Bug#944228: stretch-pu: package phpmyadmin/4:4.6.6-4+deb9u1
On Sat, 2020-03-28 at 12:10 +0530, Utkarsh Gupta wrote:
> Hi Adam.
>
> On Tue, 28 Jan 2020 08:35:54 + "Adam D. Barratt" wrote:
> > Control: tags -1 + confirmed
> >
> > Thanks. Please go ahead.
>
> For some reason, this upload never happened.
> However, now, the maintainer, William (CCed here) has prepared these
> CVE fixes + some new CVEs on top of this, too.
> All of these CVE(s) have been fixed in unstable (and in Jessie, too).
>
> Please let me know if we have an ack from your side to upload the fix
> for all the CVEs in Stretch?

As Salvatore noted, the distribution should be "stretch", rather than "stretch-security". It would also be worth adding "found" versions to the bugs for the 2020 CVEs, to make it clearer that they also apply to the stretch package.

Other than that, please go ahead.

Regards,

Adam
Bug#944228: stretch-pu: package phpmyadmin/4:4.6.6-4+deb9u1
Hi,

[disclaimer: not part of the SRMers, so this counts not as ack or nack]

On Sat, Mar 28, 2020 at 12:10:12PM +0530, Utkarsh Gupta wrote:
> Hi Adam.
>
> On Tue, 28 Jan 2020 08:35:54 + "Adam D. Barratt" wrote:
> > Control: tags -1 + confirmed
> >
> > Thanks. Please go ahead.
>
> For some reason, this upload never happened.
> However, now, the maintainer, William (CCed here) has prepared these
> CVE fixes + some new CVEs on top of this, too.
> All of these CVE(s) have been fixed in unstable (and in Jessie, too).
>
> Please let me know if we have an ack from your side to upload the fix
> for all the CVEs in Stretch?
>
> Attaching the debdiff.

The target distribution should be 'stretch' for the stretch-pu upload.

Regards,
Salvatore
Bug#944228: stretch-pu: package phpmyadmin/4:4.6.6-4+deb9u1
Hi Adam.

On Tue, 28 Jan 2020 08:35:54 + "Adam D. Barratt" wrote:
> Control: tags -1 + confirmed
>
> Thanks. Please go ahead.

For some reason, this upload never happened.
However, now, the maintainer, William (CCed here) has prepared these CVE fixes + some new CVEs on top of this, too.
All of these CVE(s) have been fixed in unstable (and in Jessie, too).

Please let me know if we have an ack from your side to upload the fix for all the CVEs in Stretch?

Attaching the debdiff.

Best,
Utkarsh
Processed: Re: Bug#944228: stretch-pu: package phpmyadmin/4:4.6.6-4+deb9u1
Processing control commands:

> tags -1 + confirmed
Bug #944228 [release.debian.org] stretch-pu: package phpmyadmin/4:4.6.6-4+deb9u1
Added tag(s) confirmed.

--
944228: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944228
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#944228: stretch-pu: package phpmyadmin/4:4.6.6-4+deb9u1
Control: tags -1 + confirmed

On 2019-11-12 01:24, Matthias Blümel wrote:
> phpmyadmin 4.9.1+dfsg1-2 is now in unstable which fixes these issues

Thanks. Please go ahead.

Regards,

Adam
Bug#944228: stretch-pu: package phpmyadmin/4:4.6.6-4+deb9u1
phpmyadmin 4.9.1+dfsg1-2 is now in unstable which fixes these issues

On Wed, 06 Nov 2019 11:50:51 + "Adam D. Barratt" <a...@adam-barratt.org.uk> wrote:
> Control: tags -1 + moreinfo
>
> On 2019-11-06 11:23, Felipe Sateler wrote:
> > This update fixes several security issues, plus an important bug.
> > Additionally we fix the metadata reflecting the maintainership change.
> >
> > Here is the changelog, with debdiff attached.
> >
> > phpmyadmin (4:4.6.6-4+deb9u1) stretch; urgency=medium
> >
> >   [ Matthias Blümel ]
> >   * Several security fixes
> >     - Cross-site scripting (XSS) vulnerability in db_central_columns.php
> >       (PMASA-2018-1, CVE-2018-7260, Closes: #893539)
> >     - Remove transformation plugin includes
> >       (PMASA-2018-6, CVE-2018-19968)
> >     - Fix Stored Cross-Site Scripting (XSS) in navigation tree
> >       (PMASA-2018-8, CVE-2018-19970)
> >     - Fix information leak (arbitrary file read) using SQL queries
> >       (PMASA-2019-1, CVE-2019-6799, Closes: #920823)
> >     - a specially crafted username can be used to trigger a SQL injection attack
> >       (PMASA-2019-2, CVE-2019-6798, Closes: #920822)
> >     - SQL injection in Designer feature
> >       (PMASA-2019-3, CVE-2019-11768, Closes: #930048)
> >     - CSRF vulnerability in login form
> >       (PMASA-2019-4, CVE-2019-12616, Closes: #930017)
>
> According to the BTS and Security Tracker, at least some of these issues
> affect the package in unstable and aren't currently fixed there. Is that
> correct?
>
> Regards,
>
> Adam
Bug#944228: stretch-pu: package phpmyadmin/4:4.6.6-4+deb9u1
On Wed, Nov 6, 2019 at 8:51 AM Adam D. Barratt wrote:
> Control: tags -1 + moreinfo
>
> On 2019-11-06 11:23, Felipe Sateler wrote:
> > This update fixes several security issues, plus an important bug.
> > Additionally we fix the metadata reflecting the maintainership change.
> >
> > Here is the changelog, with debdiff attached.
> >
> > phpmyadmin (4:4.6.6-4+deb9u1) stretch; urgency=medium
> >
> >   [ Matthias Blümel ]
> >   * Several security fixes
> >     - Cross-site scripting (XSS) vulnerability in db_central_columns.php
> >       (PMASA-2018-1, CVE-2018-7260, Closes: #893539)
> >     - Remove transformation plugin includes
> >       (PMASA-2018-6, CVE-2018-19968)
> >     - Fix Stored Cross-Site Scripting (XSS) in navigation tree
> >       (PMASA-2018-8, CVE-2018-19970)
> >     - Fix information leak (arbitrary file read) using SQL queries
> >       (PMASA-2019-1, CVE-2019-6799, Closes: #920823)
> >     - a specially crafted username can be used to trigger a SQL injection attack
> >       (PMASA-2019-2, CVE-2019-6798, Closes: #920822)
> >     - SQL injection in Designer feature
> >       (PMASA-2019-3, CVE-2019-11768, Closes: #930048)
> >     - CSRF vulnerability in login form
> >       (PMASA-2019-4, CVE-2019-12616, Closes: #930017)
>
> According to the BTS and Security Tracker, at least some of these issues
> affect the package in unstable and aren't currently fixed there. Is that
> correct?

Yes, it is correct. This is because in unstable we are aiming for version 4.9, but we are waiting on some NEW packages for that upload to happen.

--
Saludos,
Felipe Sateler
Bug#944228: stretch-pu: package phpmyadmin/4:4.6.6-4+deb9u1
Control: tags -1 + moreinfo

On 2019-11-06 11:23, Felipe Sateler wrote:
> This update fixes several security issues, plus an important bug.
> Additionally we fix the metadata reflecting the maintainership change.
>
> Here is the changelog, with debdiff attached.
>
> phpmyadmin (4:4.6.6-4+deb9u1) stretch; urgency=medium
>
>   [ Matthias Blümel ]
>   * Several security fixes
>     - Cross-site scripting (XSS) vulnerability in db_central_columns.php
>       (PMASA-2018-1, CVE-2018-7260, Closes: #893539)
>     - Remove transformation plugin includes
>       (PMASA-2018-6, CVE-2018-19968)
>     - Fix Stored Cross-Site Scripting (XSS) in navigation tree
>       (PMASA-2018-8, CVE-2018-19970)
>     - Fix information leak (arbitrary file read) using SQL queries
>       (PMASA-2019-1, CVE-2019-6799, Closes: #920823)
>     - a specially crafted username can be used to trigger a SQL injection attack
>       (PMASA-2019-2, CVE-2019-6798, Closes: #920822)
>     - SQL injection in Designer feature
>       (PMASA-2019-3, CVE-2019-11768, Closes: #930048)
>     - CSRF vulnerability in login form
>       (PMASA-2019-4, CVE-2019-12616, Closes: #930017)

According to the BTS and Security Tracker, at least some of these issues affect the package in unstable and aren't currently fixed there. Is that correct?

Regards,

Adam
Processed: Re: Bug#944228: stretch-pu: package phpmyadmin/4:4.6.6-4+deb9u1
Processing control commands:

> tags -1 + moreinfo
Bug #944228 [release.debian.org] stretch-pu: package phpmyadmin/4:4.6.6-4+deb9u1
Added tag(s) moreinfo.
Bug#944228: stretch-pu: package phpmyadmin/4:4.6.6-4+deb9u1
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian@packages.debian.org
Usertags: pu

This update fixes several security issues, plus an important bug. Additionally we fix the metadata reflecting the maintainership change.

Here is the changelog, with debdiff attached.

phpmyadmin (4:4.6.6-4+deb9u1) stretch; urgency=medium

  [ Matthias Blümel ]
  * Several security fixes
    - Cross-site scripting (XSS) vulnerability in db_central_columns.php
      (PMASA-2018-1, CVE-2018-7260, Closes: #893539)
    - Remove transformation plugin includes
      (PMASA-2018-6, CVE-2018-19968)
    - Fix Stored Cross-Site Scripting (XSS) in navigation tree
      (PMASA-2018-8, CVE-2018-19970)
    - Fix information leak (arbitrary file read) using SQL queries
      (PMASA-2019-1, CVE-2019-6799, Closes: #920823)
    - a specially crafted username can be used to trigger a SQL injection attack
      (PMASA-2019-2, CVE-2019-6798, Closes: #920822)
    - SQL injection in Designer feature
      (PMASA-2019-3, CVE-2019-11768, Closes: #930048)
    - CSRF vulnerability in login form
      (PMASA-2019-4, CVE-2019-12616, Closes: #930017)
  * Set Vcs-* to point to salsa
  * Remove Thijs Kinkhorst and Michal Čihař from Uploaders. Thanks for all
    your work!

  [ Juri Grabowski ]
  * Fix Vcs- URLs

  [ William Desportes ]
  * Add debian gitlab pipelines config.

  [ Felipe Sateler ]
  * Set phpMyAdmin team as Maintainer

  [ Michal Čihař ]
  * Fix open_basedir setting for PHP 7 (Closes: #867882).

    > This is the non-security fix. The default config was not updated for
    > changes in the php-gettext path for 7.0.
 -- Felipe Sateler  Wed, 06 Nov 2019 08:12:18 -0300

Thanks for your consideration

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.2.0-3-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

diff -Nru phpmyadmin-4.6.6/debian/changelog phpmyadmin-4.6.6/debian/changelog --- phpmyadmin-4.6.6/debian/changelog 2017-04-07 11:54:26.0 -0300 +++ phpmyadmin-4.6.6/debian/changelog 2019-11-06 08:12:18.0 -0300 
@@ -1,3 +1,40 @@ +phpmyadmin (4:4.6.6-4+deb9u1) stretch; urgency=medium + + [ Matthias Blümel ] + * Several security fixes +- Cross-site scripting (XSS) vulnerability in db_central_columns.php + (PMASA-2018-1, CVE-2018-7260, Closes: #893539) +- Remove transformation plugin includes + (PMASA-2018-6, CVE-2018-19968) +- Fix Stored Cross-Site Scripting (XSS) in navigation tree + (PMASA-2018-8, CVE-2018-19970) +- Fix information leak (arbitrary file read) using SQL queries + (PMASA-2019-1, CVE-2019-6799, Closes: #920823) +- a specially crafted username can be used to trigger a SQL injection attack + (PMASA-2019-2, CVE-2019-6798, Closes: #920822) +- SQL injection in Designer feature + (PMASA-2019-3, CVE-2019-11768, Closes: #930048) +- CSRF vulnerability in login form + (PMASA-2019-4, CVE-2019-12616, Closes: #930017) + * Set Vcs-* to point to salsa + * Remove Thijs Kinkhorst and Michal Čihař from Uploaders. Thanks for all +your work! + + [ Juri Grabowski ] + * Fix Vcs- URLs + + [ William Desportes ] + * Add debian gitlab pipelines config. + + [ Felipe Sateler ] + * Set phpMyAdmin team as Maintainer + + [ Michal Čihař ] + * Fix open_basedir setting for PHP 7 (Closes: #867882). + + + -- Felipe Sateler Wed, 06 Nov 2019 08:12:18 -0300 + phpmyadmin (4:4.6.6-4) unstable; urgency=medium * Build depend on locales-all to ensure en_US.UTF-8 is available (see diff -Nru phpmyadmin-4.6.6/debian/conf/apache.conf phpmyadmin-4.6.6/debian/conf/apache.conf --- phpmyadmin-4.6.6/debian/conf/apache.conf2016-12-01 04:42:43.0 -0300 +++ phpmyadmin-4.6.6/debian/conf/apache.conf2019-11-06 08:12:18.0 -0300 
@@ -29,7 +29,7 @@ php_value include_path . php_admin_value upload_tmp_dir /var/lib/phpmyadmin/tmp -php_admin_value open_basedir /usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/usr/share/php/php-gettext/:/usr/share/php/php-gettext/:/usr/share/javascript/:/usr/share/php/tcpdf/:/usr/share/doc/phpmyadmin/:/usr/share/php/phpseclib/ +php_admin_value open_basedir /usr/share/phpmyadmin/:/etc/phpmyadmin/:/var/lib/phpmyadmin/:/usr/share/php/php-gettext/:/usr/share/php/php-php-gettext/:/usr/share/javascript/:/usr/share/php/tcpdf/:/usr/share/doc/phpmyadmin/:/usr/share/php/phpseclib/ php_admin_value mbstring.func_overload 0 diff -Nru phpmyadmin-4.6.6/debian/control phpmyadmin-4.6.6/debian/control --- phpmyadmin-4.6.6/debian/control
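Review bot: in the debian/changelog hunk, the entries for PMASA-2018-6 (CVE-2018-19968) and PMASA-2018-8 (CVE-2018-19970) are the only security items without a `Closes:` reference, while the other five each name a bug; if BTS bugs exist for those two CVEs they should be listed so the stretch upload closes them and the tracking stays consistent with the rest of the entry, and if none exist a short note to that effect in the stretch-pu bug would save the reviewer the lookup.

Review bot: in the debian/conf/apache.conf hunk the old open_basedir value listed /usr/share/php/php-gettext/ twice, and the change replaces the duplicate with /usr/share/php/php-php-gettext/, matching the changelog's "Fix open_basedir setting for PHP 7 (Closes: #867882)". Since open_basedir is the boundary that restricts which directories the PHP process may open, every added entry widens what the application can read; here the added directory is that of a dependency the application already loads, so the scope is appropriate, and keeping the earlier php-gettext entry beside it keeps both package layouts working. The diff shows only apache.conf receiving the change; if the package also ships an open_basedir directive for another web server, that file needs the same entry or the PHP 7 path will still be blocked there.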