Change logs for phpmyadmin source package in Zesty

  • phpmyadmin (4:4.6.6-4) unstable; urgency=medium
    
      * Build depend on locales-all to ensure en_US.UTF-8 is available (see
        #859219).
    
     -- Michal Čihař <email address hidden>  Fri, 07 Apr 2017 16:54:26 +0200
  • phpmyadmin (4:4.6.6-3) unstable; urgency=medium
    
      * Set locales for tests to avoid problems with transliteration in glibc for
        C.UTF-8 (Closes: #859219).
    
     -- Michal Čihař <email address hidden>  Tue, 04 Apr 2017 15:19:53 +0200
  • phpmyadmin (4:4.6.6-2) unstable; urgency=high
    
      * Apply upstream patch to fix non-working
        $cfg['Servers'][$i]['AllowNoPassword'] (PMASA-2017-8).
    
     -- Michal Čihař <email address hidden>  Thu, 30 Mar 2017 14:40:46 +0200
  • phpmyadmin (4:4.6.6-1) unstable; urgency=medium
    
      * New upstream release.
        - Multiple vulnerabilities in setup script (PMASA-2016-44).
        - Open redirect (PMASA-2017-1).
        - php-gettext code execution (PMASA-2017-2, CVE-2015-8980).
        - DOS vulnerability in table editing (PMASA-2017-3).
        - CSS injection in themes (PMASA-2017-4).
        - Cookie attribute injection attack (PMASA-2017-5).
        - SSRF in replication (PMASA-2017-6).
        - DOS in replication status (PMASA-2017-7).
    
     -- Michal Čihař <email address hidden>  Tue, 24 Jan 2017 09:14:39 +0100
  • phpmyadmin (4:4.6.5.2-1) unstable; urgency=medium
    
      * New upstream release.
      * Remove allow_url_fopen setting, recommend php-curl as that's a better way
        to support ReCaptcha or similar plugins.
      * Simplify dependency on php-gettext.
      * Properly work with both php-gettext and php-php-gettext packages as each
        of them installs library to different path.
      * Run testsuite during build, this includes a dozen upstream fixes for it.
    
     -- Michal Čihař <email address hidden>  Tue, 06 Dec 2016 10:48:29 +0100
  • phpmyadmin (4:4.6.5.1-1) unstable; urgency=high
    
      * New upstream release, fixing several security issues:
        - Unsafe generation of $cfg['blowfish_secret']
          (PMASA-2016-58)
        - phpMyAdmin's phpinfo functionality is removed
          (PMASA-2016-59)
        - AllowRoot and allow/deny rule bypass with specially-crafted username
          (PMASA-2016-60)
        - Username matching weaknesses with allow/deny rules
          (PMASA-2016-61)
        - Possible to bypass logout timeout
          (PMASA-2016-62)
        - Full path disclosure (FPD) weaknesses
          (PMASA-2016-63)
        - Multiple XSS weaknesses
          (PMASA-2016-64)
        - Multiple denial-of-service (DOS) vulnerabilities
          (PMASA-2016-65)
        - Possible to bypass white-list protection for URL redirection
          (PMASA-2016-66)
        - BBCode injection to login page
          (PMASA-2016-67)
        - Denial-of-service (DOS) vulnerability in table partitioning
          (PMASA-2016-68)
        - Multiple SQL injection vulnerabilities
          (PMASA-2016-69)
        - Incorrect serialized string parsing
          (PMASA-2016-70)
        - CSRF token not stripped from the URL
          (PMASA-2016-71)
    
     -- Michal Čihař <email address hidden>  Mon, 28 Nov 2016 10:22:19 +0100
  • phpmyadmin (4:4.6.4+dfsg1-2) unstable; urgency=medium
    
      * Change suggests to prefer default-mysql-server.
      * Depend on php-php-gettext as the package has been renamed
        (Closes: #837507).
      * Deny direct access to template files.
      * Use HTTPS in the Vcs-* fields, and use the cgit frontend instead of
        gitweb.
      * Use current email address in debian/doc-base and debian/copyright.
      * Remove obsolete PHP settings from Apache configuration.
      * Disable mbstring.func_overload in Apache configuration.
      * Added Korean debconf translation.
      * Updated Polish debconf translation.
      * Fix path to php-gettext library (Closes: #839923).
    
     -- Michal Čihař <email address hidden>  Fri, 18 Nov 2016 18:14:21 +0100
  • phpmyadmin (4:4.6.4+dfsg1-1) unstable; urgency=high
    
      * Repacked sources to exclude non free sRGB profile.
      * Replace FollowSymLinks with SymLinksIfOwnerMatch in apache configuration.
      * Updated Chinese debconf translations.
      * Better generate blowfish_secret.
      * New upstream release, fixing several security issues:
        - Weaknesses with cookie encryption
          (PMASA-2016-29, CVE-2016-6606)
        - Multiple XSS vulnerabilities
          (PMASA-2016-30, CVE-2016-6607)
        - Multiple XSS vulnerabilities
          (PMASA-2016-31, CVE-2016-6608)
        - PHP code injection
          (PMASA-2016-32, CVE-2016-6609)
        - Full path disclosure
          (PMASA-2016-33, CVE-2016-6610)
        - SQL injection attack
          (PMASA-2016-34, CVE-2016-6611)
        - Local file exposure through LOAD DATA LOCAL INFILE
          (PMASA-2016-35, CVE-2016-6612)
        - Local file exposure through symlinks with UploadDir
          (PMASA-2016-36, CVE-2016-6613)
        - Path traversal with SaveDir and UploadDir
          (PMASA-2016-37, CVE-2016-6614)
        - Multiple XSS vulnerabilities
          (PMASA-2016-38, CVE-2016-6615)
        - SQL injection vulnerability as control user
          (PMASA-2016-39, CVE-2016-6616)
        - SQL injection vulnerability
          (PMASA-2016-40, CVE-2016-6617)
        - Denial-of-service attack through transformation feature
          (PMASA-2016-41, CVE-2016-6618)
        - SQL injection vulnerability as control user
          (PMASA-2016-42, CVE-2016-6619)
        - Verify data before unserializing
          (PMASA-2016-43, CVE-2016-6620)
        - SSRF in setup script
          (PMASA-2016-44, CVE-2016-6621)
        - Denial-of-service attack with $cfg['AllowArbitraryServer'] = true and
          persistent connections
          (PMASA-2016-45, CVE-2016-6622)
        - Denial-of-service attack by using for loops
          (PMASA-2016-46, CVE-2016-6623)
        - Possible circumvention of IP-based allow/deny rules with IPv6 and proxy
          server
          (PMASA-2016-47, CVE-2016-6624)
        - Detect if user is logged in
          (PMASA-2016-48, CVE-2016-6625)
        - Bypass URL redirection protection
          (PMASA-2016-49, CVE-2016-6626)
        - Referrer leak
          (PMASA-2016-50, CVE-2016-6627)
        - Reflected File Download
          (PMASA-2016-51, CVE-2016-6628)
        - ArbitraryServerRegexp bypass
          (PMASA-2016-52, CVE-2016-6629)
        - Denial-of-service attack by entering long password
          (PMASA-2016-53, CVE-2016-6630)
        - Remote code execution vulnerability when running as CGI
          (PMASA-2016-54, CVE-2016-6631)
        - Denial-of-service attack when PHP uses dbase extension
          (PMASA-2016-55, CVE-2016-6632)
        - Remote code execution vulnerability when PHP uses dbase extension
          (PMASA-2016-56, CVE-2016-6633)
    
     -- Michal Čihař <email address hidden>  Wed, 17 Aug 2016 10:05:21 +0200