Bug#944228: stretch-pu: package phpmyadmin/4:4.6.6-4+deb9u1

2020-03-28 Thread Adam D. Barratt
On Sat, 2020-03-28 at 12:10 +0530, Utkarsh Gupta wrote:
> Hi Adam.
> 
> On Tue, 28 Jan 2020 08:35:54 + "Adam D. Barratt"
>  wrote:
> > Control: tags -1 + confirmed
> > Thanks. Please go ahead.
> 
> For some reason, this upload never happened.
> However, now, the maintainer, William (CCed here) has prepared these
> CVE fixes + some new CVEs on top of this, too.
> All of these CVE(s) have been fixed in unstable (and in Jessie, too).
> 
> Please let me know if we have an ack from your side to upload the fix
> for all the CVEs in Stretch?

As Salvatore noted, the distribution should be "stretch", rather than
"stretch-security". It would also be worth adding "found" versions to
the bugs for the 2020 CVEs, to make it clearer that they also apply to
the stretch package.

Other than that, please go ahead.

Regards,

Adam



Bug#944228: stretch-pu: package phpmyadmin/4:4.6.6-4+deb9u1

2020-03-28 Thread Salvatore Bonaccorso
Hi,

[disclaimer: not part of the SRMers, so this counts as neither ack nor
nack]

On Sat, Mar 28, 2020 at 12:10:12PM +0530, Utkarsh Gupta wrote:
> Hi Adam.
> 
> On Tue, 28 Jan 2020 08:35:54 + "Adam D. Barratt"
>  wrote:
> > Control: tags -1 + confirmed
> > Thanks. Please go ahead.
> 
> For some reason, this upload never happened.
> However, now, the maintainer, William (CCed here) has prepared these
> CVE fixes + some new CVEs on top of this, too.
> All of these CVE(s) have been fixed in unstable (and in Jessie, too).
> 
> Please let me know if we have an ack from your side to upload the fix
> for all the CVEs in Stretch?
> 
> Attaching the debdiff.

The target distribution should be 'stretch' for the stretch-pu upload.

Regards,
Salvatore



Bug#944228: stretch-pu: package phpmyadmin/4:4.6.6-4+deb9u1

2020-03-28 Thread Utkarsh Gupta
Hi Adam.

On Tue, 28 Jan 2020 08:35:54 + "Adam D. Barratt"
 wrote:
> Control: tags -1 + confirmed
> Thanks. Please go ahead.

For some reason, this upload never happened.
However, now, the maintainer, William (CCed here) has prepared these
CVE fixes + some new CVEs on top of this, too.
All of these CVE(s) have been fixed in unstable (and in Jessie, too).

Please let me know if we have an ack from your side to upload the fix
for all the CVEs in Stretch?

Attaching the debdiff.


Best,
Utkarsh


debdiff
Description: Binary data


Processed: Re: Bug#944228: stretch-pu: package phpmyadmin/4:4.6.6-4+deb9u1

2020-01-28 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + confirmed
Bug #944228 [release.debian.org] stretch-pu: package phpmyadmin/4:4.6.6-4+deb9u1
Added tag(s) confirmed.

-- 
944228: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944228
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#944228: stretch-pu: package phpmyadmin/4:4.6.6-4+deb9u1

2020-01-28 Thread Adam D. Barratt

Control: tags -1 + confirmed

On 2019-11-12 01:24, Matthias Blümel wrote:

phpmyadmin 4.9.1+dfsg1-2 is now in unstable which fixes these issues


Thanks. Please go ahead.

Regards,

Adam



Bug#944228: stretch-pu: package phpmyadmin/4:4.6.6-4+deb9u1

2019-11-11 Thread Matthias Blümel
phpmyadmin 4.9.1+dfsg1-2 is now in unstable which fixes these issues

On Wed, 06 Nov 2019 11:50:51 + "Adam D. Barratt" <
a...@adam-barratt.org.uk> wrote:
> Control: tags -1 + moreinfo
> 
> On 2019-11-06 11:23, Felipe Sateler wrote:
> > This update fixes several security issues, plus an important bug.
> > Additionally we fix the metadata reflecting the maintainership change.
> > 
> > Here is the changelog, with debdiff attached.
> > 
> > phpmyadmin (4:4.6.6-4+deb9u1) stretch; urgency=medium
> > 
> >   [ Matthias Blümel ]
> >   * Several security fixes
> > - Cross-site scripting (XSS) vulnerability in 
> > db_central_columns.php
> >   (PMASA-2018-1, CVE-2018-7260, Closes: #893539)
> > - Remove transformation plugin includes
> >   (PMASA-2018-6, CVE-2018-19968)
> > - Fix Stored Cross-Site Scripting (XSS) in navigation tree
> >   (PMASA-2018-8, CVE-2018-19970)
> > - Fix information leak (arbitrary file read) using SQL queries
> >   (PMASA-2019-1, CVE-2019-6799, Closes: #920823)
> > - a specially crafted username can be used to trigger a SQL 
> > injection attack
> >   (PMASA-2019-2, CVE-2019-6798, Closes: #920822)
> > - SQL injection in Designer feature
> >   (PMASA-2019-3, CVE-2019-11768, Closes: #930048)
> > - CSRF vulnerability in login form
> >   (PMASA-2019-4, CVE-2019-12616, Closes: #930017)
> 
> According to the BTS and Security Tracker, at least some of these issues
> affect the package in unstable and aren't currently fixed there. Is that
> correct?
> 
> Regards,
> 
> Adam
> 
> 



Bug#944228: stretch-pu: package phpmyadmin/4:4.6.6-4+deb9u1

2019-11-06 Thread Felipe Sateler
On Wed, Nov 6, 2019 at 8:51 AM Adam D. Barratt 
wrote:

> Control: tags -1 + moreinfo
>
> On 2019-11-06 11:23, Felipe Sateler wrote:
> > This update fixes several security issues, plus an important bug.
> > Additionally we fix the metadata reflecting the maintainership change.
> >
> > Here is the changelog, with debdiff attached.
> >
> > phpmyadmin (4:4.6.6-4+deb9u1) stretch; urgency=medium
> >
> >   [ Matthias Blümel ]
> >   * Several security fixes
> > - Cross-site scripting (XSS) vulnerability in
> > db_central_columns.php
> >   (PMASA-2018-1, CVE-2018-7260, Closes: #893539)
> > - Remove transformation plugin includes
> >   (PMASA-2018-6, CVE-2018-19968)
> > - Fix Stored Cross-Site Scripting (XSS) in navigation tree
> >   (PMASA-2018-8, CVE-2018-19970)
> > - Fix information leak (arbitrary file read) using SQL queries
> >   (PMASA-2019-1, CVE-2019-6799, Closes: #920823)
> > - a specially crafted username can be used to trigger a SQL
> > injection attack
> >   (PMASA-2019-2, CVE-2019-6798, Closes: #920822)
> > - SQL injection in Designer feature
> >   (PMASA-2019-3, CVE-2019-11768, Closes: #930048)
> > - CSRF vulnerability in login form
> >   (PMASA-2019-4, CVE-2019-12616, Closes: #930017)
>
> According to the BTS and Security Tracker, at least some of these issues
> affect the package in unstable and aren't currently fixed there. Is that
> correct?
>

Yes, it is correct. This is because in unstable we are aiming for version
4.9, but we are waiting on some NEW packages for that upload to happen.


-- 

Saludos,
Felipe Sateler


Bug#944228: stretch-pu: package phpmyadmin/4:4.6.6-4+deb9u1

2019-11-06 Thread Adam D. Barratt

Control: tags -1 + moreinfo

On 2019-11-06 11:23, Felipe Sateler wrote:

This update fixes several security issues, plus an important bug.
Additionally we fix the metadata reflecting the maintainership change.

Here is the changelog, with debdiff attached.

phpmyadmin (4:4.6.6-4+deb9u1) stretch; urgency=medium

  [ Matthias Blümel ]
  * Several security fixes
- Cross-site scripting (XSS) vulnerability in db_central_columns.php
  (PMASA-2018-1, CVE-2018-7260, Closes: #893539)
- Remove transformation plugin includes
  (PMASA-2018-6, CVE-2018-19968)
- Fix Stored Cross-Site Scripting (XSS) in navigation tree
  (PMASA-2018-8, CVE-2018-19970)
- Fix information leak (arbitrary file read) using SQL queries
  (PMASA-2019-1, CVE-2019-6799, Closes: #920823)
- a specially crafted username can be used to trigger a SQL injection attack
  (PMASA-2019-2, CVE-2019-6798, Closes: #920822)
- SQL injection in Designer feature
  (PMASA-2019-3, CVE-2019-11768, Closes: #930048)
- CSRF vulnerability in login form
  (PMASA-2019-4, CVE-2019-12616, Closes: #930017)


According to the BTS and Security Tracker, at least some of these issues 
affect the package in unstable and aren't currently fixed there. Is that 
correct?


Regards,

Adam



Processed: Re: Bug#944228: stretch-pu: package phpmyadmin/4:4.6.6-4+deb9u1

2019-11-06 Thread Debian Bug Tracking System
Processing control commands:

> tags -1 + moreinfo
Bug #944228 [release.debian.org] stretch-pu: package phpmyadmin/4:4.6.6-4+deb9u1
Added tag(s) moreinfo.

-- 
944228: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944228
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#944228: stretch-pu: package phpmyadmin/4:4.6.6-4+deb9u1

2019-11-06 Thread Felipe Sateler
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

This update fixes several security issues, plus an important bug.
Additionally we fix the metadata reflecting the maintainership change.

Here is the changelog, with debdiff attached.

phpmyadmin (4:4.6.6-4+deb9u1) stretch; urgency=medium

  [ Matthias Blümel ]
  * Several security fixes
- Cross-site scripting (XSS) vulnerability in db_central_columns.php
  (PMASA-2018-1, CVE-2018-7260, Closes: #893539)
- Remove transformation plugin includes
  (PMASA-2018-6, CVE-2018-19968)
- Fix Stored Cross-Site Scripting (XSS) in navigation tree
  (PMASA-2018-8, CVE-2018-19970)
- Fix information leak (arbitrary file read) using SQL queries
  (PMASA-2019-1, CVE-2019-6799, Closes: #920823)
- a specially crafted username can be used to trigger a SQL injection attack
  (PMASA-2019-2, CVE-2019-6798, Closes: #920822)
- SQL injection in Designer feature
  (PMASA-2019-3, CVE-2019-11768, Closes: #930048)
- CSRF vulnerability in login form
  (PMASA-2019-4, CVE-2019-12616, Closes: #930017)
  * Set Vcs-* to point to salsa
  * Remove Thijs Kinkhorst and Michal Čihař from Uploaders. Thanks for all
your work!

  [ Juri Grabowski ]
  * Fix Vcs- URLs

  [ William Desportes ]
  * Add debian gitlab pipelines config.

  [ Felipe Sateler ]
  * Set phpMyAdmin team as Maintainer

  [ Michal Čihař ]
  * Fix open_basedir setting for PHP 7 (Closes: #867882).

  > This is the non-security fix. The default config was not updated for
  > changes in the php-gettext path for 7.0.


 -- Felipe Sateler   Wed, 06 Nov 2019 08:12:18 -0300


Thanks for your consideration

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 
'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.2.0-3-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru phpmyadmin-4.6.6/debian/changelog phpmyadmin-4.6.6/debian/changelog
--- phpmyadmin-4.6.6/debian/changelog   2017-04-07 11:54:26.0 -0300
+++ phpmyadmin-4.6.6/debian/changelog   2019-11-06 08:12:18.0 -0300
@@ -1,3 +1,40 @@
+phpmyadmin (4:4.6.6-4+deb9u1) stretch; urgency=medium
+
+  [ Matthias Blümel ]
+  * Several security fixes
+- Cross-site scripting (XSS) vulnerability in db_central_columns.php
+  (PMASA-2018-1, CVE-2018-7260, Closes: #893539)
+- Remove transformation plugin includes
+  (PMASA-2018-6, CVE-2018-19968)
+- Fix Stored Cross-Site Scripting (XSS) in navigation tree
+  (PMASA-2018-8, CVE-2018-19970)
+- Fix information leak (arbitrary file read) using SQL queries
+  (PMASA-2019-1, CVE-2019-6799, Closes: #920823)
+- a specially crafted username can be used to trigger a SQL injection 
attack
+  (PMASA-2019-2, CVE-2019-6798, Closes: #920822)
+- SQL injection in Designer feature
+  (PMASA-2019-3, CVE-2019-11768, Closes: #930048)
+- CSRF vulnerability in login form
+  (PMASA-2019-4, CVE-2019-12616, Closes: #930017)
+  * Set Vcs-* to point to salsa
+  * Remove Thijs Kinkhorst and Michal Čihař from Uploaders. Thanks for all
+your work!
+
+  [ Juri Grabowski ]
+  * Fix Vcs- URLs
+
+  [ William Desportes ]
+  * Add debian gitlab pipelines config.
+
+  [ Felipe Sateler ]
+  * Set phpMyAdmin team as Maintainer
+
+  [ Michal Čihař ]
+  * Fix open_basedir setting for PHP 7 (Closes: #867882).
+
+
+ -- Felipe Sateler   Wed, 06 Nov 2019 08:12:18 -0300
+
 phpmyadmin (4:4.6.6-4) unstable; urgency=medium
 
   * Build depend on locales-all to ensure en_US.UTF-8 is available (see
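Review bot: the entries for PMASA-2018-6 (CVE-2018-19968) and PMASA-2018-8 (CVE-2018-19970) carry no "Closes: #NNNNNN" reference, unlike the other five security items in this changelog; if Debian bugs exist for them, add the references so the BTS records the fixed version for stretch, which is also what later "found" version bookkeeping relies on. The line "Remove transformation plugin includes" describes the code change rather than the issue class; phrasing it like the neighbouring entries (what the vulnerability was, not what was deleted) would make the changelog usable as a security summary on its own.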
diff -Nru phpmyadmin-4.6.6/debian/conf/apache.conf 
phpmyadmin-4.6.6/debian/conf/apache.conf
--- phpmyadmin-4.6.6/debian/conf/apache.conf2016-12-01 04:42:43.0 
-0300
+++ phpmyadmin-4.6.6/debian/conf/apache.conf2019-11-06 08:12:18.0 
-0300
@@ -29,7 +29,7 @@
 
 php_value include_path .
 php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp
-php_admin_value open_basedir 
/usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/usr/share/php/php-gettext/:/usr/share/php/php-gettext/:/usr/share/javascript/:/usr/share/php/tcpdf/:/usr/share/doc/phpmyadmin/:/usr/share/php/phpseclib/
+php_admin_value open_basedir 
/usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/usr/share/php/php-gettext/:/usr/share/php/php-php-gettext/:/usr/share/javascript/:/usr/share/php/tcpdf/:/usr/share/doc/phpmyadmin/:/usr/share/php/phpseclib/
 php_admin_value mbstring.func_overload 0
 
 
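Review bot: the new open_basedir value keeps /usr/share/php/php-gettext/ next to the added /usr/share/php/php-php-gettext/, so the old path (which the previous line listed twice) survives as an allow-listed entry; if that directory no longer exists on stretch with PHP 7, drop it, because open_basedir is an allow-list and every entry widens what the application may open. It is also worth checking whether the package ships any other web-server configuration carrying the same open_basedir line, since only debian/conf/apache.conf is touched here while the changelog entry "Fix open_basedir setting for PHP 7 (Closes: #867882)" reads as a general fix.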
diff -Nru phpmyadmin-4.6.6/debian/control phpmyadmin-4.6.6/debian/control
--- phpmyadmin-4.6.6/debian/control
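An added check, written for this page and not part of the thread or of the phpmyadmin package, that lints the open_basedir directive changed in the apache.conf hunk of the debdiff above. The two directive strings are transcribed from that hunk (re-joined, since the mail wrapped them). The check flags duplicate entries (the old line lists /usr/share/php/php-gettext/ twice), entries that do not exist on the system (a renamed package directory silently stops being readable, which is the #867882 symptom the changelog refers to), relative entries, and entries without a trailing slash, which PHP matches as path prefixes rather than as directories. The `isdir` parameter and the fake filesystem in the `__main__` section are assumptions of this example so it runs offline.

```python
"""Lint a PHP open_basedir directive as shipped in an Apache php_admin_value line.

Added example for this thread; not phpmyadmin's code. The two directive
strings below are transcribed from the debdiff's apache.conf hunk.
"""
import os
from typing import Callable, Dict, List

# Transcribed from the debdiff (before the change); it lists php-gettext twice.
OLD_DIRECTIVE = (
    "php_admin_value open_basedir "
    "/usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:"
    "/usr/share/php/php-gettext/:/usr/share/php/php-gettext/:"
    "/usr/share/javascript/:/usr/share/php/tcpdf/:"
    "/usr/share/doc/phpmyadmin/:/usr/share/php/phpseclib/"
)
# Transcribed from the debdiff (after the change): one php-gettext entry is
# replaced by the PHP 7 path php-php-gettext, the other is kept.
NEW_DIRECTIVE = (
    "php_admin_value open_basedir "
    "/usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:"
    "/usr/share/php/php-gettext/:/usr/share/php/php-php-gettext/:"
    "/usr/share/javascript/:/usr/share/php/tcpdf/:"
    "/usr/share/doc/phpmyadmin/:/usr/share/php/phpseclib/"
)


def parse_open_basedir(line: str) -> List[str]:
    """Return the entries of a php_value/php_admin_value open_basedir line.

    PHP separates open_basedir entries with ':' on Unix (';' on Windows,
    not handled here). Empty entries from stray separators are dropped.
    """
    parts = line.split(None, 2)
    if (len(parts) != 3 or parts[0] not in ("php_value", "php_admin_value")
            or parts[1] != "open_basedir"):
        raise ValueError("not an open_basedir directive: %r" % line)
    return [p for p in parts[2].split(":") if p]


def check_open_basedir(line: str,
                       isdir: Callable[[str], bool] = os.path.isdir) -> Dict[str, List[str]]:
    """Report problems in an open_basedir allow-list.

    isdir is injectable so the check can run against a hypothetical filesystem
    (an assumption of this example; the default inspects the local system).
    """
    entries = parse_open_basedir(line)
    unique = list(dict.fromkeys(entries))  # order-preserving dedup
    seen = set()
    duplicates: List[str] = []
    for e in entries:
        if e in seen and e not in duplicates:
            duplicates.append(e)
        seen.add(e)
    return {
        # Harmless to PHP, but a sign of a stale, copy-pasted allow-list.
        "duplicates": duplicates,
        # A renamed package directory silently stops being readable by the app.
        "missing": [e for e in unique if not isdir(e)],
        # Relative entries depend on the process's working directory, so the
        # effective allow-list is not what the administrator wrote down.
        "not_absolute": [e for e in unique if not e.startswith("/")],
        # PHP matches open_basedir entries as prefixes: "/usr/share/php/tcpdf"
        # also admits "/usr/share/php/tcpdf-other"; a trailing slash pins the
        # entry to the directory itself.
        "no_trailing_slash": [e for e in unique if not e.endswith("/")],
    }


def report(line: str, isdir: Callable[[str], bool] = os.path.isdir) -> str:
    """Human-readable summary, one finding per line; empty string when clean."""
    findings = check_open_basedir(line, isdir)
    kinds = ("duplicates", "missing", "not_absolute", "no_trailing_slash")
    return "\n".join("%s: %s" % (kind, e) for kind in kinds for e in findings[kind])


if __name__ == "__main__":
    # Constructed fake filesystem: a stretch box where the PHP 7 directory
    # exists and the old php-gettext directory is gone (not measured anywhere).
    fake_fs = {"/usr/share/phpmyadmin/", "/etc/phpmyadmin/", "/var/lib/phpmyadmin/",
               "/usr/share/php/php-php-gettext/", "/usr/share/javascript/",
               "/usr/share/php/tcpdf/", "/usr/share/doc/phpmyadmin/",
               "/usr/share/php/phpseclib/"}
    for name, directive in (("old", OLD_DIRECTIVE), ("new", NEW_DIRECTIVE)):
        print("== %s ==" % name)
        print(report(directive, isdir=lambda p: p in fake_fs) or "clean")
```

Run against the real system (default `isdir`) on a stretch host to confirm which of the two php-gettext directories actually exists before deciding whether the old entry can be dropped from the directive.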