Re: PMASA-2005-6 when "register_globals = on"
On Tue, 15 Nov 2005, Steve Kemp wrote:
> On Tue, Nov 15, 2005 at 05:54:32PM +0100, Piotr Roszatycki wrote:
> > http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-6 reports
> > that sarge's phpmyadmin package has a security flaw which occurs only if the
> > "register_globals = on" setting is used.
> >
> > This feature is disabled in the Debian package by default, so I doubt this is
> > a serious problem. I'd like to ask if I should prepare the new package for
> > sarge or not?
>
> I think an upload would be justified.

Agreed. I know from real life that many servers are *forced* to run with
register_globals = on, due to reasons I'd rather not comment upon.

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
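Henrique's point that many hosts are forced to keep register_globals = on is the reason application code cannot rely on the php.ini default. The following is an added PHP example, not code from this thread or from phpMyAdmin: it shows the pattern that register_globals = on makes exploitable, the explicit initialisation that is safe under either setting, and a startup guard for hosts stuck with the setting on. check_credentials is a hypothetical placeholder.

```php
<?php
// Added example, not code from this thread or from phpMyAdmin. It shows the
// pattern that register_globals = on makes exploitable, the explicit
// initialisation that is safe under either setting, and a startup guard for
// hosts that are forced to keep the setting on. register_globals was removed
// in PHP 5.4; there ini_get() returns false and the guard does nothing.

// Guard: if register_globals is on, drop every global that was registered
// from the request so the rest of the script starts with a clean scope.
function undo_register_globals()
{
    if (!filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
        return false;                       // setting is off: nothing to undo
    }
    $protected = array('_GET', '_POST', '_COOKIE', '_FILES', '_ENV',
                       '_SERVER', '_REQUEST', '_SESSION', 'GLOBALS');
    foreach (array($_GET, $_POST, $_COOKIE, $_FILES, $_ENV, $_SERVER) as $src) {
        foreach (array_keys($src) as $name) {
            if (!in_array($name, $protected, true)) {
                unset($GLOBALS[$name]);     // never touch the superglobals themselves
            }
        }
    }
    return true;
}
undo_register_globals();

// Vulnerable pattern: a file-scope flag that is never initialised. Without the
// guard above and with register_globals = on, a request carrying ?authorized=1
// defines $authorized before this check runs, so it passes for anyone.
if (!empty($authorized)) {
    echo "privileged path (vulnerable pattern)\n";
}

// Hardened pattern: initialise first, then derive the flag only from validated
// input read through the superglobals. The request cannot pre-set $authorized.
$authorized = false;
$user = isset($_POST['user']) ? (string) $_POST['user'] : '';
$pass = isset($_POST['pass']) ? (string) $_POST['pass'] : '';
if (check_credentials($user, $pass)) {
    $authorized = true;
}

// Hypothetical stand-in for the application's real credential check.
function check_credentials($user, $pass)
{
    return $user === 'admin' && $pass === 'constructed-sample-password';
}
```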
Re: PMASA-2005-6 when "register_globals = on"
On Tue, Nov 15, 2005 at 05:54:32PM +0100, Piotr Roszatycki wrote:
> http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-6 reports
> that sarge's phpmyadmin package has a security flaw which occurs only if the
> "register_globals = on" setting is used.
>
> This feature is disabled in the Debian package by default, so I doubt this is
> a serious problem. I'd like to ask if I should prepare the new package for
> sarge or not?

I think an upload would be justified.

Steve
Re: PMASA-2005-6 when "register_globals = on"
Neil McGovern wrote:
> On Tue, Nov 15, 2005 at 05:54:32PM +0100, Piotr Roszatycki wrote:
> > http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-6 reports
> > that sarge's phpmyadmin package has a security flaw which occurs only if the
> > "register_globals = on" setting is used.
> >
> > This feature is disabled in the Debian package by default, so I doubt this is
> > a serious problem. I'd like to ask if I should prepare the new package for
> > sarge or not?
>
> According to the advisory, all versions < 2.6.4-pl4 are affected
> (2.7.0-beta1 from the development schema).
>
> This would mean that this affects sid and etch too. Has a bug been
> filed/a CVE number assigned for this?

I don't know of one. We may have to go without one for the moment.

Also, a second issue has just popped up:
http://www.fitsec.com/advisories/FS-05-02.txt

I'd be glad if you could provide patches and packages for both issues.
(both because in the second the path disclosure is bogus for us since
dpkg -c will disclose the path as well).

Regards,

	Joey

-- 
The only stupid question is the unasked one.

Please always Cc to me when replying to me on the lists.
Re: PMASA-2005-6 when "register_globals = on"
On Tue, Nov 15, 2005 at 05:54:32PM +0100, Piotr Roszatycki wrote:
> http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-6 reports
> that sarge's phpmyadmin package has a security flaw which occurs only if the
> "register_globals = on" setting is used.
>
> This feature is disabled in the Debian package by default, so I doubt this is
> a serious problem. I'd like to ask if I should prepare the new package for
> sarge or not?

According to the advisory, all versions < 2.6.4-pl4 are affected
(2.7.0-beta1 from the development schema).

This would mean that this affects sid and etch too. Has a bug been
filed/a CVE number assigned for this?

Cheers,
Neil
-- 
  __
.` `.  [EMAIL PROTECTED] | Application Manager
: :' !                   | Secure-Testing Team member
'. `-  gpg: B345BDD3     | Webapps Team member
  `-   Please don't cc, I'm subscribed to the list
PMASA-2005-6 when "register_globals = on"
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-6 reports
that sarge's phpmyadmin package has a security flaw which occurs only if the
"register_globals = on" setting is used.

This feature is disabled in the Debian package by default, so I doubt this is
a serious problem. I'd like to ask if I should prepare the new package for
sarge or not?

-- 
 .''`.    Piotr Roszatycki, Netia SA
: :' :    mailto:[EMAIL PROTECTED]
`. `'     mailto:[EMAIL PROTECTED]
  `-