phpmyadmin (4:2.11.3-1ubuntu1.2) hardy-security; urgency=low

  [ Jonathan Davies ]
  * SECURITY UPDATE: Insufficient output sanitizing when generating
    configuration file (LP: #387215).
    - debian/patches/053_CVE-2009-1151.dpatch: Added. Do not output unescaped
      chars to generated configuration file. Patch from upstream SVN revision
      12301.
    - References:
      + CVE-2009-1151
      + PMASA-2009-3

  [ Marc Deslauriers ]
  * SECURITY UPDATE: authorization bypass via cross-site request forgery
    - debian/patches/054_CVE-2008-3197.dpatch: use a token in index.php,
      js/querywindow.js and libraries/footer.inc.php. Use a "new_db"
      parameter in db_create.php, libraries/common.inc.php and
      libraries/display_create_database.lib.php.
    - CVE-2008-3197
  * SECURITY UPDATE: spoofing or phishing via cross-site framing attack
    (LP: #259839)
    - debian/patches/055_CVE-2008-3456.dpatch: Introduce new
      AllowThirdPartyFraming configuration boolean that allows phpMyAdmin
      to be included from a document located on another domain.
    - CVE-2008-3456
  * SECURITY UPDATE: code injection via cross-site scripting in setup.php
    (LP: #259839)
    - debian/patches/056_CVE-2008-3457.dpatch: clean $val[1] in
      scripts/setup.php.
    - CVE-2008-3457
  * SECURITY UPDATE: remote code execution via PHP sequences in sort_by
    parameter
    - debian/patches/057_CVE-2008-4096.dpatch: add new
      PMA_usort_comparison_callback in libraries/database_interface.lib.php
    - CVE-2008-4096
  * SECURITY UPDATE: cross-site scripting via NUL byte
    - debian/patches/058_CVE-2008-4326.dpatch: remove NUL bytes in
      libraries/js_escape.lib.php.
    - CVE-2008-4326
  * SECURITY UPDATE: cross-site scripting in pmd_pdf.php when
    register_globals is enabled
    - debian/patches/059_CVE-2008-4775.dpatch: use
      PMA_generate_common_hidden_inputs in pmd_pdf.php.
    - CVE-2008-4775
  * SECURITY UPDATE: code execution via CSRF vulnerability (LP: #306699)
    - debian/patches/060_CVE-2008-5621.dpatch: use PMA_backquote instead of
      PMA_sqlAddslashes in libraries/db_table_exists.lib.php.
    - CVE-2008-5621
  * SECURITY UPDATE: code injection via multiple cross-site scripting
    vulnerabilities in display_export.lib.php
    - debian/patches/061_CVE-2009-1150.dpatch: strip special chars in
      libraries/display_export.lib.php.
    - CVE-2009-1150

-- Marc Deslauriers <email address hidden> Sun, 05 Jul 2009 11:29:29 -0400
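The CVE-2008-4326 entry above records the fix only as "remove NUL bytes in libraries/js_escape.lib.php". The following is an added example, not code from phpMyAdmin or from any of this update's patches, showing why a JavaScript-string escaper has to drop NUL bytes before it escapes: a "\0" in the middle of a value can be treated as end-of-string by one layer and as an ordinary byte by the next, so whatever follows it may be emitted unescaped. The function name and the sample inputs are this example's own.

```php
<?php
// Added example (not phpMyAdmin's code): escape a PHP string for use
// inside a single- or double-quoted JavaScript string literal.
// Function name and sample data are constructed for this illustration.

function escape_for_js_string(string $value): string
{
    // Step 1: drop NUL bytes first. C-style string handling (and some
    // older browser parsers) stop at "\0", while PHP keeps going; escaping
    // without this step can leave the bytes after the NUL untouched.
    $value = str_replace("\0", '', $value);

    // Step 2: escape characters that can end the literal or the enclosing
    // <script> block. strtr() applies all replacements in one pass, so the
    // backslash added by one rule is never re-escaped by another.
    $replacements = [
        '\\' => '\\\\',
        "'"  => "\\'",
        '"'  => '\\"',
        "\r" => '\\r',
        "\n" => '\\n',
        '/'  => '\\/',   // turns "</script>" into "<\/script>", which no longer closes the tag
    ];
    return strtr($value, $replacements);
}

// Constructed sample inputs; the third carries a NUL byte followed by a closing tag.
$samples = [
    "plain table name",
    "it's \"quoted\"",
    "name\0</script>",
];
foreach ($samples as $s) {
    echo "var name = '" . escape_for_js_string($s) . "';\n";
}
```

Run with `php escape_for_js_string.php`: the third sample comes out as `var name = 'name<\/script>';`, with the NUL gone and the slash escaped so the literal stays inside its `<script>` block. Stripping the NUL before escaping, rather than after, is the order that matters.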