[ubuntu/bionic-updates] phpmyadmin 4:4.6.6-5ubuntu0.5 (Accepted)

Ubuntu Archive Robot cjwatson+ubuntu-archive-robot at chiark.greenend.org.uk
Thu Nov 19 14:28:08 UTC 2020


phpmyadmin (4:4.6.6-5ubuntu0.5) bionic-security; urgency=medium

  * SECURITY UPDATE: Cross-site scripting (XSS)
    - debian/patches/CVE-2020-26934.patch: make sure where_clause is not
      modified
    - debian/patches/fix-tests-for-CVE-2020-26934-and-CVE-2020-26935.patch:
      Fix failing tests
    - debian/patches/CVE-2018-7260.patch: Fix XSS vulnerability in central
      columns feature
    - debian/patches/CVE-2018-19970.patch: Fix stored Cross-Site Scripting
      (XSS) in navigation tree.
    - CVE-2020-26934
    - CVE-2018-7260
    - CVE-2018-19970
  * SECURITY UPDATE: Cross-site request forgery (CSRF)
    - debian/patches/CVE-2019-12616.patch: Retrieve parameters from $_POST
      in AuthenticationCookie.
    - debian/patches/fix-tests-for-CVE-2019-12616.patch: Fix tests for
      CVE-2019-12616
  * SECURITY UPDATE: SQL Injection
    - debian/patches/CVE-2020-26935.patch: Check where clause signature in
      TableSearchController
    - debian/patches/CVE-2019-6798.patch: SQL injection in Designer
    - debian/patches/CVE-2019-11768.patch: Fix escape database name when
      saving page on designer.
    - debian/patches/CVE-2020-5504.patch: escape username in the query
    - debian/patches/CVE-2020-10804: escape username, password, and hostname
    - debian/patches/CVE-2020-10802: Use Util::backquote in getDataRowAction
    - debian/patches/CVE-2020-10803: Add where_clause check in
      tbl_get_field.php
    - debian/patches/fix-tests-for-CVE-2020-10803.patch: Fix
      Display/ResultsTest errors
    - CVE-2020-26935
    - CVE-2019-6798
    - CVE-2019-11768
    - CVE-2020-5504
    - CVE-2020-10804
    - CVE-2020-10802
    - CVE-2020-10803
  * SECURITY UPDATE: Sensitive information exposure
    - debian/patches/CVE-2018-19968.patch: Remove transform plugin includes
    - debian/patches/CVE-2019-6799.patch: Prevent arbitrary file read by
      the webserver
    - CVE-2018-19968
    - CVE-2019-6799
  * FTBFS: PHPUnit namespace discrepancy
    - debian/patches/fix-tests-bionic.patch: The version of PHPUnit packaged
      with bionic is not compatible with these unit tests. Some minor namespace
      tweaks were needed in order to get the test suite to run. One test case
      provided by rulesProvider for testAddRules() was disabled.

Date: 2020-11-19 13:23:10.644745+00:00
Changed-By: Mike Salvatore <mike.salvatore at canonical.com>
Signed-By: Ubuntu Archive Robot <cjwatson+ubuntu-archive-robot at chiark.greenend.org.uk>
https://launchpad.net/ubuntu/+source/phpmyadmin/4:4.6.6-5ubuntu0.5