Your message dated Wed, 23 Nov 2005 07:17:13 -0800
with message-id <[EMAIL PROTECTED]>
and subject line Bug#340438: fixed in phpmyadmin 4:2.6.4-pl4-2
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 23 Nov 2005 13:32:04 +0000
>From [EMAIL PROTECTED] Wed Nov 23 05:32:04 2005
Return-path: <[EMAIL PROTECTED]>
Received: from lars.internetia.pl ([195.114.173.133])
by spohr.debian.org with esmtp (Exim 4.50)
id 1EeujE-0003jX-GE
for [EMAIL PROTECTED]; Wed, 23 Nov 2005 05:32:04 -0800
Received: from szafir.internetia.pl ([212.106.7.66.28034])
by lars.internetia.pl with esmtp (Exim 3.35)
envelope-from <[EMAIL PROTECTED]>
for <[EMAIL PROTECTED]>
id 1Eeuii-0007oF-00; Wed, 23 Nov 2005 14:31:32 +0100
Received: from wlnet-host-250.wlnet.com.pl ([80.72.34.250.18469] helo=ginsan)
by szafir.internetia.pl with esmtp (TLSv1:RC4-MD5:128) (Exim 3.35)
envelope-from <[EMAIL PROTECTED]>
for <[EMAIL PROTECTED]>
id 1EeuiS-0004AX-00; Wed, 23 Nov 2005 14:31:16 +0100
From: Piotr Roszatycki <[EMAIL PROTECTED]>
Subject: CVE-2005-3665: Cross-site scripting by trusting potentially
user-supplied input.
Date: Wed, 23 Nov 2005 14:30:08 +0100
User-Agent: KMail/1.8.3
Cc: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: Multipart/Mixed;
boundary="Boundary-00=_h7GhDSMDK4U0Xhk"
To: Undisclosed.Recipients: ;
Message-Id: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE
autolearn=no version=2.60-bugs.debian.org_2005_01_02
--Boundary-00=_h7GhDSMDK4U0Xhk
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Package: phpmyadmin
Version: 4:2.6.2-3sarge1, 4:2.6.4-pl4-1
Severity: critical
The patch by Martin Schulze in attachment.
--
.''`. Piotr Roszatycki, Netia SA
: :' : mailto:[EMAIL PROTECTED]
`. `' mailto:[EMAIL PROTECTED]
`-
--Boundary-00=_h7GhDSMDK4U0Xhk
Content-Type: text/x-diff;
charset="us-ascii";
name="105.CVE-2005-3665.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
filename="105.CVE-2005-3665.patch"
Cross-site scripting by trusting potentially user-supplied input.
diff -u -p -Nr --exclude CVS
phpmyadmin-2.6.2.orig/libraries/header_meta_style.inc.php
phpmyadmin-2.6.2/libraries/header_meta_style.inc.php
--- phpmyadmin-2.6.2.orig/libraries/header_meta_style.inc.php 2005-03-07
00:23:46.000000000 +0100
+++ phpmyadmin-2.6.2/libraries/header_meta_style.inc.php 2005-11-18
07:08:56.000000000 +0100
@@ -2,6 +2,10 @@
/* $Id: header_meta_style.inc.php,v 2.3 2005/03/06 23:23:46 nijel Exp $ */
// vim: expandtab sw=4 ts=4 sts=4:
+if (isset($_REQUEST['GLOBALS']) || isset($_FILES['GLOBALS'])) {
+ die("GLOBALS overwrite attempt");
+}
+
/**
* Sends the beginning of the html page then returns to the calling script
*/
diff -u -p -Nr --exclude CVS
phpmyadmin-2.6.2.orig/libraries/header_http.inc.php
phpmyadmin-2.6.2/libraries/header_http.inc.php
--- phpmyadmin-2.6.2.orig/libraries/header_http.inc.php 2004-04-27
14:36:11.000000000 +0200
+++ phpmyadmin-2.6.2/libraries/header_http.inc.php 2005-11-18
22:06:46.000000000 +0100
@@ -2,6 +2,10 @@
/* $Id: header_http.inc.php,v 2.1 2004/04/27 12:36:11 nijel Exp $ */
// vim: expandtab sw=4 ts=4 sts=4:
+if (isset($_REQUEST['GLOBALS']) || isset($_FILES['GLOBALS'])) {
+ die("GLOBALS overwrite attempt");
+}
+
/**
* Sends http headers
*/
--Boundary-00=_h7GhDSMDK4U0Xhk--
---------------------------------------
Received: (at 340438-close) by bugs.debian.org; 23 Nov 2005 15:21:25 +0000
>From [EMAIL PROTECTED] Wed Nov 23 07:21:25 2005
Return-path: <[EMAIL PROTECTED]>
Received: from katie by spohr.debian.org with local (Exim 4.50)
id 1EewMz-0000sn-F3; Wed, 23 Nov 2005 07:17:13 -0800
From: Piotr Roszatycki <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#340438: fixed in phpmyadmin 4:2.6.4-pl4-2
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Wed, 23 Nov 2005 07:17:13 -0800
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
Source: phpmyadmin
Source-Version: 4:2.6.4-pl4-2
We believe that the bug you reported is fixed in the latest version of
phpmyadmin, which is due to be installed in the Debian FTP archive:
phpmyadmin_2.6.4-pl4-2.diff.gz
to pool/main/p/phpmyadmin/phpmyadmin_2.6.4-pl4-2.diff.gz
phpmyadmin_2.6.4-pl4-2.dsc
to pool/main/p/phpmyadmin/phpmyadmin_2.6.4-pl4-2.dsc
phpmyadmin_2.6.4-pl4-2_all.deb
to pool/main/p/phpmyadmin/phpmyadmin_2.6.4-pl4-2_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Piotr Roszatycki <[EMAIL PROTECTED]> (supplier of updated phpmyadmin package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Wed, 23 Nov 2005 14:31:15 +0100
Source: phpmyadmin
Binary: phpmyadmin
Architecture: source all
Version: 4:2.6.4-pl4-2
Distribution: unstable
Urgency: high
Maintainer: Piotr Roszatycki <[EMAIL PROTECTED]>
Changed-By: Piotr Roszatycki <[EMAIL PROTECTED]>
Description:
phpmyadmin - set of PHP-scripts to administrate MySQL over the WWW
Closes: 340438
Changes:
phpmyadmin (4:2.6.4-pl4-2) unstable; urgency=high
.
* Security fix: Cross-site scripting by trusting potentially user-supplied
input.
See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3665
New 200-CVE-2005-3665.patch. Closes: #340438.
Files:
f50724af5d1d1a94e4c59cde254bb29d 646 web extra phpmyadmin_2.6.4-pl4-2.dsc
dee08e0b184a51ddbf56957768ea614d 32276 web extra phpmyadmin_2.6.4-pl4-2.diff.gz
9c111a6f12bfd7b3dcaba01442714f7c 2900452 web extra
phpmyadmin_2.6.4-pl4-2_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFDhHXshMHHe8CxClsRAgG8AJ9NDBKuy4+YxboG+4J3QgYk5PxirACgvKuJ
zMyDIO5g/oE0YohLy6CqYIk=
=+uRG
-----END PGP SIGNATURE-----
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
