Your message dated Mon, 20 Apr 2009 12:52:28 +0200
with message-id <[email protected]>
and subject line Re: Bug#524804: more info
has caused the Debian Bug report #524804,
regarding phpmyadmin: insufficient output sanitizing
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
524804: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=524804
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
package: phpmyadmin
severity: important
tags: security
Hello,
Fedora issued a security update for phpMyAdmin [0]:
Improvements for 3.1.3.2: - [security] Insufficient output sanitizing
when generating configuration file
http://www.phpmyadmin.net/home_page/security/PMASA-2009-4.php
Does this problem affect Debian, and should it be tracked as a security
issue? Thanks.
[0] https://admin.fedoraproject.org/updates/F10/FEDORA-2009-3700
--- End Message ---
--- Begin Message ---
Version: 4:3.1.3.2-1
On Mon, April 20, 2009 06:15, Michael S. Gilbert wrote:
> I was looking at the link as provided in Red Hat's announcement. This
> seems to be CVE-2009-1285, which Debian is already tracking as
> unimportant. However, the phpMyAdmin page considers the issue to be
> critical. Perhaps the Debian severity is too low?
This is because Debian by default protects the setup.php page with an
htaccess-style login and the config file is not writable, thus making the
vulnerability hard to exploit. I commented on this reasoning in my commit
message to the tracker.
As you can also find in the security tracker:
http://security-tracker.debian.net/tracker/CVE-2009-1285
all affected suites (squeeze/sid) are already updated with the new
version. Therefore we can close this bug.
I appreciate your effort in filing security bugs, but it helps to
cross-reference them against the security tracker first so that we avoid
unnecessary filings.
thanks,
Thijs
--- End Message ---
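The two mitigations Thijs relies on in the reply above (the setup page sits behind an htaccess-style login, and the generated config file is not writable by the web server) are the kind of thing an administrator should verify on a host rather than assume. The script below is an added example written for this page; it is not part of the bug report, of phpMyAdmin, or of Debian's phpmyadmin package. The Apache snippet, the paths, the `htpasswd.setup` file name and the `www-data` user name are assumptions for the demo; point the two functions at the real files on the host being audited.

```shell
#!/bin/sh
# Added example: audit the two mitigations cited in the bug discussion.
# The file layout, web-server user and Apache stanza below are assumptions
# for a constructed demo tree, not Debian's actual package contents.
set -eu

# writable_by_web FILE WEBUSER
# Returns 0 (true) if FILE could be written by the web-server user: it is
# owned by WEBUSER with the owner-write bit set, or it is group- or
# world-writable (group membership is not checked, so group-write is
# treated as writable to stay conservative). Returns 1 otherwise.
# Parses `ls -ld` instead of `stat` so GNU and BSD userlands behave alike.
writable_by_web() {
    file=$1
    webuser=$2
    [ -e "$file" ] || return 1
    set -- $(ls -ld "$file")   # $1 = mode string, $3 = owner
    mode=$1
    owner=$3
    case "$mode" in
        ????????w*) return 0 ;;   # world-writable
        ?????w*)    return 0 ;;   # group-writable
    esac
    if [ "$owner" = "$webuser" ]; then
        case "$mode" in
            ??w*) return 0 ;;     # owned by the web user, owner-write set
        esac
    fi
    return 1
}

# setup_protected APACHE_CONF
# Returns 0 if APACHE_CONF has a <Directory ...setup> block that either
# demands a login (AuthType plus "Require valid-user") or denies access
# outright ("Deny from all" / "Require all denied"). Returns 1 otherwise,
# including when no such block exists at all.
setup_protected() {
    conf=$1
    [ -f "$conf" ] || return 1
    awk '
        tolower($0) ~ /<directory[^>]*setup/                         { inblk = 1; next }
        inblk && tolower($0) ~ /<\/directory>/                       { inblk = 0 }
        inblk && tolower($0) ~ /^[ \t]*authtype/                     { auth = 1 }
        inblk && tolower($0) ~ /^[ \t]*require[ \t]+valid-user/      { req = 1 }
        inblk && tolower($0) ~ /(deny from all|require all denied)/  { denied = 1 }
        END { exit !(denied || (auth && req)) }
    ' "$conf"
}

# Demo on a constructed tree (assumed layout, not a real install).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc/phpmyadmin"
cat > "$demo_root/etc/phpmyadmin/config.inc.php" <<'EOF'
<?php
$cfg['blowfish_secret'] = 'demo-only';
EOF
chmod 0640 "$demo_root/etc/phpmyadmin/config.inc.php"

cat > "$demo_root/apache.conf" <<'EOF'
<Directory /usr/share/phpmyadmin/setup>
    AuthType Basic
    AuthName "phpMyAdmin Setup"
    AuthUserFile /etc/phpmyadmin/htpasswd.setup
    Require valid-user
</Directory>
EOF

if writable_by_web "$demo_root/etc/phpmyadmin/config.inc.php" www-data; then
    echo "config.inc.php: writable by the web server (injected config would persist)"
else
    echo "config.inc.php: not writable by the web server"
fi
if setup_protected "$demo_root/apache.conf"; then
    echo "setup/: protected by login or denial"
else
    echo "setup/: UNPROTECTED"
fi
rm -rf "$demo_root"
```

Both checks are deliberately conservative: a group-writable config file counts as writable even if the web user is not in that group, and a setup block that merely sets `Options` without any `AuthType`/`Require` line is reported as unprotected. Run it as a user who can read the Apache configuration; the ownership check itself does not need root.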