Your message dated Wed, 23 Nov 2005 07:17:13 -0800 with message-id <[EMAIL PROTECTED]> and subject line Bug#340438: fixed in phpmyadmin 4:2.6.4-pl4-2 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.) Debian bug tracking system administrator (administrator, Debian Bugs database) -------------------------------------- Received: (at submit) by bugs.debian.org; 23 Nov 2005 13:32:04 +0000 >From [EMAIL PROTECTED] Wed Nov 23 05:32:04 2005 Return-path: <[EMAIL PROTECTED]> Received: from lars.internetia.pl ([195.114.173.133]) by spohr.debian.org with esmtp (Exim 4.50) id 1EeujE-0003jX-GE for [EMAIL PROTECTED]; Wed, 23 Nov 2005 05:32:04 -0800 Received: from szafir.internetia.pl ([212.106.7.66.28034]) by lars.internetia.pl with esmtp (Exim 3.35) envelope-from <[EMAIL PROTECTED]> for <[EMAIL PROTECTED]> id 1Eeuii-0007oF-00; Wed, 23 Nov 2005 14:31:32 +0100 Received: from wlnet-host-250.wlnet.com.pl ([80.72.34.250.18469] helo=ginsan) by szafir.internetia.pl with esmtp (TLSv1:RC4-MD5:128) (Exim 3.35) envelope-from <[EMAIL PROTECTED]> for <[EMAIL PROTECTED]> id 1EeuiS-0004AX-00; Wed, 23 Nov 2005 14:31:16 +0100 From: Piotr Roszatycki <[EMAIL PROTECTED]> Subject: CVE-2005-3665: Cross-site scripting by trusting potentially user-supplied input. Date: Wed, 23 Nov 2005 14:30:08 +0100 User-Agent: KMail/1.8.3 Cc: [EMAIL PROTECTED] MIME-Version: 1.0 Content-Type: Multipart/Mixed; boundary="Boundary-00=_h7GhDSMDK4U0Xhk" To: Undisclosed.Recipients: ; Message-Id: <[EMAIL PROTECTED]> Delivered-To: [EMAIL PROTECTED] X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 (1.212-2003-09-23-exp) on spohr.debian.org X-Spam-Level: X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE autolearn=no version=2.60-bugs.debian.org_2005_01_02 --Boundary-00=_h7GhDSMDK4U0Xhk Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Content-Disposition: inline Package: phpmyadmin Version: 4:2.6.2-3sarge1, 4:2.6.4-pl4-1 Severity: critical The patch by Martin Schulze in attachment. -- .''`. Piotr Roszatycki, Netia SA : :' : mailto:[EMAIL PROTECTED] `. `' mailto:[EMAIL PROTECTED] `- --Boundary-00=_h7GhDSMDK4U0Xhk Content-Type: text/x-diff; charset="us-ascii"; name="105.CVE-2005-3665.patch" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="105.CVE-2005-3665.patch" Cross-site scripting by trusting potentially user-supplied input. diff -u -p -Nr --exclude CVS phpmyadmin-2.6.2.orig/libraries/header_meta_style.inc.php phpmyadmin-2.6.2/libraries/header_meta_style.inc.php --- phpmyadmin-2.6.2.orig/libraries/header_meta_style.inc.php 2005-03-07 00:23:46.000000000 +0100 +++ phpmyadmin-2.6.2/libraries/header_meta_style.inc.php 2005-11-18 07:08:56.000000000 +0100 @@ -2,6 +2,10 @@ /* $Id: header_meta_style.inc.php,v 2.3 2005/03/06 23:23:46 nijel Exp $ */ // vim: expandtab sw=4 ts=4 sts=4: +if (isset($_REQUEST['GLOBALS']) || isset($_FILES['GLOBALS'])) { + die("GLOBALS overwrite attempt"); +} + /** * Sends the beginning of the html page then returns to the calling script */ diff -u -p -Nr --exclude CVS phpmyadmin-2.6.2.orig/libraries/header_http.inc.php phpmyadmin-2.6.2/libraries/header_http.inc.php --- phpmyadmin-2.6.2.orig/libraries/header_http.inc.php 2004-04-27 14:36:11.000000000 +0200 +++ phpmyadmin-2.6.2/libraries/header_http.inc.php 2005-11-18 22:06:46.000000000 +0100 @@ -2,6 +2,10 @@ /* $Id: header_http.inc.php,v 2.1 2004/04/27 12:36:11 nijel Exp $ */ // vim: expandtab sw=4 ts=4 sts=4: +if (isset($_REQUEST['GLOBALS']) || isset($_FILES['GLOBALS'])) { + die("GLOBALS overwrite attempt"); +} + /** * Sends http headers */ --Boundary-00=_h7GhDSMDK4U0Xhk-- --------------------------------------- Received: (at 340438-close) by bugs.debian.org; 23 Nov 2005 15:21:25 +0000 >From [EMAIL PROTECTED] Wed Nov 23 07:21:25 2005 Return-path: <[EMAIL PROTECTED]> Received: from katie by spohr.debian.org with local (Exim 4.50) id 1EewMz-0000sn-F3; Wed, 23 Nov 2005 07:17:13 -0800 From: Piotr Roszatycki <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] X-Katie: $Revision: 1.56 $ Subject: Bug#340438: fixed in phpmyadmin 4:2.6.4-pl4-2 Message-Id: <[EMAIL PROTECTED]> Sender: Archive Administrator <[EMAIL PROTECTED]> Date: Wed, 23 Nov 2005 07:17:13 -0800 X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 (1.212-2003-09-23-exp) on spohr.debian.org X-Spam-Level: X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER autolearn=no version=2.60-bugs.debian.org_2005_01_02 Source: phpmyadmin Source-Version: 4:2.6.4-pl4-2 We believe that the bug you reported is fixed in the latest version of phpmyadmin, which is due to be installed in the Debian FTP archive: phpmyadmin_2.6.4-pl4-2.diff.gz to pool/main/p/phpmyadmin/phpmyadmin_2.6.4-pl4-2.diff.gz phpmyadmin_2.6.4-pl4-2.dsc to pool/main/p/phpmyadmin/phpmyadmin_2.6.4-pl4-2.dsc phpmyadmin_2.6.4-pl4-2_all.deb to pool/main/p/phpmyadmin/phpmyadmin_2.6.4-pl4-2_all.deb A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Piotr Roszatycki <[EMAIL PROTECTED]> (supplier of updated phpmyadmin package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Format: 1.7 Date: Wed, 23 Nov 2005 14:31:15 +0100 Source: phpmyadmin Binary: phpmyadmin Architecture: source all Version: 4:2.6.4-pl4-2 Distribution: unstable Urgency: high Maintainer: Piotr Roszatycki <[EMAIL PROTECTED]> Changed-By: Piotr Roszatycki <[EMAIL PROTECTED]> Description: phpmyadmin - set of PHP-scripts to administrate MySQL over the WWW Closes: 340438 Changes: phpmyadmin (4:2.6.4-pl4-2) unstable; urgency=high . * Security fix: Cross-site scripting by trusting potentially user-supplied input. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3665 New 200-CVE-2005-3665.patch. Closes: #340438. Files: f50724af5d1d1a94e4c59cde254bb29d 646 web extra phpmyadmin_2.6.4-pl4-2.dsc dee08e0b184a51ddbf56957768ea614d 32276 web extra phpmyadmin_2.6.4-pl4-2.diff.gz 9c111a6f12bfd7b3dcaba01442714f7c 2900452 web extra phpmyadmin_2.6.4-pl4-2_all.deb -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (GNU/Linux) iD8DBQFDhHXshMHHe8CxClsRAgG8AJ9NDBKuy4+YxboG+4J3QgYk5PxirACgvKuJ zMyDIO5g/oE0YohLy6CqYIk= =+uRG -----END PGP SIGNATURE----- -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]