourceforge.net/projects/phpmyadmin/files%2FphpMyAdmin%2F3.4.9%2FphpMyAdmin-3.4.9-notes.html/view
>How-To-Repeat:
>Fix:
--- phpmyadmin.diff begins here ---
Index: Makefile
===================================================================
RCS file: /home/ncvs/ports/databases/phpmyadmin/Makefile,v
retrieving revision 1.150
diff -u -u -r1.150 Makefile
--- Makefile 16 Dec 2011 01:43:54 -0000 1.150
+++ Makefile 22 Dec 2011 10:25:43 -0000
@@ -6,7 +6,7 @@
#
PORTNAME= phpMyAdmin
-DISTVERSION= 3.4.9-rc1
+DISTVERSION= 3.4.9
CATEGORIES= databases www
MASTER_SITES= SF/${PORTNAME:L}/${PORTNAME}/${DISTVERSION}
DISTNAME= ${PORTNAME}-${DISTVERSION}-all-languages
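Review bot: the DISTVERSION bump is the only change in this hunk and it is consistent with the MASTER_SITES and DISTNAME lines in the context, both of which derive from ${DISTVERSION}, so the distfile name and fetch URL follow automatically. Since the PR states the 3.4.9 tarball is code-identical to 3.4.9-rc1 apart from the version number, no PORTREVISION handling is needed, but the distinfo update must be committed together with this hunk or the port will fail its checksum at fetch time.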
Index: distinfo
===================================================================
RCS file: /home/ncvs/ports/databases/phpmyadmin/distinfo,v
retrieving revision 1.126
diff -u -u -r1.126 distinfo
--- distinfo 16 Dec 2011 01:43:54 -0000 1.126
+++ distinfo 22 Dec 2011 10:25:43 -0000
@@ -1,2 +1,2 @@
-SHA256 (phpMyAdmin-3.4.9-rc1-all-languages.tar.xz) = c005a3880f38e9d20809b2592b5fe108d11fc56bdf4cf666db5e07447ae40096
-SIZE (phpMyAdmin-3.4.9-rc1-all-languages.tar.xz) = 3639524
\ No newline at end of file
+SHA256 (phpMyAdmin-3.4.9-all-languages.tar.xz) = b7bceab1d9a6a8d2658e9739f848248faa8aefd945c9f5b33522a00b201363ba
+SIZE (phpMyAdmin-3.4.9-all-languages.tar.xz) = 3640512
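Review bot: the new SHA256 and SIZE values should be regenerated with `make makesum` from the distfile actually fetched via the MASTER_SITES URL rather than edited by hand, and it is worth cross-checking them against the checksum published on the phpMyAdmin SourceForge release page linked in the PR, since this distinfo entry is the only integrity check applied to the tarball at fetch time. The disappearance of the `\ No newline at end of file` marker is a welcome side effect: the old distinfo lacked a trailing newline and the new one ends with one.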
--- phpmyadmin.diff ends here ---
--- vuxml.diff begins here ---
Index: vuln.xml
===================================================================
RCS file: /home/ncvs/ports/security/vuxml/vuln.xml,v
retrieving revision 1.2522
diff -u -u -r1.2522 vuln.xml
--- vuln.xml 21 Dec 2011 12:40:43 -0000 1.2522
+++ vuln.xml 22 Dec 2011 10:38:36 -0000
@@ -47,6 +47,42 @@
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="8d2274e1-2c87-11e1-b2a3-e0cb4e266481">
+ <topic>phpMyAdmin -- Two XSS vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>phpMyAdmin</name>
+ <range><gt>3.4</gt><lt>3.4.9.r1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>The phpMyAdmin development team reports:</p>
+ <blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2011-19.php">
+ <p>Crafted values entered in the setup interface can produce
+ XSS; also, if the config directory exists and is writeable,
+ the XSS payload can be saved to this directory.</p>
+ </blockquote>
+
+ <blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2011-20.php">
+ <p>Using crafted url parameters, it was possible to produce
+ XSS on the export panels in the server, database and table
+ sections.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2011-4782</cvename>
+ <cvename>CVE-2011-4780</cvename>
+ <url>http://www.phpmyadmin.net/home_page/security/PMASA-2011-19.php</url>
+ <url>http://www.phpmyadmin.net/home_page/security/PMASA-2011-20.php</url>
+ </references>
+ <dates>
+ <discovery>2011-12-14</discovery>
+ <entry>2011-12-22</entry>
+ </dates>
+ </vuln>
+
<vuln vid="e3ff776b-2ba6-11e1-93c6-0011856a6e37">
<topic>mozilla -- multiple vulnerabilities</topic>
<affects>
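Review bot: the affected range `<gt>3.4</gt><lt>3.4.9.r1</lt>` excludes version 3.4 itself at the lower bound; if the whole 3.4.x series is affected (the PR does not state an earliest affected version), `<ge>3.4</ge>` would be the safer choice, so please confirm against the linked advisories. The upper bound `<lt>3.4.9.r1</lt>` correctly treats 3.4.9-rc1 as already fixed, matching the description's statement that the rc1 quick-reaction patches carry the same code. The two `<cvename>` entries are listed as CVE-2011-4782 then CVE-2011-4780 while the `<url>` entries run PMASA-2011-19 then PMASA-2011-20; listing the CVEs in the same order as the advisories they belong to (or in ascending order) makes the entry easier to cross-check. The `<discovery>2011-12-14</discovery>` date precedes the `<entry>` date as expected and should match the dates on the linked advisories.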
--- vuxml.diff ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted: