On Wed, Nov 6, 2019 at 8:51 AM Adam D. Barratt <a...@adam-barratt.org.uk> wrote:
> Control: tags -1 + moreinfo
>
> On 2019-11-06 11:23, Felipe Sateler wrote:
> > This update fixes several security issues, plus an important bug.
> > Additionally we fix the metadata reflecting the maintainership change.
> >
> > Here is the changelog, with debdiff attached.
> >
> > phpmyadmin (4:4.6.6-4+deb9u1) stretch; urgency=medium
> >
> >   [ Matthias Blümel ]
> >   * Several security fixes
> >     - Cross-site scripting (XSS) vulnerability in
> >       db_central_columns.php
> >       (PMASA-2018-1, CVE-2018-7260, Closes: #893539)
> >     - Remove transformation plugin includes
> >       (PMASA-2018-6, CVE-2018-19968)
> >     - Fix Stored Cross-Site Scripting (XSS) in navigation tree
> >       (PMASA-2018-8, CVE-2018-19970)
> >     - Fix information leak (arbitrary file read) using SQL queries
> >       (PMASA-2019-1, CVE-2019-6799, Closes: #920823)
> >     - a specially crafted username can be used to trigger a SQL
> >       injection attack
> >       (PMASA-2019-2, CVE-2019-6798, Closes: #920822)
> >     - SQL injection in Designer feature
> >       (PMASA-2019-3, CVE-2019-11768, Closes: #930048)
> >     - CSRF vulnerability in login form
> >       (PMASA-2019-4, CVE-2019-12616, Closes: #930017)
>
> According to the BTS and Security Tracker, at least some of these issues
> affect the package in unstable and aren't currently fixed there. Is that
> correct?

Yes, it is correct. This is because in unstable we are aiming for version
4.9, but we are waiting on some NEW packages for that upload to happen.

-- 
Saludos,
Felipe Sateler