Hello community, here is the log from the commit of package phpMyAdmin for openSUSE:Factory checked in at Mon Aug 1 10:18:53 CEST 2011.
--------
--- phpMyAdmin/phpMyAdmin.changes 2011-07-04 15:30:23.000000000 +0200
+++ /mounts/work_src_done/STABLE/phpMyAdmin/phpMyAdmin.changes 2011-07-29 17:10:57.000000000 +0200
@@ -1,0 +2,7 @@
+Fri Jul 29 14:57:01 UTC 2011 - [email protected]
+
+- update to 3.4.3.2
+ o PMASA-2011-9 to PMASA-2011-12
+ http://www.phpmyadmin.net/home_page/security/
+
+-------------------------------------------------------------------
calling whatdependson for head-i586
Old:
----
phpMyAdmin-3.4.3.1-all-languages.tar.bz2
New:
----
phpMyAdmin-3.4.3.2-all-languages.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ phpMyAdmin.spec ++++++
--- /var/tmp/diff_new_pack.jf1KRn/_old 2011-08-01 10:17:41.000000000 +0200
+++ /var/tmp/diff_new_pack.jf1KRn/_new 2011-08-01 10:17:41.000000000 +0200
@@ -34,7 +34,7 @@
 %endif
 Summary: Administration of MySQL over the web
-Version: 3.4.3.1
+Version: 3.4.3.2
 Release: 1
 License: GPLv2+
 Group: Productivity/Networking/Web/Frontends
++++++ phpMyAdmin-3.4.3.1-all-languages.tar.bz2 -> phpMyAdmin-3.4.3.2-all-languages.tar.bz2 ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/phpMyAdmin-3.4.3.1-all-languages/ChangeLog new/phpMyAdmin-3.4.3.2-all-languages/ChangeLog
--- old/phpMyAdmin-3.4.3.1-all-languages/ChangeLog 2011-07-03 03:18:28.000000000 +0200
+++ new/phpMyAdmin-3.4.3.2-all-languages/ChangeLog 2011-07-23 14:42:50.000000000 +0200
@@ -1,6 +1,12 @@ phpMyAdmin - ChangeLog ====================== +3.4.3.2 (2011-07-23) +- [security] Fixed XSS vulnerability, see PMASA-2011-9 +- [security] Fixed local file inclusion vulnerability, see PMASA-2011-10 +- [security] Fixed local file inclusion vulnerability and code execution, see PMASA-2011-11 +- [security] Fixed possible session manipulation in swekey authentication, see PMASA-2011-12 + 3.4.3.1 (2011-07-02) - [security] Fixed possible session manipulation in swekey authentication, see PMASA-2011-5 - [security] Fixed possible code injection incase session variables are compromised, see PMASA-2011-6 @@ -95,7 +101,7 @@ + patch #2974341 [structure] Clicking on table name in db Structure should Browse the table if possible, thanks to bhdouglass - dougboybhd + patch #2975533 [search] New search operators, thanks to - Martynas MickeviÄius + Martynas Mickevičius + patch #2967320 [designer] Colored relations based on the primary key, thanks to GreenRover - greenrover - [core] Provide way for vendors to easily change paths to config files. @@ -249,7 +255,7 @@ 3.3.7.0 (2010-09-07) - patch #3050492 [PDF scratchboard] Cannot drag table box to the edge after - a page size increase, thanks to Martin Schönberger - mad05 + a page size increase, thanks to Martin Schönberger - mad05 3.3.6.0 (2010-08-28) - bug #3033063 [core] Navi gets wrong db name @@ -270,7 +276,7 @@ 3.3.5.0 (2010-07-26) - patch #2932113 [information_schema] Slow export when having lots of - databases, thanks to Stéphane Pontier - shadow_walker + databases, thanks to Stéphane Pontier - shadow_walker - bug #3022705 [import] Import button does not work in Catalan when there is no progress bar possible - bug [replication] Do not offer information_schema in the list of databases 
@@ -310,9 +316,9 @@ - patch #2984893 [engines] InnoDB storage page emits a warning, thanks to Madhura Jayaratne - madhuracj - bug #2974687, bug #2974692 [compatibility] PHPExcel : IBM AIX iconv() does not work, - thanks to Björn Wiberg - bwiberg + thanks to Björn Wiberg - bwiberg - bug #2983066 [interface] Flush table on table operations shows the query twice, - thanks to Martynas MickeviÄius - BlinK_ + thanks to Martynas Mickevičius - BlinK_ - bug #2983060, patch #2987900 [interface] Fix initial state of tables in designer, thanks to Sutharshan Balachandren. - bug #2983062, patch #2989408 [engines] Fix warnings when changing table @@ -391,7 +397,7 @@ + rfe #2839504 [engines] Support InnoDB plugin's new row formats + [core] Added ability for synchronizing databases among servers. + [lang] #2843101 Dutch update, thanks to scavenger2008 -+ [lang] Galician update, thanks to Xosé Calvo - xosecalvo ++ [lang] Galician update, thanks to Xosé Calvo - xosecalvo + [export] Added MediaWiki export module, thanks to Derek Schaefer - drummingds1 + [lang] Turkish update, thanks to Burak Yavuz diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/phpMyAdmin-3.4.3.1-all-languages/Documentation.html new/phpMyAdmin-3.4.3.2-all-languages/Documentation.html --- old/phpMyAdmin-3.4.3.1-all-languages/Documentation.html 2011-07-03 03:18:28.000000000 +0200 +++ new/phpMyAdmin-3.4.3.2-all-languages/Documentation.html 2011-07-23 14:42:50.000000000 +0200 @@ -9,7 +9,7 @@ <link rel="icon" href="./favicon.ico" type="image/x-icon" /> <link rel="shortcut icon" href="./favicon.ico" type="image/x-icon" /> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> - <title>phpMyAdmin 3.4.3.1 - Documentation</title> + <title>phpMyAdmin 3.4.3.2 - Documentation</title> <link rel="stylesheet" type="text/css" href="docs.css" /> </head> 
@@ -17,7 +17,7 @@
 <div id="header">
 <h1>
 <a href="http://www.phpmyadmin.net/">php<span class="myadmin">MyAdmin</span></a>
- 3.4.3.1
+ 3.4.3.2
 Documentation
 </h1>
 </div>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/phpMyAdmin-3.4.3.1-all-languages/Documentation.txt new/phpMyAdmin-3.4.3.2-all-languages/Documentation.txt
--- old/phpMyAdmin-3.4.3.1-all-languages/Documentation.txt 2011-07-03 03:18:28.000000000 +0200
+++ new/phpMyAdmin-3.4.3.2-all-languages/Documentation.txt 2011-07-23 14:42:50.000000000 +0200
@@ -1,4 +1,4 @@
-phpMyAdmin 3.4.3.1 Documentation
+phpMyAdmin 3.4.3.2 Documentation
 * Top
 * Requirements
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/phpMyAdmin-3.4.3.1-all-languages/README new/phpMyAdmin-3.4.3.2-all-languages/README
--- old/phpMyAdmin-3.4.3.1-all-languages/README 2011-07-03 03:18:28.000000000 +0200
+++ new/phpMyAdmin-3.4.3.2-all-languages/README 2011-07-23 14:42:50.000000000 +0200
@@ -1,7 +1,7 @@
 phpMyAdmin - Readme
 ===================
-Version 3.4.3.1
+Version 3.4.3.2
 A set of PHP-scripts to manage MySQL over the web.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/phpMyAdmin-3.4.3.1-all-languages/RELEASE-DATE-3.4.3.1 new/phpMyAdmin-3.4.3.2-all-languages/RELEASE-DATE-3.4.3.1
--- old/phpMyAdmin-3.4.3.1-all-languages/RELEASE-DATE-3.4.3.1 2011-07-03 03:18:28.000000000 +0200
+++ new/phpMyAdmin-3.4.3.2-all-languages/RELEASE-DATE-3.4.3.1 1970-01-01 01:00:00.000000000 +0100
@@ -1 +0,0 @@
-Sun Jul 3 01:17:20 UTC 2011
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/phpMyAdmin-3.4.3.1-all-languages/RELEASE-DATE-3.4.3.2 new/phpMyAdmin-3.4.3.2-all-languages/RELEASE-DATE-3.4.3.2
--- old/phpMyAdmin-3.4.3.1-all-languages/RELEASE-DATE-3.4.3.2 1970-01-01 01:00:00.000000000 +0100
+++ new/phpMyAdmin-3.4.3.2-all-languages/RELEASE-DATE-3.4.3.2 2011-07-23 14:42:50.000000000 +0200
@@ -0,0 +1 @@
+Sat Jul 23 12:41:41 UTC 2011
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/phpMyAdmin-3.4.3.1-all-languages/libraries/Config.class.php new/phpMyAdmin-3.4.3.2-all-languages/libraries/Config.class.php
--- old/phpMyAdmin-3.4.3.1-all-languages/libraries/Config.class.php 2011-07-03 03:18:28.000000000 +0200
+++ new/phpMyAdmin-3.4.3.2-all-languages/libraries/Config.class.php 2011-07-23 14:42:50.000000000 +0200
@@ -96,7 +96,7 @@
 */
 function checkSystem() {
- $this->set('PMA_VERSION', '3.4.3.1');
+ $this->set('PMA_VERSION', '3.4.3.2');
 /**
 * @deprecated
 */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/phpMyAdmin-3.4.3.1-all-languages/libraries/auth/swekey/swekey.auth.lib.php new/phpMyAdmin-3.4.3.2-all-languages/libraries/auth/swekey/swekey.auth.lib.php
--- old/phpMyAdmin-3.4.3.1-all-languages/libraries/auth/swekey/swekey.auth.lib.php 2011-07-03 03:18:28.000000000 +0200
+++ new/phpMyAdmin-3.4.3.2-all-languages/libraries/auth/swekey/swekey.auth.lib.php 2011-07-23 14:42:50.000000000 +0200
@@ -143,7 +143,9 @@
 return "Internal Error: CA File $caFile not found";
 $result = null;
- parse_str($_SERVER['QUERY_STRING']);
+ $swekey_id = $_GET['swekey_id'];
+ $swekey_otp = $_GET['swekey_otp'];
+
 if (isset($swekey_id)) {
 unset($_SESSION['SWEKEY']['AUTHENTICATED_SWEKEY']);
 if (! isset($_SESSION['SWEKEY']['RND_TOKEN'])) {
@@ -166,7 +168,7 @@
 $result = __('No valid authentication key plugged');
 if ($_SESSION['SWEKEY']['CONF_DEBUG']) {
- $result .= "<br>".$swekey_id;
+ $result .= "<br>" . htmlspecialchars($swekey_id);
 }
 unset($_SESSION['SWEKEY']['CONF_LOADED']); // reload the conf file
 }
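Review bot: `$swekey_id = $_GET['swekey_id'];` and `$swekey_otp = $_GET['swekey_otp'];` index `$_GET` without an existence check, so every request that carries neither parameter — the normal first visit to the login page — raises an undefined-index notice, and the `isset($swekey_id)` test that follows only works because the failed lookup leaves a null behind. Read them guarded instead: `$swekey_id = isset($_GET['swekey_id']) ? $_GET['swekey_id'] : null;` and the same for `$swekey_otp`. Replacing `parse_str($_SERVER['QUERY_STRING'])` with two named reads is the right direction, since the old call turned every query parameter into a local variable of this function. The enclosing function starts and ends outside the hunk.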
@@ -186,16 +188,16 @@ <script> if (key.length != 32) { - window.location.search="?swekey_id=" + key; + window.location.search="?swekey_id=" + key + "&token=<?php echo $_SESSION[' PMA_token ']; ?>"; } else { var url = "" + window.location; if (url.indexOf("?") > 0) url = url.substr(0, url.indexOf("?")); - Swekey_SetUnplugUrl(key, "pma_login", url + "?session_to_unset=<?php echo session_id();?>"); + Swekey_SetUnplugUrl(key, "pma_login", url + "?session_to_unset=<?php echo session_id();?>&token=<?php echo $_SESSION[' PMA_token ']; ?>"); var otp = Swekey_GetOtp(key, <?php echo '"'.$_SESSION['SWEKEY']['RND_TOKEN'].'"';?>); - window.location.search="?swekey_id=" + key + "&swekey_otp=" + otp; + window.location.search="?swekey_id=" + key + "&swekey_otp=" + otp + "&token=<?php echo $_SESSION[' PMA_token ']; ?>"; } </script> <?php diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/phpMyAdmin-3.4.3.1-all-languages/libraries/schema/User_Schema.class.php new/phpMyAdmin-3.4.3.2-all-languages/libraries/schema/User_Schema.class.php --- old/phpMyAdmin-3.4.3.1-all-languages/libraries/schema/User_Schema.class.php 2011-07-03 03:18:28.000000000 +0200 +++ new/phpMyAdmin-3.4.3.2-all-languages/libraries/schema/User_Schema.class.php 2011-07-23 14:42:50.000000000 +0200 
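Review bot: The session token is spliced into three JavaScript string literals with `<?php echo $_SESSION[' PMA_token ']; ?>`, and `key` and `otp` are concatenated into `window.location.search` without `encodeURIComponent()`. The token and `session_id()` are server-generated, so the exposure is low, but emitting the token once before the branch as `var pma_token = "<?php echo htmlspecialchars($_SESSION[' PMA_token ']); ?>";` and using `encodeURIComponent(key)` / `encodeURIComponent(otp)` in the three URL builders would make the output safe by construction and remove the triplicated PHP fragment. The enclosing PHP function and the surrounding `<script>` block start and end outside the hunk.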
@@ -567,10 +567,13 @@
 require_once './libraries/transformations.lib.php';
 require_once './libraries/Index.class.php';
 /**
- * default is PDF
+ * default is PDF, otherwise validate it's only letters a-z
 */
 global $db,$export_type;
- $export_type = isset($export_type) ? $export_type : 'pdf';
+ if (!isset($export_type) || !preg_match('/^[a-zA-Z]+$/', $export_type)) {
+ $export_type = 'pdf';
+ }
+
 PMA_DBI_select_db($db);
 include("./libraries/schema/".ucfirst($export_type)."_Relation_Schema.class.php");
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/phpMyAdmin-3.4.3.1-all-languages/schema_export.php new/phpMyAdmin-3.4.3.2-all-languages/schema_export.php
--- old/phpMyAdmin-3.4.3.1-all-languages/schema_export.php 2011-07-03 03:18:28.000000000 +0200
+++ new/phpMyAdmin-3.4.3.2-all-languages/schema_export.php 2011-07-23 14:42:50.000000000 +0200
@@ -37,7 +37,9 @@
 * default is PDF
 */
 global $db,$export_type;
-$export_type = isset($export_type) ? $export_type : 'pdf';
+if (!isset($export_type) || !preg_match('/^[a-zA-Z]+$/', $export_type)) {
+ $export_type = 'pdf';
+}
 PMA_DBI_select_db($db);
 $path = PMA_securePath(ucfirst($export_type));
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/phpMyAdmin-3.4.3.1-all-languages/sql.php new/phpMyAdmin-3.4.3.2-all-languages/sql.php
--- old/phpMyAdmin-3.4.3.1-all-languages/sql.php 2011-07-03 03:18:28.000000000 +0200
+++ new/phpMyAdmin-3.4.3.2-all-languages/sql.php 2011-07-23 14:42:50.000000000 +0200
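Review bot: `preg_match('/^[a-zA-Z]+$/', $export_type)` is not an exact match: in PCRE `$` also matches before a trailing newline, so a value such as `"pdf\n"` passes the check and `ucfirst()` then builds an include path with an embedded newline. No such file exists, so nothing unintended is loaded, but the intent written in the comment — letters only — needs `preg_match('/^[a-zA-Z]+$/D', $export_type)` (or `\A…\z` anchors). The same pattern appears in the schema_export.php hunk below and should be tightened there too. The rest of the enclosing function, including where the global `$export_type` is populated, is outside the hunk.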
@@ -719,7 +719,7 @@
 parse_str($_REQUEST['transform_fields_list'], $edited_values);
 foreach($mime_map as $transformation) {
- $include_file = $transformation['transformation'];
+ $include_file = PMA_securePath($transformation['transformation']);
 $column_name = $transformation['column_name'];
 $column_data = $edited_values[$column_name];
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/phpMyAdmin-3.4.3.1-all-languages/tbl_printview.php new/phpMyAdmin-3.4.3.2-all-languages/tbl_printview.php
--- old/phpMyAdmin-3.4.3.1-all-languages/tbl_printview.php 2011-07-03 03:18:28.000000000 +0200
+++ new/phpMyAdmin-3.4.3.2-all-languages/tbl_printview.php 2011-07-23 14:42:50.000000000 +0200
@@ -69,7 +69,7 @@
 $tbl_list .= (empty($tbl_list) ? '' : ', ') . PMA_backquote($table);
 }
- echo '<strong>'. __('Show tables') . ': ' . $tbl_list . '</strong>' . "\n";
+ echo '<strong>'. __('Show tables') . ': ' . htmlspecialchars($tbl_list) . '</strong>' . "\n";
 echo '<hr />' . "\n";
 } // end if
@@ -84,7 +84,7 @@
 }
 $counter++;
 echo '<div' . $breakstyle . '>' . "\n";
- echo '<h1>' . $table . '</h1>' . "\n";
+ echo '<h1>' . htmlspecialchars($table) . '</h1>' . "\n";
 /**
 * Gets table informations
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Remember to have fun...
--
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
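Review bot: `$include_file = PMA_securePath($transformation['transformation']);` sanitizes a file name rather than validating it, and the statement that consumes `$include_file` lies outside the hunk, so it is not visible here whether anything else constrains the path before it is included. Judging by the `$mime_map` loop the name is read from stored transformation configuration, so an allowlist check on the expected file-name shape — for example `if (! preg_match('/^[a-zA-Z0-9_]+\.inc\.php$/D', $include_file)) { continue; }` — or a `file_exists()` test against the transformations directory would make the intent explicit instead of depending on what PMA_securePath() strips. The enclosing foreach body continues past the hunk.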
