[ubuntu/bionic-security] phpmyadmin 4:4.6.6-5ubuntu0.5 (Accepted)
Mike Salvatore
mike.salvatore at canonical.com
Thu Nov 19 13:40:34 UTC 2020
phpmyadmin (4:4.6.6-5ubuntu0.5) bionic-security; urgency=medium

  * SECURITY UPDATE: Cross-site scripting (XSS)
    - debian/patches/CVE-2020-26934.patch: make sure where_clause is not
      modified
    - debian/patches/fix-tests-for-CVE-2020-26934-and-CVE-2020-26935.patch:
      Fix failing tests
    - debian/patches/CVE-2018-7260.patch: Fix XSS vulnerability in central
      columns feature
    - debian/patches/CVE-2018-19970.patch: Fix stored Cross-Site Scripting
      (XSS) in navigation tree.
    - CVE-2020-26934
    - CVE-2018-7260
    - CVE-2018-19970
  * SECURITY UPDATE: Cross-site request forgery (CSRF)
    - debian/patches/CVE-2019-12616.patch: Retrieve parameters from $_POST
      in AuthenticationCookie.
    - debian/patches/fix-tests-for-CVE-2019-12616.patch: Fix tests for
      CVE-2019-12616
  * SECURITY UPDATE: SQL Injection
    - debian/patches/CVE-2020-26935.patch: Check where clause signature in
      TableSearchController
    - debian/patches/CVE-2019-6798.patch: SQL injection in Designer
    - debian/patches/CVE-2019-11768.patch: Fix escape database name when
      saving page on designer.
    - debian/patches/CVE-2020-5504.patch: escape username in the query
    - debian/patches/CVE-2020-10804: escape username, password, and hostname
    - debian/patches/CVE-2020-10802: Use Util::backquote in getDataRowAction
    - debian/patches/CVE-2020-10803: Add where_clause check in
      tbl_get_field.php
    - debian/patches/fix-tests-for-CVE-2020-10803.patch: Fix
      Display/ResultsTest errors
    - CVE-2020-26935
    - CVE-2019-6798
    - CVE-2019-11768
    - CVE-2020-5504
    - CVE-2020-10804
    - CVE-2020-10802
    - CVE-2020-10803
  * SECURITY UPDATE: Sensitive information exposure
    - debian/patches/CVE-2018-19968.patch: Remove transform plugin includes
    - debian/patches/CVE-2019-6799.patch: Prevent arbitrary file read by
      the webserver
    - CVE-2018-19968
    - CVE-2019-6799
  * FTBFS: PHPUnit namespace discrepancy
    - debian/patches/fix-tests-bionic.patch: The version of PHPUnit packaged
      with bionic is not compatible with these unit tests. Some minor namespace
      tweaks were needed in order to get the test suite to run. One test case
      provided by rulesProvider for testAddRules() was disabled.
Date: 2020-11-19 13:23:10.644745+00:00
Changed-By: Mike Salvatore <mike.salvatore at canonical.com>
https://launchpad.net/ubuntu/+source/phpmyadmin/4:4.6.6-5ubuntu0.5