Bug#944228: stretch-pu: package phpmyadmin/4:4.6.6-4+deb9u1

["Adam D. Barratt" <adam@adam-barratt.org.uk>]

Control: tags -1 + moreinfo

On 2019-11-06 11:23, Felipe Sateler wrote:
> This update fixes several security issues, plus an important bug.
> Additionally we fix the metadata reflecting the maintainership change.
>
> Here is the changelog, with debdiff attached.
>
> phpmyadmin (4:4.6.6-4+deb9u1) stretch; urgency=medium
>
>   [ Matthias Blümel ]
>   * Several security fixes
>     - Cross-site scripting (XSS) vulnerability in 
> db_central_columns.php
>       (PMASA-2018-1, CVE-2018-7260, Closes: #893539)
>     - Remove transformation plugin includes
>       (PMASA-2018-6, CVE-2018-19968)
>     - Fix Stored Cross-Site Scripting (XSS) in navigation tree
>       (PMASA-2018-8, CVE-2018-19970)
>     - Fix information leak (arbitrary file read) using SQL queries
>       (PMASA-2019-1, CVE-2019-6799, Closes: #920823)
>     - a specially crafted username can be used to trigger a SQL 
> injection attack
>       (PMASA-2019-2, CVE-2019-6798, Closes: #920822)
>     - SQL injection in Designer feature
>       (PMASA-2019-3, CVE-2019-11768, Closes: #930048)
>     - CSRF vulnerability in login form
>       (PMASA-2019-4, CVE-2019-12616, Closes: #930017)

According to the BTS and Security Tracker, at least some of these issues 
affect the package in unstable and aren't currently fixed there. Is that 
correct?

Regards,

Adam