Bug#684955: unblock: phpmyadmin/4:3.4.11.1-1 (security issue)
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Hi,
Please unblock package phpmyadmin: it fixes two cross site scripting issues
and nothing else. The diff to db_structure.js may be a bit hard to read, but
it adds escapeHTML() calls to two parameters.
unblock phpmyadmin/4:3.4.11.1-1
Thanks,
Thijs
Title: phpMyAdmin 3.4.11 - Documentation
diff -Nru phpmyadmin-3.4.11/ChangeLog phpmyadmin-3.4.11.1/ChangeLog
--- phpmyadmin-3.4.11/ChangeLog 2012-04-14 11:42:20.000000000 +0000
+++ phpmyadmin-3.4.11.1/ChangeLog 2012-08-12 13:38:18.000000000 +0000
@@ -1,6 +1,9 @@
phpMyAdmin - ChangeLog
======================
+3.4.11.1 (2012-08-12)
+- [security] Fixed XSS vulnerabilities, see PMASA-2012-4
+
3.4.11.0 (2012-04-14)
- bug #3486970 [import] Exception on XML import
- bug #3488777 [navi] $cfg['ShowTooltipAliasTB'] and blank names in navigation
diff -Nru phpmyadmin-3.4.11/Documentation.html phpmyadmin-3.4.11.1/Documentation.html
--- phpmyadmin-3.4.11/Documentation.html 2012-04-14 11:42:20.000000000 +0000
+++ phpmyadmin-3.4.11.1/Documentation.html 2012-08-12 13:38:18.000000000 +0000
@@ -9,7 +9,7 @@
-
+ phpMyAdmin 3.4.11.1 - Documentation
@@ -17,7 +17,7 @@
diff -Nru phpmyadmin-3.4.11/Documentation.txt phpmyadmin-3.4.11.1/Documentation.txt
--- phpmyadmin-3.4.11/Documentation.txt 2012-04-14 11:42:20.000000000 +0000
+++ phpmyadmin-3.4.11.1/Documentation.txt 2012-08-12 13:38:18.000000000 +0000
@@ -1,4 +1,4 @@
-phpMyAdmin 3.4.11 Documentation
+phpMyAdmin 3.4.11.1 Documentation
* Top
* Requirements
diff -Nru phpmyadmin-3.4.11/README phpmyadmin-3.4.11.1/README
--- phpmyadmin-3.4.11/README 2012-04-14 11:42:20.000000000 +0000
+++ phpmyadmin-3.4.11.1/README 2012-08-12 13:38:18.000000000 +0000
@@ -1,7 +1,7 @@
phpMyAdmin - Readme
===================
-Version 3.4.11
+Version 3.4.11.1
A set of PHP-scripts to manage MySQL over the web.
diff -Nru phpmyadmin-3.4.11/RELEASE-DATE-3.4.11 phpmyadmin-3.4.11.1/RELEASE-DATE-3.4.11
--- phpmyadmin-3.4.11/RELEASE-DATE-3.4.11 2012-04-14 11:42:20.000000000 +0000
+++ phpmyadmin-3.4.11.1/RELEASE-DATE-3.4.11 1970-01-01 00:00:00.000000000 +0000
@@ -1 +0,0 @@
-Sat Apr 14 11:41:12 UTC 2012
diff -Nru phpmyadmin-3.4.11/RELEASE-DATE-3.4.11.1 phpmyadmin-3.4.11.1/RELEASE-DATE-3.4.11.1
--- phpmyadmin-3.4.11/RELEASE-DATE-3.4.11.1 1970-01-01 00:00:00.000000000 +0000
+++ phpmyadmin-3.4.11.1/RELEASE-DATE-3.4.11.1 2012-08-12 13:38:18.000000000 +0000
@@ -0,0 +1 @@
+Sun Aug 12 13:37:09 UTC 2012
diff -Nru phpmyadmin-3.4.11/debian/changelog phpmyadmin-3.4.11.1/debian/changelog
--- phpmyadmin-3.4.11/debian/changelog 2012-04-18 10:28:38.000000000 +0000
+++ phpmyadmin-3.4.11.1/debian/changelog 2012-08-13 13:25:51.000000000 +0000
@@ -1,3 +1,10 @@
+phpmyadmin (4:3.4.11.1-1) unstable; urgency=high
+
+ * New upstream security release.
