Neil McGovern wrote:
> On Tue, Nov 15, 2005 at 05:54:32PM +0100, Piotr Roszatycki wrote:
> > http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-6 reports
> > that sarge's phpmyadmin package has a security flaw which occurs only
> > if the "register_globals = on" setting is used.
> >
> > This feature is disabled in the Debian package by default so I doubt if this is
> > a serious problem. I'd like to ask if I should prepare the new package for
> > sarge or not?
>
> According to the advisory, all versions < 2.6.4-pl4 are affected
> (2.7.0-beta1 from the development schema).
>
> This would mean that this affects sid and etch too. Has a bug been
> filed/a CVE number assigned for this?

I don't know of one. We may have to go without one for the moment.

Also, a second issue has just popped up:
http://www.fitsec.com/advisories/FS-05-02.txt

I'd be glad if you could provide patches and packages for both issues.
(both because in the second the path disclosure is bogus for us since
dpkg -c will disclose the path as well).

Regards,

Joey

--
The only stupid question is the unasked one.

Please always Cc to me when replying to me on the lists.

