Your message dated Sun, 10 Nov 2019 15:38:18 +0000
with message-id <e1itpia-0008oh...@fasolo.debian.org>
and subject line Bug#920822: fixed in phpmyadmin 4:4.9.1+dfsg1-2
has caused the Debian Bug report #920822,
regarding phpmyadmin: CVE-2019-6798: PMASA-2019-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
920822: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920822
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: phpmyadmin
Version: 4:4.6.6-5
Severity: grave
Tags: security upstream
Control: found -1 4:4.6.6-4

Hi,

The following vulnerability was published for phpmyadmin.

CVE-2019-6798[0]:
| An issue was discovered in phpMyAdmin before 4.8.5. A vulnerability was
| reported where a specially crafted username can be used to trigger a
| SQL injection attack through the designer feature.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-6798
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6798
[1] https://www.phpmyadmin.net/security/PMASA-2019-2/

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: phpmyadmin
Source-Version: 4:4.9.1+dfsg1-2

We believe that the bug you reported is fixed in the latest version of
phpmyadmin, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 920...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthias Blümel <deb...@blaimi.de> (supplier of updated phpmyadmin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 01 Nov 2019 19:33:40 +0100
Source: phpmyadmin
Architecture: source
Version: 4:4.9.1+dfsg1-2
Distribution: unstable
Urgency: medium
Maintainer: phpMyAdmin Packaging Team <team+phpmyad...@tracker.debian.org>
Changed-By: Matthias Blümel <deb...@blaimi.de>
Closes: 772741 883417 884827 890595 893539 896490 914673 917755 920822 920823 
930017 930048 943209
Changes:
 phpmyadmin (4:4.9.1+dfsg1-2) unstable; urgency=medium
 .
   * Adjust open_basedir setting for ubuntu eoan
 .
 phpmyadmin (4:4.9.1+dfsg1-1) unstable; urgency=medium
 .
   * New upstream version 4.9.1.
   * Remove webbased setup (Closes: #772741)
   * Check for weak blowfish key and regenerate if necessary during update
   * fix avahi service-installation (Closes: #914673, LP: #1293558)
   * fix bug in sql-script for non-default tablename (Closes: #884827)
 .
 phpmyadmin (4:4.9.0.1+dfsg1-1) unstable; urgency=medium
 .
   [ Matthias Blümel ]
   * New upstream version 4.9.0.1.
   * Update Package for new composer-oriented structure in upstream
   * Update Traslations
     - Catalan
     - Ukrainian
     - Chinese (Traditional)
   * New Translations
     - Romanian
     - Indonesian
   * New upstream release, fixing several security issues:
     - Warings when running under php 7.2
       (Closes: #890595)
     - FTBFS with phpunit 6.4.4-2
       (Closes: #883417, Closes: #917755)
     - Bypass $cfg['Servers'][$i]['AllowNoPassword']
       (PMASA-2017-8, CVE-2017-18264)
     - XSRF/CSRF vulnerability in phpMyAdmin
       (PMASA-2017-9, CVE-2017-1000499)
     - Self XSS in central columns feature
       (PMASA-2018-1, CVE-2018-7260, Closes: #893539)
     - CSRF vulnerability allowing arbitrary SQL execution
       (PMASA-2018-2, CVE-2018-10188, Closes: #896490)
     - XSS in Designer feature
       (PMASA-2018-3, CVE-2018-12581)
     - Bug that can be used for XSS when importing files
     - Local file inclusion
       (PMASA-2018-6, CVE-2018-19968)
     - XSRF/CSRF vulnerabilities allowing a to perform harmful operations
       (PMASA-2018-7, CVE-2018-19969)
     - an XSS vulnerability in the navigation tree
       (PMASA-2018-8, CVE-2018-19970)
     - Arbitrary file read vulnerability
       (PMASA-2019-1, CVE-2019-6799, Closes: #920823)
     - SQL injection in the Designer interface
       (PMASA-2019-2, CVE-2019-6798, Closes: #920822)
     - SQL injection in Designer feature
       (PMASA-2019-3, CVE-2019-11768, Closes: #930048))
     - CSRF vulnerability in login form
       (PMASA-2019-4, CVE-2019-12616, Closes: #930017)
   * patch to allow twig in version 2
   * adjust autoload path with libapache2-mod-php, load Twig-Extensions and 
tcpdf
   * adjust apache-config with open_basedir for dependencies
   * Set TempDir to /var/lib/phpmyadmin/tmp for twig-cache
   * add config-table upgrade for version 4.7.0+
   * enable unittests and patch to use phpunit 7, fix build-deps
   * update to standards-version 4.3.0
   * add Debian CI testfile
   * depend on python3-sphinx instead of python-sphinx which is python2 
(Closes: #943209)
   * don't chown tmp-dir recursive and remove useless entries in 'dirs'
   * add sensible-utils to dependencies for .desktop-file
   * simplify apache-config
     * mbstring.func_overload = 0 is default and not set 
(/etc/php/7.3/apache2/php.ini)
     * SetHandler is now in the configuration of libapache2-mod-php 
(/etc/apache2/mods-available/php7.3.conf)
     * AddType seems not to be necessary anymore, it's in the mime-database 
(/etc/mime.types)
   * use autoload.php instead of vendor/autoload.php
   * use libjs-openlayers instead of bundled ones.
   * include copyright information from included vendor-source
   * cleanup lintian overrides
 .
   [ Felipe Sateler ]
   * Exclude vendor dir from upstream tarball imports
   * Add new build-dependencies
   * Add autoload generation
   * Fix Config file location
   * Add phpcomposer substvars to control file
   * Fix js paths in debian/rules
   * Set phpMyAdmin team as Maintainer
 .
   [ Juri Grabowski ]
   * define composer as Build-Depends, Fix Vcs- URLs
   * apache2.2-common -> apache2-data
Checksums-Sha1:
 db30c657beb422cfcab4ae2f0504a46a33fc07c1 2700 phpmyadmin_4.9.1+dfsg1-2.dsc
 faaeaa981f613b23d4f9afc2c5b343fcad84b3f2 94188 
phpmyadmin_4.9.1+dfsg1-2.debian.tar.xz
 07d1363135b7f0255407f6af5355126276b02186 11322440 
phpmyadmin_4.9.1+dfsg1.orig.tar.xz
Checksums-Sha256:
 a205fa69ec52834e772ebd619203fad6a46ff1bdc9865c28142935d24186dc7a 2700 
phpmyadmin_4.9.1+dfsg1-2.dsc
 d6877f4ca7a9ea49bdb8608f16342207c4703a0db68fd607a4fa41dfa9294a42 94188 
phpmyadmin_4.9.1+dfsg1-2.debian.tar.xz
 5774cd30ffd4d3369a3083d7e04ef60a651647fd4da749cb53285fa0fb16459a 11322440 
phpmyadmin_4.9.1+dfsg1.orig.tar.xz
Files:
 bc93c0fec95473d080304848d649c6d1 2700 web optional phpmyadmin_4.9.1+dfsg1-2.dsc
 f440b671f55d71f64b648761af63ff51 94188 web optional 
phpmyadmin_4.9.1+dfsg1-2.debian.tar.xz
 76668ca2166ce668cf4915338be16d4d 11322440 web optional 
phpmyadmin_4.9.1+dfsg1.orig.tar.xz