+ - Fixes cross site scripting [PMASA-2012-4].
+
+ -- Thijs Kinkhorst Mon, 13 Aug 2012 13:24:09 +0000
+
phpmyadmin (4:3.4.11-1) unstable; urgency=low
* New upstream release.
diff -Nru phpmyadmin-3.4.11/js/db_structure.js phpmyadmin-3.4.11.1/js/db_structure.js
--- phpmyadmin-3.4.11/js/db_structure.js 2012-04-14 11:42:20.000000000 +0000
+++ phpmyadmin-3.4.11.1/js/db_structure.js 2012-08-12 13:38:18.000000000 +0000
@@ -1,6 +1,6 @@
function PMA_adjustTotals(a){var b=a.closest("tr");a=b.find(".tbl_rows");var d=b.find(".tbl_size");b=parseInt(a.text());a.text("0");d.text("-");if(!isNaN(b)){$total_rows_td=$("#tbl_summary_row").find(".tbl_rows");a=parseInt($total_rows_td.text());isNaN(a)||$total_rows_td.text(a-b)}a=$("#tbl_summary_row").find(".tbl_size");a.text(a.text().replace(/^/,"~"))}
-$(document).ready(function(){$(".truncate_table_anchor").live("click",function(a){a.preventDefault();var b=$(this);a="TRUNCATE "+b.parents("tr").children("th").children("a").text();b.PMA_confirm(a,b.attr("href"),function(d){PMA_ajaxShowMessage(PMA_messages.strProcessingRequest);$.get(d,{is_js_confirmed:1,ajax_request:true},function(c){if(c.success==true){PMA_ajaxShowMessage(c.message);c=b.html().replace(/b_empty.png/,"bd_empty.png");PMA_adjustTotals(b);b.replaceWith(c).removeClass("truncate_table_anchor")}else PMA_ajaxShowMessage(PMA_messages.strErrorProcessingRequest+
-" : "+c.error)})})});$(".drop_table_anchor").live("click",function(a){a.preventDefault();var b=$(this),d=b.parents("tr");a="DROP TABLE "+d.children("th").children("a").text();b.PMA_confirm(a,b.attr("href"),function(c){PMA_ajaxShowMessage(PMA_messages.strProcessingRequest);$.get(c,{is_js_confirmed:1,ajax_request:true},function(e){if(e.success==true){PMA_ajaxShowMessage(e.message);PMA_adjustTotals(b);d.hide("medium").remove();window.parent&&window.parent.frame_navigation&&window.parent.frame_navigation.location.reload()}else PMA_ajaxShowMessage(PMA_messages.strErrorProcessingRequest+
+$(document).ready(function(){$(".truncate_table_anchor").live("click",function(a){a.preventDefault();var b=$(this);a=b.parents("tr").children("th").children("a").text();a="TRUNCATE "+escapeHtml(a);b.PMA_confirm(a,b.attr("href"),function(d){PMA_ajaxShowMessage(PMA_messages.strProcessingRequest);$.get(d,{is_js_confirmed:1,ajax_request:true},function(c){if(c.success==true){PMA_ajaxShowMessage(c.message);c=b.html().replace(/b_empty.png/,"bd_empty.png");PMA_adjustTotals(b);b.replaceWith(c).removeClass("truncate_table_anchor")}else PMA_ajaxShowMessage(PMA_messages.strErrorProcessingRequest+
