Acked-by: Otavio Salvador <[email protected]> On Sun, Nov 30, 2014 at 11:04 PM, Armin Kuster <[email protected]> wrote: > From: Roy Li <[email protected]> > > Cross-site scripting (XSS) vulnerability in the view operations page in > phpMyAdmin 4.1.x before 4.1.14.3 and 4.2.x before 4.2.7.1 allows remote > authenticated users to inject arbitrary web script or HTML via a crafted > view name, related to js/functions.js. > > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5274 > > Signed-off-by: Roy Li <[email protected]> > Signed-off-by: Armin Kuster <[email protected]> > --- > ...4505-security-XSS-in-view-operations-page.patch | 43 > ++++++++++++++++++++++ > .../recipes-php/phpmyadmin/phpmyadmin_4.2.7.bb | 1 + > 2 files changed, 44 insertions(+) > create mode 100644 > meta-webserver/recipes-php/phpmyadmin/phpmyadmin/0001-bug-4505-security-XSS-in-view-operations-page.patch > > diff --git > a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/0001-bug-4505-security-XSS-in-view-operations-page.patch > > b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/0001-bug-4505-security-XSS-in-view-operations-page.patch > new file mode 100644 > index 0000000..164a072 > --- /dev/null > +++ > b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/0001-bug-4505-security-XSS-in-view-operations-page.patch > @@ -0,0 +1,43 @@ > +From 0cd293f5e13aa245e4a57b8d373597cc0e421b6f Mon Sep 17 00:00:00 2001 > +From: Madhura Jayaratne <[email protected]> > +Date: Sun, 17 Aug 2014 08:41:57 -0400 > +Subject: [PATCH] bug #4505 [security] XSS in view operations page > + > +Upstream-Status: Backport > + > +Signed-off-by: Marc Delisle <[email protected]> > +--- > + ChangeLog | 3 +++ > + js/functions.js | 2 +- > + 2 files changed, 4 insertions(+), 1 deletion(-) > + > +diff --git a/ChangeLog b/ChangeLog > +index 7afac1a..cec9d77 100644 > +--- a/ChangeLog > ++++ b/ChangeLog > +@@ -1,6 +1,9 @@ > + phpMyAdmin - ChangeLog > + ====================== > + > ++4.2.7.1 (2014-08-17) > ++- bug #4505 [security] XSS in view operations page > ++ > + 4.2.7.0 (2014-07-31) > + - bug Broken links on home page > + - bug #4494 Overlap in navigation panel > +diff --git a/js/functions.js b/js/functions.js > +index 09bfeda..a970a81 100644 > +--- a/js/functions.js > ++++ b/js/functions.js > +@@ -3585,7 +3585,7 @@ AJAX.registerOnload('functions.js', function () { > + var question = PMA_messages.strDropTableStrongWarning + ' '; > + question += $.sprintf( > + PMA_messages.strDoYouReally, > +- 'DROP VIEW ' + PMA_commonParams.get('table') > ++ 'DROP VIEW ' + escapeHtml(PMA_commonParams.get('table')) > + ); > + > + $(this).PMA_confirm(question, $(this).attr('href'), function (url) { > +-- > +1.7.10.4 > + > diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.2.7.bb > b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.2.7.bb > index c267d89..447b778 100644 > --- a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.2.7.bb > +++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.2.7.bb > @@ -7,6 +7,7 @@ LIC_FILES_CHKSUM = > "file://LICENSE;md5=eb723b61539feef013de476e68b5c50a \ > > SRC_URI = > "${SOURCEFORGE_MIRROR}/phpmyadmin/phpMyAdmin/${PV}/phpMyAdmin-${PV}-all-languages.tar.xz > \ > file://0001-bug-4504-security-Self-XSS-in-query-charts.patch \ > + file://0001-bug-4505-security-XSS-in-view-operations-page.patch \ > file://apache.conf" > > SRC_URI[md5sum] = "0dcd755450dac819f33502590c88ad29" > -- > 1.9.1 >
-- Otavio Salvador O.S. Systems http://www.ossystems.com.br http://code.ossystems.com.br Mobile: +55 (53) 9981-7854 Mobile: +1 (347) 903-9750 -- _______________________________________________ Openembedded-devel mailing list [email protected] http://lists.openembedded.org/mailman/listinfo/openembedded-devel
