[Bug 306699] Re: please sync phpmyadmin for intrepid with 4:2.11.8.1-5 from debian stable
Launchpad Bug Tracker
306699 at bugs.launchpad.net
Mon Jul 6 17:19:46 UTC 2009
This bug was fixed in the package phpmyadmin - 4:2.11.3-1ubuntu1.2
---------------
phpmyadmin (4:2.11.3-1ubuntu1.2) hardy-security; urgency=low
[ Jonathan Davies ]
* SECURITY UPDATE: Insufficient output sanitizing when generating
configuration file (LP: #387215).
- debian/patches/053_CVE-2009-1151.dpatch: Added. Do not output unescaped
chars to generated configuration file. Patch from upstream SVN revision
12301.
- References:
+ CVE-2009-1151
+ PMASA-2009-3
[ Marc Deslauriers ]
* SECURITY UPDATE: authorization bypass via cross-site request forgery
- debian/patches/054_CVE-2008-3197.dpatch: use a token in index.php,
js/querywindow.js and libraries/footer.inc.php. Use a "new_db"
parameter in db_create.php, libraries/common.inc.php and
libraries/display_create_database.lib.php.
- CVE-2008-3197
* SECURITY UPDATE: spoofing or phishing via cross-site framing attack
(LP: #259839)
- debian/patches/055_CVE-2008-3456.dpatch: Introduce new
AllowThirdPartyFraming configuration boolean that allows phpMyAdmin
to be included from a document located on another domain.
- CVE-2008-3456
* SECURITY UPDATE: code injection via cross-site scripting in setup.php
(LP: #259839)
- debian/patches/056_CVE-2008-3457.dpatch: clean $val[1] in
scripts/setup.php.
- CVE-2008-3457
* SECURITY UPDATE: remote code execution via PHP sequences in sort_by
parameter
- debian/patches/057_CVE-2008-4096.dpatch: add new
PMA_usort_comparison_callback in libraries/database_interface.lib.php
- CVE-2008-4096
* SECURITY UPDATE: cross-site scripting via NUL byte
- debian/patches/058_CVE-2008-4326.dpatch: remove NUL bytes in
libraries/js_escape.lib.php.
- CVE-2008-4326
* SECURITY UPDATE: cross-site scripting in pmd_pdf.php when
register_globals is enabled
- debian/patches/059_CVE-2008-4775.dpatch: use
PMA_generate_common_hidden_inputs in pmd_pdf.php.
- CVE-2008-4775
* SECURITY UPDATE: code execution via CSRF vulnerability (LP: #306699)
- debian/patches/060_CVE-2008-5621.dpatch: use PMA_backquote instead of
PMA_sqlAddslashes in libraries/db_table_exists.lib.php.
- CVE-2008-5621
* SECURITY UPDATE: code injection via multiple cross-site scripting
vulnerabilities in display_export.lib.php
- debian/patches/061_CVE-2009-1150.dpatch: strip special chars in
libraries/display_export.lib.php.
- CVE-2009-1150
-- Marc Deslauriers <marc.deslauriers at ubuntu.com>  Sun, 05 Jul 2009 11:29:29 -0400
** Changed in: phpmyadmin (Ubuntu)
Status: Confirmed => Fix Released
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-3197
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-3456
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-3457
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-4096
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-4326
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2008-4775
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-1150
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2009-1151
--
please sync phpmyadmin for intrepid with 4:2.11.8.1-5 from debian stable
https://bugs.launchpad.net/bugs/306699
You received this bug notification because you are a member of Ubuntu
Bugs, which is a direct subscriber.
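The one-line fix for CVE-2008-5621 above (use PMA_backquote instead of PMA_sqlAddslashes in libraries/db_table_exists.lib.php) is a classic instance of escaping for the wrong context: a string-literal escaper applied to a value that lands in identifier position. The following is an added example, not phpMyAdmin's code and not the changelog author's; sql_addslashes() and backquote() are hypothetical stand-ins for the two roles those PMA helpers play, the schema and the attacker-controlled table name are constructed, and sqlite3 (which accepts MySQL-style backtick identifiers, and whose executescript() runs stacked statements) stands in for the database backend. How the real bug chained with CSRF on MySQL is not reproduced here; only the quoting mistake is.

```python
"""Identifier quoting vs string-literal escaping (the bug class behind the
PMA_sqlAddslashes -> PMA_backquote change in db_table_exists, CVE-2008-5621).

Added example, not phpMyAdmin's code: sql_addslashes() and backquote() are
hypothetical stand-ins for the two escaping roles, and sqlite3 stands in for
the backend (its executescript() accepts stacked statements).
"""
import sqlite3

# Constructed schema: a harmless table plus one an attacker would like to drop.
CONSTRUCTED_SCHEMA = """
CREATE TABLE users(id INTEGER);
CREATE TABLE secrets(k TEXT);
"""


def sql_addslashes(value: str) -> str:
    """Escape for use INSIDE a '...' string literal (the PMA_sqlAddslashes role):
    doubles backslashes and escapes single quotes. It knows nothing about
    backticks, whitespace or semicolons, so in identifier position it leaves
    exactly the characters that matter untouched."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def backquote(identifier: str) -> str:
    """Quote as a MySQL-style identifier (the PMA_backquote role): wrap in
    backticks and double any embedded backtick, so the parser consumes the
    whole input as one name and nothing inside it can start a new token."""
    return "`" + identifier.replace("`", "``") + "`"


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(CONSTRUCTED_SCHEMA)
    return conn


def table_names(conn: sqlite3.Connection) -> list:
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return sorted(r[0] for r in rows)


def table_exists(name: str, quote) -> tuple:
    """Emulate a 'does this table exist?' probe that interpolates a
    user-supplied table name using the given quoting function.
    Returns (exists, tables_left_afterwards) so that the side effect of the
    wrong quoting choice is visible. executescript() is used deliberately:
    like a backend that accepts stacked statements, it will run whatever the
    name smuggles in after a semicolon."""
    conn = fresh_db()
    sql = "SELECT count(*) FROM " + quote(name)
    try:
        conn.executescript(sql)
        exists = True
    except sqlite3.OperationalError:  # unknown table or unparsable identifier
        exists = False
    return exists, table_names(conn)


if __name__ == "__main__":
    payload = "users; DROP TABLE secrets"  # constructed attacker-controlled name
    # String escaping in identifier position: probe "succeeds" and secrets is gone.
    print("addslashes:", table_exists(payload, sql_addslashes))  # (True, ['users'])
    # Identifier quoting: the whole payload is one (nonexistent) table name.
    print("backquote: ", table_exists(payload, backquote))  # (False, ['secrets', 'users'])
    # Trying to close the backtick early is defeated by the doubling.
    print("break-out: ", table_exists("users`; DROP TABLE secrets", backquote))
```

The lesson is not that backquote() is "stronger" than sql_addslashes(); each is correct only for its own context. A value that is going inside quotes needs string escaping, a value that names a table or column needs identifier quoting, and a name that must match one of a known set of tables is better checked against that set (for example the catalogue) than quoted at all.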
--
ubuntu-bugs mailing list
ubuntu-bugs at lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs