
Bug#684955: marked as done (unblock: phpmyadmin/4:3.4.11.1-1 (security issue))



Your message dated Wed, 15 Aug 2012 13:53:36 +0100
with message-id <3767996ddd658f7050c4a9b70e994977@mail.adsl.funky-badger.org>
and subject line Re: Bug#684955: unblock: phpmyadmin/4:3.4.11.1-1 (security issue)
has caused the Debian Bug report #684955,
regarding unblock: phpmyadmin/4:3.4.11.1-1 (security issue)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
684955: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=684955
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock


Hi,

Please unblock package phpmyadmin: it fixes two cross site scripting issues
and nothing else. The diff to db_structure.js may be a bit hard to read, but
it adds escapeHTML() calls to two parameters.

unblock phpmyadmin/4:3.4.11.1-1


Thanks,
Thijs
diff -Nru phpmyadmin-3.4.11/ChangeLog phpmyadmin-3.4.11.1/ChangeLog --- phpmyadmin-3.4.11/ChangeLog 2012-04-14 11:42:20.000000000 +0000 +++ phpmyadmin-3.4.11.1/ChangeLog 2012-08-12 13:38:18.000000000 +0000 @@ -1,6 +1,9 @@ phpMyAdmin - ChangeLog ====================== +3.4.11.1 (2012-08-12) +- [security] Fixed XSS vulnerabilities, see PMASA-2012-4 + 3.4.11.0 (2012-04-14) - bug #3486970 [import] Exception on XML import - bug #3488777 [navi] $cfg['ShowTooltipAliasTB'] and blank names in navigation diff -Nru phpmyadmin-3.4.11/Documentation.html phpmyadmin-3.4.11.1/Documentation.html --- phpmyadmin-3.4.11/Documentation.html 2012-04-14 11:42:20.000000000 +0000 +++ phpmyadmin-3.4.11.1/Documentation.html 2012-08-12 13:38:18.000000000 +0000 @@ -9,7 +9,7 @@ - + phpMyAdmin 3.4.11.1 - Documentation @@ -17,7 +17,7 @@ diff -Nru phpmyadmin-3.4.11/Documentation.txt phpmyadmin-3.4.11.1/Documentation.txt --- phpmyadmin-3.4.11/Documentation.txt 2012-04-14 11:42:20.000000000 +0000 +++ phpmyadmin-3.4.11.1/Documentation.txt 2012-08-12 13:38:18.000000000 +0000 @@ -1,4 +1,4 @@ -phpMyAdmin 3.4.11 Documentation +phpMyAdmin 3.4.11.1 Documentation * Top * Requirements diff -Nru phpmyadmin-3.4.11/README phpmyadmin-3.4.11.1/README --- phpmyadmin-3.4.11/README 2012-04-14 11:42:20.000000000 +0000 +++ phpmyadmin-3.4.11.1/README 2012-08-12 13:38:18.000000000 +0000 @@ -1,7 +1,7 @@ phpMyAdmin - Readme =================== -Version 3.4.11 +Version 3.4.11.1 A set of PHP-scripts to manage MySQL over the web. diff -Nru phpmyadmin-3.4.11/RELEASE-DATE-3.4.11 phpmyadmin-3.4.11.1/RELEASE-DATE-3.4.11 --- phpmyadmin-3.4.11/RELEASE-DATE-3.4.11 2012-04-14 11:42:20.000000000 +0000 +++ phpmyadmin-3.4.11.1/RELEASE-DATE-3.4.11 1970-01-01 00:00:00.000000000 +0000 
@@ -1 +0,0 @@ -Sat Apr 14 11:41:12 UTC 2012 diff -Nru phpmyadmin-3.4.11/RELEASE-DATE-3.4.11.1 phpmyadmin-3.4.11.1/RELEASE-DATE-3.4.11.1 --- phpmyadmin-3.4.11/RELEASE-DATE-3.4.11.1 1970-01-01 00:00:00.000000000 +0000 +++ phpmyadmin-3.4.11.1/RELEASE-DATE-3.4.11.1 2012-08-12 13:38:18.000000000 +0000 @@ -0,0 +1 @@ +Sun Aug 12 13:37:09 UTC 2012 diff -Nru phpmyadmin-3.4.11/debian/changelog phpmyadmin-3.4.11.1/debian/changelog --- phpmyadmin-3.4.11/debian/changelog 2012-04-18 10:28:38.000000000 +0000 +++ phpmyadmin-3.4.11.1/debian/changelog 2012-08-13 13:25:51.000000000 +0000 @@ -1,3 +1,10 @@ +phpmyadmin (4:3.4.11.1-1) unstable; urgency=high + + * New upstream security release. + - Fixes cross site scripting [PMASA-2012-4]. + + -- Thijs Kinkhorst Mon, 13 Aug 2012 13:24:09 +0000 + phpmyadmin (4:3.4.11-1) unstable; urgency=low * New upstream release. diff -Nru phpmyadmin-3.4.11/js/db_structure.js phpmyadmin-3.4.11.1/js/db_structure.js --- phpmyadmin-3.4.11/js/db_structure.js 2012-04-14 11:42:20.000000000 +0000 +++ phpmyadmin-3.4.11.1/js/db_structure.js 2012-08-12 13:38:18.000000000 +0000 
@@ -1,6 +1,6 @@ function PMA_adjustTotals(a){var b=a.closest("tr");a=b.find(".tbl_rows");var d=b.find(".tbl_size");b=parseInt(a.text());a.text("0");d.text("-");if(!isNaN(b)){$total_rows_td=$("#tbl_summary_row").find(".tbl_rows");a=parseInt($total_rows_td.text());isNaN(a)||$total_rows_td.text(a-b)}a=$("#tbl_summary_row").find(".tbl_size");a.text(a.text().replace(/^/,"~"))} -$(document).ready(function(){$(".truncate_table_anchor").live("click",function(a){a.preventDefault();var b=$(this);a="TRUNCATE "+b.parents("tr").children("th").children("a").text();b.PMA_confirm(a,b.attr("href"),function(d){PMA_ajaxShowMessage(PMA_messages.strProcessingRequest);$.get(d,{is_js_confirmed:1,ajax_request:true},function(c){if(c.success==true){PMA_ajaxShowMessage(c.message);c=b.html().replace(/b_empty.png/,"bd_empty.png");PMA_adjustTotals(b);b.replaceWith(c).removeClass("truncate_table_anchor")}else PMA_ajaxShowMessage(PMA_messages.strErrorProcessingRequest+ -" : "+c.error)})})});$(".drop_table_anchor").live("click",function(a){a.preventDefault();var b=$(this),d=b.parents("tr");a="DROP TABLE "+d.children("th").children("a").text();b.PMA_confirm(a,b.attr("href"),function(c){PMA_ajaxShowMessage(PMA_messages.strProcessingRequest);$.get(c,{is_js_confirmed:1,ajax_request:true},function(e){if(e.success==true){PMA_ajaxShowMessage(e.message);PMA_adjustTotals(b);d.hide("medium").remove();window.parent&&window.parent.frame_navigation&&window.parent.frame_navigation.location.reload()}else PMA_ajaxShowMessage(PMA_messages.strErrorProcessingRequest+ +$(document).ready(function(){$(".truncate_table_anchor").live("click",function(a){a.preventDefault();var b=$(this);a=b.parents("tr").children("th").children("a").text();a="TRUNCATE 
"+escapeHtml(a);b.PMA_confirm(a,b.attr("href"),function(d){PMA_ajaxShowMessage(PMA_messages.strProcessingRequest);$.get(d,{is_js_confirmed:1,ajax_request:true},function(c){if(c.success==true){PMA_ajaxShowMessage(c.message);c=b.html().replace(/b_empty.png/,"bd_empty.png");PMA_adjustTotals(b);b.replaceWith(c).removeClass("truncate_table_anchor")}else PMA_ajaxShowMessage(PMA_messages.strErrorProcessingRequest+ +" : "+c.error)})})});$(".drop_table_anchor").live("click",function(a){a.preventDefault();var b=$(this),d=b.parents("tr");a=d.children("th").children("a").text();a="DROP TABLE "+escapeHtml(a);b.PMA_confirm(a,b.attr("href"),function(c){PMA_ajaxShowMessage(PMA_messages.strProcessingRequest);$.get(c,{is_js_confirmed:1,ajax_request:true},function(e){if(e.success==true){PMA_ajaxShowMessage(e.message);PMA_adjustTotals(b);d.hide("medium").remove();window.parent&&window.parent.frame_navigation&&window.parent.frame_navigation.location.reload()}else PMA_ajaxShowMessage(PMA_messages.strErrorProcessingRequest+ " : "+e.error)})})});$(".drop_event_anchor").live("click",function(a){a.preventDefault();var b=$(this).parents("tr");a="DROP EVENT "+$(b).children("td:first").text();$(this).PMA_confirm(a,$(this).attr("href"),function(d){PMA_ajaxShowMessage(PMA_messages.strDroppingEvent);$.get(d,{is_js_confirmed:1,ajax_request:true},function(c){if(c.success==true){PMA_ajaxShowMessage(c.message);$(b).hide("medium").remove()}else PMA_ajaxShowMessage(PMA_messages.strErrorProcessingRequest+" : "+c.error)})})});$(".drop_procedure_anchor").live("click", function(a){a.preventDefault();a=$(this).parents("tr");a=$(a).children("td").children(".drop_procedure_sql").val();$(this).PMA_confirm(a,$(this).attr("href"),function(b){PMA_ajaxShowMessage(PMA_messages.strDroppingProcedure);$.get(b,{is_js_confirmed:1,ajax_request:true},function(d){if(d.success==true){PMA_ajaxShowMessage(d.message);$(curr_event_row).hide("medium").remove()}else PMA_ajaxShowMessage(PMA_messages.strErrorProcessingRequest+" : 
"+d.error)})})});$(".drop_tracking_anchor").live("click", function(a){a.preventDefault();a=$(this);var b=a.parents("tr");a.PMA_confirm(PMA_messages.strDeleteTrackingData,a.attr("href"),function(d){PMA_ajaxShowMessage(PMA_messages.strDeletingTrackingData);$.get(d,{is_js_confirmed:1,ajax_request:true},function(c){if(c.success==true){PMA_ajaxShowMessage(c.message);$(b).hide("medium").remove()}else PMA_ajaxShowMessage(PMA_messages.strErrorProcessingRequest+" : "+c.error)})})});$("#real_end_input").live("click",function(a){a.preventDefault();a=PMA_messages.strOperationTakesLongTime; diff -Nru phpmyadmin-3.4.11/libraries/Config.class.php phpmyadmin-3.4.11.1/libraries/Config.class.php --- phpmyadmin-3.4.11/libraries/Config.class.php 2012-04-14 11:42:20.000000000 +0000 +++ phpmyadmin-3.4.11.1/libraries/Config.class.php 2012-08-12 13:38:18.000000000 +0000 @@ -96,7 +96,7 @@ */ function checkSystem() { - $this->set('PMA_VERSION', '3.4.11'); + $this->set('PMA_VERSION', '3.4.11.1'); /** * @deprecated */ diff -Nru phpmyadmin-3.4.11/tbl_create.php phpmyadmin-3.4.11.1/tbl_create.php --- phpmyadmin-3.4.11/tbl_create.php 2012-04-14 11:42:20.000000000 +0000 +++ phpmyadmin-3.4.11.1/tbl_create.php 2012-08-12 13:38:18.000000000 +0000 @@ -287,7 +287,9 @@ $new_table_string .= ' ' . "\n"; $new_table_string .= ''; - $new_table_string .= ''. $table . ''; + $new_table_string .= '' + . htmlspecialchars($table) . ''; if (PMA_Tracker::isActive()) { $truename = str_replace(' ', ' ', htmlspecialchars($table));
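Review bot: the escapeHtml() wrapping in this hunk covers only the TRUNCATE and DROP TABLE confirmation strings; in the trailing context of the same hunk the drop_event_anchor handler still builds its message as "DROP EVENT "+$(b).children("td:first").text() with no escaping, and the drop_procedure_anchor handler passes $(a).children("td").children(".drop_procedure_sql").val() through unchanged. If PMA_confirm renders its message as HTML, which is what makes the table-name case a problem, those two call sites need the same treatment or a note explaining why their input is already safe. The hunk also calls escapeHtml(), which this file does not define, so please point to where that helper is loaded on the db_structure page. Unrelated to the fix but visible here: the drop_procedure handler overwrites its row reference in a and then calls $(curr_event_row).hide("medium").remove(), which is not defined in that closure.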
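Review bot: the tbl_create.php hunk wraps $table in htmlspecialchars() before appending it to $new_table_string, which matches the existing htmlspecialchars($table) call for $truename two lines below, so the two outputs are now consistent. The surrounding markup did not survive in this rendering, so it is not visible whether $table lands in element text or in an attribute value; with PHP's default flags htmlspecialchars() leaves single quotes unescaped, so if the value sits inside a single-quoted attribute, pass ENT_QUOTES.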
--- End Message ---
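The db_structure.js change described in the request, as an added example that is not part of the original report or of phpMyAdmin's code: the confirmation message built from a table name before and after escaping, generalised to the TRUNCATE, DROP TABLE and DROP EVENT actions, with an escapeHtml helper of our own (assumed to behave like the one the patch calls) and a check a reviewer can run over the built messages.

```javascript
// Added example, not phpMyAdmin code. Mirrors the db_structure.js fix: the
// confirmation text is rendered as HTML by the dialog, so any table or event
// name concatenated into it must be HTML-escaped first.

// Assumed helper (ours, not the one the patch calls): escapes the five
// characters that matter in HTML text and attribute values.
function escapeHtml(str) {
  return String(str)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Before the fix: the object name goes into the HTML message verbatim.
function buildConfirmUnescaped(action, objectName) {
  return action + " " + objectName;
}

// After the fix: the object name is escaped before concatenation. The fixed
// file does this for "TRUNCATE" and "DROP TABLE"; the same builder serves
// "DROP EVENT", which the patch left unchanged.
function buildConfirmEscaped(action, objectName) {
  return action + " " + escapeHtml(objectName);
}

// Reviewer-side check for a string about to be rendered as HTML: it must not
// contain a raw tag opener or an ampersand that is not one of our entities.
function containsRawMarkup(message) {
  return /<[a-zA-Z\/!]/.test(message) ||
    /&(?!amp;|lt;|gt;|quot;|#39;)/.test(message);
}

// Constructed sample: an identifier with markup characters that a quoted
// MySQL identifier can legally contain.
const SAMPLE_TABLE = 'orders<b>&"x"</b>';

// Run the three actions through both builders and report which are safe.
function auditBuilders(objectName) {
  const actions = ["TRUNCATE", "DROP TABLE", "DROP EVENT"];
  return actions.map(function (action) {
    return {
      action: action,
      unescapedSafe: !containsRawMarkup(buildConfirmUnescaped(action, objectName)),
      escapedSafe: !containsRawMarkup(buildConfirmEscaped(action, objectName))
    };
  });
}
```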
--- Begin Message ---
On 15.08.2012 06:16, Thijs Kinkhorst wrote:
Please unblock package phpmyadmin: it fixes two cross site scripting issues and nothing else. The diff to db_structure.js may be a bit hard to read, but
it adds escapeHTML() calls to two parameters.

Unblocked; thanks.

Regards,

Adam

--- End Message ---