Re: PMASA-2005-6 when "register_globals = on"
Neil McGovern wrote:
> On Tue, Nov 15, 2005 at 05:54:32PM +0100, Piotr Roszatycki wrote:
> > http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-6 reports
> > that sarge's phpmyadmin package has a security flaw which occurs only if
> > "register_globals = on" setting is used.
> >
> > This feature is disabled in Debian package by default so I doubt if this is
> > a serious problem. I'd like to ask if I should prepare the new package for
> > sarge or not?
> >
>
> According to the advisory, all versions < 2.6.4-pl4 are affected
> (2.7.0-beta1 from the development schema).
>
> This would mean that this affects sid and etch too. Has a bug been
> filed/a CVE number assigned for this?
I don't know of one. We may have to go without one for the moment.
Also, a second issue has just popped up:
http://www.fitsec.com/advisories/FS-05-02.txt
I'd be glad if you could provide patches and packages for
both issues.
(both because in the second the path disclosure is bogus for
us since dpkg -c will disclose the path as well).
Regards,
Joey
--
The only stupid question is the unasked one.
Please always Cc to me when replying to me on the lists.