phpMyAdmin 4.9.5

Milestone information

Project: phpMyAdmin
Series: 4.9
Version: 4.9.5
Released:
Registrant: William Desportes
Release registered:
Active: No. Drivers cannot target bugs and blueprints to this milestone.

Release notes 

Hello,

The phpMyAdmin team announces the release of both 4.9.5 and 5.0.2.

Both versions contain several security fixes:

- PMASA-2020-2 SQL injection vulnerability in the user accounts page, particularly when changing a password
- PMASA-2020-3 SQL injection vulnerability relating to the search feature
- PMASA-2020-4 SQL injection and XSS having to do with displaying results
- Removing of the "options" field for the external transformation.
  We are removing the ability for users to set "options" field for the external transformation. This must now be hard coded in the plugin file directly (where the program is configured). This feature allows users to pipe output directly to an executable file, however the options field presented a security risk and we have decided to move the options to be hard coded in the transformation plugin file. For further assistance, please reach out to our support team through email or GitHub pull request.

Version 5.0.3 also contains many bug fixes:

- Fix for copying a user account
- Removed SET AUTOCOMMIT=0 from SQL export
- Fix for the display of table borders
- Fix for ENUM radio button user interface problems
- Improved the prompt for abandoning changes when no changes were made in the SQL window
- Fix for inserting a primary key with "insert as new row"
- Fix incorrect suggested latest available version to version 5

There are many other bug fixes; please see the ChangeLog file included with this release for full details.

Known shortcomings:

Due to changes in the MySQL authentication method, PHP versions prior to 7.4 are unable to authenticate to a MySQL 8.0 or newer server (our tests show the problem actually began with MySQL 8.0.11). This relates to a PHP bug https://bugs.php.net/bug.php?id=76243. There is a workaround, that is to set your user account to use the current-style password hash method, mysql_native_password. This unfortunate lack of coordination has caused the incompatibility to affect all PHP applications, not just phpMyAdmin. For more details, you can see our bug tracker item at https://github.com/phpmyadmin/phpmyadmin/issues/14220. We suggest upgrading your PHP installation to take advantage of the authentication methods.

As a reminder, phpMyAdmin 4.9 is in the long-term support phase where it will only get important security fixes and critical bug fixes. Users are suggested to migrate to version 5.0.

Downloads are available now at https://phpmyadmin.net/downloads/

For the phpMyAdmin team, Isaac

Changelog 

- issue [security] Fix SQL injection with certain usernames (PMASA-2020-2)
- issue [security] Fix SQL injection in particular search situations (PMASA-2020-3)
- issue [security] Fix SQL injection and XSS flaw (PMASA-2020-4)
- issue Deprecate "options" for the external transformation; options must now be hard-coded along with the program name directly in the file.