-----BEGIN PGP SIGNATURE-----

iQJIBAEBCAAyFiEEIY7gNiAzyHtsE1+ko7q64kCN1s8FAl3IJCwUHGZzYXRlbGVy
QGRlYmlhbi5vcmcACgkQo7q64kCN1s8OARAAmCGEXxYkXJh02TWnbISOxqm8KL/1
DVOHbAuJtYemnLVlBNr5glPh7Ttx+N/ZiLbgNpJwxqEvTxKO2w3erpoW9vd4ICW7
8rZOpLh5hJW54fAHz4kdYiYuN0B2pvaZ/iqCLTt9DjBHZHDJud7nUFPciFMUoigb
nFjp7yH1aBM50m4bNkvh2wDn740/SUOcaO+va4mMc43o15YqWerwrxEvfgvwrgnM
znzaGrkwYL1KGi6MGrBufAIzxABWCgmFGFq4B/fNliG/XxDcGj4OxpoUs4H/mw88
/G0aWYWq4Eajq1Vi+k2HqEjnEJpHIQBd6ykSDKDctInzlEfy3ot8/p6MrWjIpEfg
VMvyGOwg6Ya7FiV5YxVXxcN/5Ly4S8R58Tz66W/Dz6uWMcMQFSnKaiIlr8woFBDf
D9z1j8HFRv4r1ha1h3gY6rJtKBfkYENRMSd7JgsKk6iahzJpJWYksE+SusYWw08W
XOC2DOiAnGFaND0CXNq67tvs+G8pwv87yxACemY29WUwjle/0N6yJ3Exf2K4RvhC
EC4H7wcY74LfTro2xtnzIE7KRc0iG8e5yFylJjdT2OqYutTwBBibcod+An/D1n7u
wncfVkHD0AEB0NDU31L7Yn2p03a+upaD5ErgOKNJ0r66Rd8KfIYC2s5ouwSvV1G2
8thkti3V7G1FT0w=
=k+MP
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to