pma in Feisty vulnerable to PMASA-2007-2 and PMASA-2007-3

Bug #94891 reported by magilus
Affects: phpmyadmin (Ubuntu)
Status: Fix Released
Importance: High
Assigned to: Unassigned

Bug Description

Binary package hint: phpmyadmin

pma in Feisty is vulnerable to PMASA-2007-2 and PMASA-2007-3.

As the phpmyadmin team has begun to publish patches, we should keep the Feisty phpmyadmin version secure, which should be much easier now; see https://sourceforge.net/tracker/?func=detail&atid=377408&aid=1647030&group_id=23067

For PMASA-2007-3, a patch has been published.

We'd have to extract the PMASA-2007-2 patch.

magilus (magilus) wrote :
Changed in phpmyadmin:
assignee: nobody → pirast
status: Unconfirmed → Confirmed
magilus (magilus) wrote :
magilus (magilus) wrote :

from debian/changelog:

+ * Backport security-related changes from 2.9.2-rc1:
+ * CVE-2007-0203: Multiple unspecified vulnerabilities;
+ this turns out to be (1) cross site scripting and
+ (2) the same as CVE-2006-6374. (Closes: #406332, #406486)
+ * CVE-2006-6374: the vulnerability only applies to
+ PHP < 5.1.2 and < 4.4.2, so strictly speaking current
+ Debian is not vulnerable. Include it anyway, to not expose
+ those using older PHP versions. (Closes: #404744)

So PMASA-2007-2 *seems* to be already included in our current version. I'd like to have a second look, though.

magilus (magilus) wrote :

Yup, PMASA-2007-2 is already included; preparing an updated deb for Feisty.

Changed in phpmyadmin:
status: Confirmed → In Progress
magilus (magilus) wrote :

Diff attached, please apply.

Changed in phpmyadmin:
assignee: pirast → nobody
status: In Progress → Confirmed
Kees Cook (kees) wrote :

Thanks! I've uploaded this.

Changed in phpmyadmin:
importance: Undecided → High
status: Confirmed → Fix Released