Changelog

phpmyadmin (4:4.6.6-5ubuntu0.5) bionic-security; urgency=medium

  * SECURITY UPDATE: Cross-site scripting (XSS)
    - debian/patches/CVE-2020-26934.patch: make sure where_clause is not
      modified
    - debian/patches/fix-tests-for-CVE-2020-26934-and-CVE-2020-26935.patch:
      Fix failing tests
    - debian/patches/CVE-2018-7260.patch: Fix XSS vulnerability in central
      columns feature
    - debian/patches/CVE-2018-19970.patch: Fix stored Cross-Site Scripting
      (XSS) in navigation tree.
    - CVE-2020-26934
    - CVE-2018-7260
    - CVE-2018-19970
  * SECURITY UPDATE: Cross-site request forgery (CSRF)
    - debian/patches/CVE-2019-12616.patch: Retrieve parameters from $_POST
      in AuthenticationCookie.
    - debian/patches/fix-tests-for-CVE-2019-12616.patch: Fix tests for
      CVE-2019-12616
  * SECURITY UPDATE: SQL Injection
    - debian/patches/CVE-2020-26935.patch: Check where clause signature in
      TableSearchController
    - debian/patches/CVE-2019-6798.patch: SQL injection in Designer
    - debian/patches/CVE-2019-11768.patch: Fix escaping of database name when
      saving page on designer.
    - debian/patches/CVE-2020-5504.patch: escape username in the query
    - debian/patches/CVE-2020-10804: escape username, password, and hostname
    - debian/patches/CVE-2020-10802: Use Util::backquote in getDataRowAction
    - debian/patches/CVE-2020-10803: Add where_clause check in
      tbl_get_field.php
    - debian/patches/fix-tests-for-CVE-2020-10803.patch: Fix
      Display/ResultsTest errors
    - CVE-2020-26935
    - CVE-2019-6798
    - CVE-2019-11768
    - CVE-2020-5504
    - CVE-2020-10804
    - CVE-2020-10802
    - CVE-2020-10803
  * SECURITY UPDATE: Sensitive information exposure
    - debian/patches/CVE-2018-19968.patch: Remove transform plugin includes
    - debian/patches/CVE-2019-6799.patch: Prevent arbitrary file read by
      the webserver
    - CVE-2018-19968
    - CVE-2019-6799
  * FTBFS: PHPUnit namespace discrepancy
    - debian/patches/fix-tests-bionic.patch: The version of PHPUnit packaged
      with bionic is not compatible with these unit tests. Some minor namespace
      tweaks were needed in order to get the test suite to run. One test case
      provided by rulesProvider for testAddRules() was disabled.

 -- Mike Salvatore <email address hidden>  Tue, 17 Nov 2020 19:16:01 -0500
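
The where_clause entries above (CVE-2020-26934, CVE-2020-26935, CVE-2020-10803) and the Util::backquote entry (CVE-2020-10802) all come down to one pattern: a WHERE clause or identifier that the server generated is handed to the browser, and the next request must not be able to hand back a modified one. The PHP below is an added illustration of that pattern, not phpMyAdmin's or the Ubuntu package's code; the signing key, the where_clause_sign parameter name, the function names and the sample row data are assumptions made for the demo.

```php
<?php
// Added example, not phpMyAdmin code: sign a server-generated WHERE clause
// with an HMAC when it is emitted, and refuse it on the way back in unless the
// HMAC still matches. Identifiers are backquoted separately, since a signature
// on the clause does nothing for a db/table name taken straight from the request.
declare(strict_types=1);

// Per-installation secret (assumed value). phpMyAdmin keeps a comparable
// secret in its configuration; any random 32+ byte value works here.
const SIGNING_KEY = 'replace-with-a-random-32-byte-secret';

/** Sign a clause so the client can only echo it back unchanged. */
function signWhereClause(string $whereClause, string $key = SIGNING_KEY): string
{
    return hash_hmac('sha256', $whereClause, $key);
}

/** Constant-time comparison of a returned clause against its signature. */
function verifyWhereClause(string $whereClause, string $signature, string $key = SIGNING_KEY): bool
{
    return hash_equals(signWhereClause($whereClause, $key), $signature);
}

/** MySQL identifier quoting: wrap in backticks and double any embedded backtick. */
function backquote(string $identifier): string
{
    return '`' . str_replace('`', '``', $identifier) . '`';
}

/**
 * Build the single-row fetch query from request parameters (assumed names).
 * Returns null when where_clause is missing or its signature does not verify;
 * the caller should answer with HTTP 400 rather than run anything.
 */
function buildRowQuery(array $request, string $key = SIGNING_KEY): ?string
{
    $where = (string) ($request['where_clause'] ?? '');
    $sign  = (string) ($request['where_clause_sign'] ?? '');
    if ($where === '' || !verifyWhereClause($where, $sign, $key)) {
        return null;
    }
    $db    = (string) ($request['db'] ?? '');
    $table = (string) ($request['table'] ?? '');
    if ($db === '' || $table === '') {
        return null;
    }
    return 'SELECT * FROM ' . backquote($db) . '.' . backquote($table)
        . ' WHERE ' . $where . ' LIMIT 1';
}

// --- Demo with constructed data ---
// Server side: the clause comes from a primary-key value the server already
// knows, and is signed before being embedded in the page.
$generated = '`id` = 7';
$link = [
    'db'                => 'app',
    'table'             => 'users',
    'where_clause'      => $generated,
    'where_clause_sign' => signWhereClause($generated),
];

// Client echoes the link back unchanged: accepted.
var_dump(buildRowQuery($link));
// string(...) "SELECT * FROM `app`.`users` WHERE `id` = 7 LIMIT 1"

// Attacker edits the clause but cannot produce a matching HMAC: rejected.
$tampered = $link;
$tampered['where_clause'] = '`id` = 7 OR 1 = 1';
var_dump(buildRowQuery($tampered));
// NULL

// A hostile table name is neutralised by backquote() rather than by the signature.
$hostile = $link;
$hostile['table'] = 'users` WHERE 1 = 1 -- ';
var_dump(buildRowQuery($hostile));
// string(...) "SELECT * FROM `app`.`users`` WHERE 1 = 1 -- ` WHERE `id` = 7 LIMIT 1"
```

The clause itself stays unescaped on purpose: it is server-generated text, and the signature is what proves it has not been touched in transit. Anything the client is allowed to choose freely (db, table) goes through backquote() instead, which is the same split the changelog entries describe between the where_clause signature checks and the Util::backquote change.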