+" : "+c.error)})})});$(".drop_table_anchor").live("click",function(a){a.preventDefault();var b=$(this),d=b.parents("tr");a=d.children("th").children("a").text();a="DROP TABLE "+escapeHtml(a);b.PMA_confirm(a,b.attr("href"),function(c){PMA_ajaxShowMessage(PMA_messages.strProcessingRequest);$.get(c,{is_js_confirmed:1,ajax_request:true},function(e){if(e.success==true){PMA_ajaxShowMessage(e.message);PMA_adjustTotals(b);d.hide("medium").remove();window.parent&&window.parent.frame_navigation&&window.parent.frame_navigation.location.reload()}else PMA_ajaxShowMessage(PMA_messages.strErrorProcessingRequest+
" : "+e.error)})})});$(".drop_event_anchor").live("click",function(a){a.preventDefault();var b=$(this).parents("tr");a="DROP EVENT "+$(b).children("td:first").text();$(this).PMA_confirm(a,$(this).attr("href"),function(d){PMA_ajaxShowMessage(PMA_messages.strDroppingEvent);$.get(d,{is_js_confirmed:1,ajax_request:true},function(c){if(c.success==true){PMA_ajaxShowMessage(c.message);$(b).hide("medium").remove()}else PMA_ajaxShowMessage(PMA_messages.strErrorProcessingRequest+" : "+c.error)})})});$(".drop_procedure_anchor").live("click",
function(a){a.preventDefault();a=$(this).parents("tr");a=$(a).children("td").children(".drop_procedure_sql").val();$(this).PMA_confirm(a,$(this).attr("href"),function(b){PMA_ajaxShowMessage(PMA_messages.strDroppingProcedure);$.get(b,{is_js_confirmed:1,ajax_request:true},function(d){if(d.success==true){PMA_ajaxShowMessage(d.message);$(curr_event_row).hide("medium").remove()}else PMA_ajaxShowMessage(PMA_messages.strErrorProcessingRequest+" : "+d.error)})})});$(".drop_tracking_anchor").live("click",
function(a){a.preventDefault();a=$(this);var b=a.parents("tr");a.PMA_confirm(PMA_messages.strDeleteTrackingData,a.attr("href"),function(d){PMA_ajaxShowMessage(PMA_messages.strDeletingTrackingData);$.get(d,{is_js_confirmed:1,ajax_request:true},function(c){if(c.success==true){PMA_ajaxShowMessage(c.message);$(b).hide("medium").remove()}else PMA_ajaxShowMessage(PMA_messages.strErrorProcessingRequest+" : "+c.error)})})});$("#real_end_input").live("click",function(a){a.preventDefault();a=PMA_messages.strOperationTakesLongTime;
diff -Nru phpmyadmin-3.4.11/libraries/Config.class.php phpmyadmin-3.4.11.1/libraries/Config.class.php
--- phpmyadmin-3.4.11/libraries/Config.class.php 2012-04-14 11:42:20.000000000 +0000
+++ phpmyadmin-3.4.11.1/libraries/Config.class.php 2012-08-12 13:38:18.000000000 +0000
@@ -96,7 +96,7 @@
*/
function checkSystem()
{
- $this->set('PMA_VERSION', '3.4.11');
+ $this->set('PMA_VERSION', '3.4.11.1');
/**
* @deprecated
*/
diff -Nru phpmyadmin-3.4.11/tbl_create.php phpmyadmin-3.4.11.1/tbl_create.php
--- phpmyadmin-3.4.11/tbl_create.php 2012-04-14 11:42:20.000000000 +0000
+++ phpmyadmin-3.4.11.1/tbl_create.php 2012-08-12 13:38:18.000000000 +0000
@@ -287,7 +287,9 @@
$new_table_string .= ' | ' . "\n";
$new_table_string .= '';
- $new_table_string .= ''. $table . '';
+ $new_table_string .= ''
+ . htmlspecialchars($table) . '';
if (PMA_Tracker::isActive()) {
$truename = str_replace(' ', ' ', htmlspecialchars($table));
Reply to:
|