phpmyadmin 4.9.1+dfsg1-2 is now in unstable which fixes these issues
On Wed, 06 Nov 2019 11:50:51 +0000 "Adam D. Barratt" <
a...@adam-barratt.org.uk> wrote:
> Control: tags -1 + moreinfo
>
> On 2019-11-06 11:23, Felipe Sateler wrote:
> > This update fixes several security issues, plus an important bug.
> > Additionally we fix the metadata reflecting the maintainership
change.
> >
> > Here is the changelog, with debdiff attached.
> >
> > phpmyadmin (4:4.6.6-4+deb9u1) stretch; urgency=medium
> >
> > [ Matthias Blümel ]
> > * Several security fixes
> > - Cross-site scripting (XSS) vulnerability in
> > db_central_columns.php
> > (PMASA-2018-1, CVE-2018-7260, Closes: #893539)
> > - Remove transformation plugin includes
> > (PMASA-2018-6, CVE-2018-19968)
> > - Fix Stored Cross-Site Scripting (XSS) in navigation tree
> > (PMASA-2018-8, CVE-2018-19970)
> > - Fix information leak (arbitrary file read) using SQL queries
> > (PMASA-2019-1, CVE-2019-6799, Closes: #920823)
> > - a specially crafted username can be used to trigger a SQL
> > injection attack
> > (PMASA-2019-2, CVE-2019-6798, Closes: #920822)
> > - SQL injection in Designer feature
> > (PMASA-2019-3, CVE-2019-11768, Closes: #930048)
> > - CSRF vulnerability in login form
> > (PMASA-2019-4, CVE-2019-12616, Closes: #930017)
>
> According to the BTS and Security Tracker, at least some of these
issues
> affect the package in unstable and aren't currently fixed there. Is
that
> correct?
>
> Regards,
>
> Adam
>
>