
Bug#944228: stretch-pu: package phpmyadmin/4:4.6.6-4+deb9u1
On Wed, Nov 6, 2019 at 8:51 AM Adam D. Barratt <adam@adam-barratt.org.uk> wrote:
Control: tags -1 + moreinfo

On 2019-11-06 11:23, Felipe Sateler wrote:
> This update fixes several security issues, plus an important bug.
> Additionally we fix the metadata reflecting the maintainership change.
>
> Here is the changelog, with debdiff attached.
>
> phpmyadmin (4:4.6.6-4+deb9u1) stretch; urgency=medium
>
>   [ Matthias Blümel ]
>   * Several security fixes
>     - Cross-site scripting (XSS) vulnerability in db_central_columns.php
>       (PMASA-2018-1, CVE-2018-7260, Closes: #893539)
>     - Remove transformation plugin includes
>       (PMASA-2018-6, CVE-2018-19968)
>     - Fix Stored Cross-Site Scripting (XSS) in navigation tree
>       (PMASA-2018-8, CVE-2018-19970)
>     - Fix information leak (arbitrary file read) using SQL queries
>       (PMASA-2019-1, CVE-2019-6799, Closes: #920823)
>     - A specially crafted username can be used to trigger a SQL injection attack
>       (PMASA-2019-2, CVE-2019-6798, Closes: #920822)
>     - SQL injection in Designer feature
>       (PMASA-2019-3, CVE-2019-11768, Closes: #930048)
>     - CSRF vulnerability in login form
>       (PMASA-2019-4, CVE-2019-12616, Closes: #930017)

According to the BTS and Security Tracker, at least some of these issues
affect the package in unstable and aren't currently fixed there. Is that
correct?

Yes, it is correct. This is because in unstable we are aiming for version 4.9, but we are waiting on some NEW packages for that upload to happen.


--

Saludos,
Felipe Sateler
