Hello community,

here is the log from the commit of package phpMyAdmin for openSUSE:Factory 
checked in at 2013-07-30 16:47:15
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/phpMyAdmin (Old)
 and      /work/SRC/openSUSE:Factory/.phpMyAdmin.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "phpMyAdmin"

Changes:
--------
--- /work/SRC/openSUSE:Factory/phpMyAdmin/phpMyAdmin.changes    2013-07-07 
22:21:53.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.phpMyAdmin.new/phpMyAdmin.changes       
2013-07-30 16:47:16.000000000 +0200
@@ -1,0 +2,22 @@
+Mon Jul 29 20:07:45 UTC 2013 - ch...@computersalat.de
+
+- fix for bnc#831896
+  * multiple XSS issues (+ a SQL injection and full path disclosure flaw)
+  * fix for PMASA-2013-9 (CWE-661 CWE-79 CWE-80)
+  * fix for PMASA-2013-11 (CWE-300 CWE-79)
+  * fix for PMASA-2013-12 (CWE-661 CWE-200)
+  * fix for PMASA-2013-13 (CWE-661 CWE-79 CWE-80)
+  * fix for PMASA-2013-14 (CWE-661 CWE-79)
+  * fix for PMASA-2013-15 (CWE-661 CWE-89 CWE-269)
+- update to 4.0.4.2 (2013-07-28)
+  * [security] Fix stored XSS in Server status monitor, see PMASA-2013-9
+  * [security] Fix stored XSS in navigation panel logo link, see PMASA-2013-9
+  * [security] Fix self-XSS in setup, trusted proxies validation, see 
PMASA-2013-9
+  * [security] Fix full path disclosure, see PMASA-2013-12
+  * [security] Fix control user SQL injection in pmd_pdf.php, see PMASA-2013-15
+  * [security] Fix control user SQL injection in schema_export.php, see 
PMASA-2013-15
+  * [security] Fix self-XSS in schema export, see PMASA-2013-14
+  * [security] Fix unencoded json object, see PMASA-2013-11
+  * [security] Fix stored XSS in link transformation plugin, see PMASA-2013-13
+
+-------------------------------------------------------------------

Old:
----
  phpMyAdmin-4.0.4.1-all-languages.tar.bz2

New:
----
  phpMyAdmin-4.0.4.2-all-languages.tar.bz2

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ phpMyAdmin.spec ++++++
--- /var/tmp/diff_new_pack.vRoDOk/_old  2013-07-30 16:47:17.000000000 +0200
+++ /var/tmp/diff_new_pack.vRoDOk/_new  2013-07-30 16:47:17.000000000 +0200
@@ -34,7 +34,7 @@
 Summary:        Administration of MySQL over the web
 License:        GPL-2.0+
 Group:          Productivity/Networking/Web/Frontends
-Version:        4.0.4.1
+Version:        4.0.4.2
 Release:        0
 Url:            http://www.phpMyAdmin.net
 Source0:        %{name}-%{version}-all-languages.tar.bz2
@@ -104,8 +104,6 @@
 find . -type d -exec chmod 755 {} \;
 find . -type f -exec chmod 644 {} \;
 find . -type f -name '*.orig' -exec rm {} \;
-#rm lang/*.sh
-%{__rm} libraries/.htaccess
 
 %build
 

++++++ phpMyAdmin-4.0.4.1-all-languages.tar.bz2 -> 
phpMyAdmin-4.0.4.2-all-languages.tar.bz2 ++++++
++++ 11935 lines of diff (skipped)

++++++ phpMyAdmin-config.patch ++++++
--- /var/tmp/diff_new_pack.vRoDOk/_old  2013-07-30 16:47:19.000000000 +0200
+++ /var/tmp/diff_new_pack.vRoDOk/_new  2013-07-30 16:47:19.000000000 +0200
@@ -1,5 +1,7 @@
---- config.sample.inc.php.orig 2013-05-03 14:16:36.000000000 +0200
-+++ config.sample.inc.php      2013-05-03 20:13:46.549034257 +0200
+Index: config.sample.inc.php
+===================================================================
+--- config.sample.inc.php.orig
++++ config.sample.inc.php
 @@ -11,10 +11,51 @@
   */
  
@@ -22,20 +24,20 @@
 + * $cfg['PmaAbsoluteUri_DisableWarning'] variable below.
 + */
 +$cfg['PmaAbsoluteUri'] = '';
-+ 
++
 +/*
   * This is needed for cookie based authentication to encrypt password in
   * cookie
 + * YOU MUST FILL IN THIS FOR COOKIE AUTH!
-  */
--$cfg['blowfish_secret'] = 'a8b7c6d'; /* YOU MUST FILL IN THIS FOR COOKIE 
AUTH! */
++ */
 +$cfg['blowfish_secret'] = '';
 +
 +/*
 + * Disable the default warning about $cfg['PmaAbsoluteUri'] not being set
 + * You should use this if and ONLY if the PmaAbsoluteUri auto-detection
 + * works perfectly.
-+ */
+  */
+-$cfg['blowfish_secret'] = 'a8b7c6d'; /* YOU MUST FILL IN THIS FOR COOKIE 
AUTH! */
 +$cfg['PmaAbsoluteUri_DisableWarning'] = false;
 +
 +/*
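Review bot: The refreshed patch still leaves `$cfg['blowfish_secret'] = '';` in the packaged config, and the only guidance beside it is `YOU MUST FILL IN THIS FOR COOKIE AUTH!`, which does not say what a suitable value looks like. Dropping upstream's example value `'a8b7c6d'` is sensible, since a published default would be shared by every install, but the comment should add something like `+ * Use a long, random value that is unique to this installation.` How phpMyAdmin behaves when the value stays empty is not visible in this diff, so confirm that cookie auth cannot run without a per-install secret. The enclosing patch hunk for config.sample.inc.php starts before these lines and continues after them.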
@@ -133,30 +135,12 @@
   * phpMyAdmin configuration storage settings.
   */
 +$cfg['Servers'][$i]['controlhost']         = '';
- 
--/* User used to manipulate with storage */
--// $cfg['Servers'][$i]['controlhost'] = '';
--// $cfg['Servers'][$i]['controluser'] = 'pma';
--// $cfg['Servers'][$i]['controlpass'] = 'pmapass';
++
 +// MySQL control user settings (this user must have read-only
 +// access to the "mysql/user" and "mysql/db" tables).
 +// The controluser is also used for all relational features (pmadb)
 +$cfg['Servers'][$i]['controluser']         = '';
- 
--/* Storage database and tables */
--// $cfg['Servers'][$i]['pmadb'] = 'phpmyadmin';
--// $cfg['Servers'][$i]['bookmarktable'] = 'pma__bookmark';
--// $cfg['Servers'][$i]['relation'] = 'pma__relation';
--// $cfg['Servers'][$i]['table_info'] = 'pma__table_info';
--// $cfg['Servers'][$i]['table_coords'] = 'pma__table_coords';
--// $cfg['Servers'][$i]['pdf_pages'] = 'pma__pdf_pages';
--// $cfg['Servers'][$i]['column_info'] = 'pma__column_info';
--// $cfg['Servers'][$i]['history'] = 'pma__history';
--// $cfg['Servers'][$i]['table_uiprefs'] = 'pma__table_uiprefs';
--// $cfg['Servers'][$i]['tracking'] = 'pma__tracking';
--// $cfg['Servers'][$i]['designer_coords'] = 'pma__designer_coords';
--// $cfg['Servers'][$i]['userconfig'] = 'pma__userconfig';
--// $cfg['Servers'][$i]['recent'] = 'pma__recent';
++
 +// The password needed for the controluser to login
 +// (see $cfg['Servers'][$i]['controluser'])
 +$cfg['Servers'][$i]['controlpass']         = '';
@@ -235,7 +219,26 @@
 +// used tables, but it will disappear after you logout.
 +//   DEFAULT: 'pma_recent'
 +$cfg['Servers'][$i]['recent']              = 'pma_recent';
-+ 
+ 
+-/* User used to manipulate with storage */
+-// $cfg['Servers'][$i]['controlhost'] = '';
+-// $cfg['Servers'][$i]['controluser'] = 'pma';
+-// $cfg['Servers'][$i]['controlpass'] = 'pmapass';
+-
+-/* Storage database and tables */
+-// $cfg['Servers'][$i]['pmadb'] = 'phpmyadmin';
+-// $cfg['Servers'][$i]['bookmarktable'] = 'pma__bookmark';
+-// $cfg['Servers'][$i]['relation'] = 'pma__relation';
+-// $cfg['Servers'][$i]['table_info'] = 'pma__table_info';
+-// $cfg['Servers'][$i]['table_coords'] = 'pma__table_coords';
+-// $cfg['Servers'][$i]['pdf_pages'] = 'pma__pdf_pages';
+-// $cfg['Servers'][$i]['column_info'] = 'pma__column_info';
+-// $cfg['Servers'][$i]['history'] = 'pma__history';
+-// $cfg['Servers'][$i]['table_uiprefs'] = 'pma__table_uiprefs';
+-// $cfg['Servers'][$i]['tracking'] = 'pma__tracking';
+-// $cfg['Servers'][$i]['designer_coords'] = 'pma__designer_coords';
+-// $cfg['Servers'][$i]['userconfig'] = 'pma__userconfig';
+-// $cfg['Servers'][$i]['recent'] = 'pma__recent';
  /* Contrib / Swekey authentication */
 -// $cfg['Servers'][$i]['auth_swekey_config'] = '/etc/swekey-pma.conf';
 +// The name of the file containing Swekey ids and login names for
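Review bot: The storage table name this patch writes into the packaged config uses a single underscore (`$cfg['Servers'][$i]['recent'] = 'pma_recent';`, documented as `DEFAULT: 'pma_recent'`), while the upstream sample lines it removes use a double underscore (`'pma__recent'`, `'pma__userconfig'`, and so on). If the storage tables are created with the double-underscore names (the creation script is not visible here, so verify), the configured name would not match and the feature would not find its table. Consider aligning the value and its comment with upstream, `$cfg['Servers'][$i]['recent'] = 'pma__recent';`, or saying in the comment that the name must match the table actually created. Only the `recent` entry is visible in this hunk; the other table settings lie outside it and may need the same check.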
@@ -276,7 +279,7 @@
  /*
 + * phpMyAdmin configuration storage settings.
 + */
-+ 
++
 +/*
 +$cfg['Servers'][$i]['controlhost']         = '';
 +$cfg['Servers'][$i]['controluser']         = '';
@@ -312,8 +315,10 @@
   * End of servers configuration
   */
  
---- libraries/vendor_config.php.orig   2013-05-03 14:16:36.000000000 +0200
-+++ libraries/vendor_config.php        2013-05-03 19:57:54.344938439 +0200
+Index: libraries/vendor_config.php
+===================================================================
+--- libraries/vendor_config.php.orig
++++ libraries/vendor_config.php
 @@ -17,18 +17,18 @@ if (! defined('PHPMYADMIN')) {
   * Path to changelog file, can be gzip compressed. Useful when you want to
   * have documentation somewhere else, eg. /usr/share/doc.
