Package: phpmyadmin
Version: 4:4.5.4-1
Severity: grave
Justification: renders package unusable

Dear Maintainer,

phpMyAdmin as of version 4.5.4-1 uses php-seclib's Crypt\Random API (as per
the CVEs listed in the package changelog).

Unfortunately, there are two problems with Crypt\Random working out of the
box for the package:

 * PHPSECLIB_INC_DIR is not included in the open_basedir directive in the
/etc/phpmyadmin/apache.conf configuration file

 * the php-seclib present in sid at the moment is the 1.x version of the
library; phpmyadmin uses the object-oriented 2.x version of the library, which
at the moment is present in experimental only (and this is not marked
correctly in the package dependencies)

Note that php-seclib 2.x from experimental uses /usr/share/php/phpseclib/
path and that should be set as PHPSECLIB_INC_DIR.

Fixing PHPSECLIB_INC_DIR in
/usr/share/phpmyadmin/libraries/vendor_config.php, open_basedir in
/etc/phpmyadmin/apache.conf and installing php-seclib 2.0.1-1 from
experimental fixes the issue and makes phpmyadmin usable again.

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 4.3.0-1-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages phpmyadmin depends on:
ii  dbconfig-common        2.0.2
ii  dbconfig-mysql         2.0.2
ii  debconf [debconf-2.0]  1.5.58
ii  libapache2-mod-php5    5.6.17+dfsg-3
ii  libjs-sphinxdoc        1.3.5-1
ii  perl                   5.22.1-4
ii  php-gettext            1.0.11-2
ii  php-seclib             2.0.1-1
ii  php5                   5.6.17+dfsg-3
ii  php5-common            5.6.17+dfsg-3
ii  php5-json              1.3.7-1
ii  php5-mysql             5.6.17+dfsg-3
ii  ucf                    3.0033

Versions of packages phpmyadmin recommends:
ii  apache2 [httpd]                          2.4.18-1
ii  mysql-client                             5.6.28-1
ii  mysql-client-5.6 [virtual-mysql-client]  5.6.28-1
ii  nginx-light [httpd]                      1.9.10-1
ii  php-tcpdf                                6.0.093+dfsg-1
ii  php5-gd                                  5.6.17+dfsg-3

Versions of packages phpmyadmin suggests:
ii  elinks [www-browser]                     0.12~pre6-11+b2
ii  mysql-server-5.6 [virtual-mysql-server]  5.6.28-1
ii  w3m [www-browser]                        0.5.3-26

-- Configuration Files:
/etc/phpmyadmin/apache.conf changed [not included]

-- debconf information excluded
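The three-part workaround the report describes (add the phpseclib directory to open_basedir, repoint PHPSECLIB_INC_DIR, install the 2.x library), as an added example script that is not part of the bug report or of the Debian package. The paths /usr/share/php/phpseclib/, /etc/phpmyadmin/apache.conf and /usr/share/phpmyadmin/libraries/vendor_config.php are the ones named in the report; the exact form of the existing `php_admin_value open_basedir` line and of the `define('PHPSECLIB_INC_DIR', ...)` line is assumed, and the `demo` function exercises the edits on constructed copies rather than on the live files.

```shell
#!/bin/sh
# Added example (not from the bug report or the Debian package): apply and
# verify the workaround from the report. The file layouts below are assumed
# from constructed samples; check them against your real files first.
set -eu

SECLIB_DIR=/usr/share/php/phpseclib/

# Return 0 if the php_admin_value open_basedir line in CONF ($1) lists DIR ($2).
open_basedir_allows() {
    grep -q "php_admin_value[[:space:]]*open_basedir[[:space:]].*$2" "$1"
}

# Append SECLIB_DIR to the open_basedir list in CONF if it is missing.
# Idempotent: a second run leaves the file unchanged. Trailing colons or
# whitespace on the line are replaced rather than doubled.
add_seclib_to_open_basedir() {
    conf=$1
    open_basedir_allows "$conf" "$SECLIB_DIR" && return 0
    sed "/php_admin_value[[:space:]]*open_basedir/ s|:*[[:space:]]*\$|:$SECLIB_DIR|" \
        "$conf" > "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# Rewrite the PHPSECLIB_INC_DIR define in vendor_config.php ($1) to point at
# SECLIB_DIR (without the trailing slash).
set_phpseclib_inc_dir() {
    file=$1
    dir=${SECLIB_DIR%/}
    sed "s|define('PHPSECLIB_INC_DIR',[[:space:]]*'[^']*');|define('PHPSECLIB_INC_DIR', '$dir');|" \
        "$file" > "$file.tmp"
    mv "$file.tmp" "$file"
}

# Return 0 if vendor_config.php ($1) defines PHPSECLIB_INC_DIR as DIR ($2).
phpseclib_inc_dir_is() {
    grep -qF "define('PHPSECLIB_INC_DIR', '$2');" "$1"
}

# Run the whole procedure against constructed copies of the two files in a
# temporary directory; return 0 only if both checks pass afterwards and the
# open_basedir edit was applied exactly once.
demo() {
    tmp=$(mktemp -d)
    # Constructed sample resembling the Debian apache.conf snippet (assumed layout).
    cat > "$tmp/apache.conf" <<'EOF'
<Directory /usr/share/phpmyadmin>
    <IfModule mod_php5.c>
        php_admin_value open_basedir /usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/
    </IfModule>
</Directory>
EOF
    # Constructed sample of the upstream default define (assumed value).
    cat > "$tmp/vendor_config.php" <<'EOF'
<?php
define('PHPSECLIB_INC_DIR', './libraries/phpseclib');
EOF
    add_seclib_to_open_basedir "$tmp/apache.conf"
    add_seclib_to_open_basedir "$tmp/apache.conf"   # second run must be a no-op
    set_phpseclib_inc_dir "$tmp/vendor_config.php"
    open_basedir_allows "$tmp/apache.conf" "$SECLIB_DIR" || return 1
    phpseclib_inc_dir_is "$tmp/vendor_config.php" "${SECLIB_DIR%/}" || return 1
    [ "$(grep -c "$SECLIB_DIR" "$tmp/apache.conf")" -eq 1 ] || return 1
    rm -rf "$tmp"
    return 0
}

# To apply on a real system (as root), uncomment; the third line fetches the
# 2.x library from experimental, which is the version the report says
# phpmyadmin needs:
# add_seclib_to_open_basedir /etc/phpmyadmin/apache.conf
# set_phpseclib_inc_dir /usr/share/phpmyadmin/libraries/vendor_config.php
# apt-get -t experimental install php-seclib
```

After editing the live files, reload Apache so the new open_basedir value takes effect; `open_basedir_allows /etc/phpmyadmin/apache.conf /usr/share/php/phpseclib/` is a quick check that the directory is now whitelisted.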
