Hello community,

here is the log from the commit of package phpMyAdmin for openSUSE:Factory 
checked in at 2016-08-22 10:07:11
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/phpMyAdmin (Old)
 and      /work/SRC/openSUSE:Factory/.phpMyAdmin.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "phpMyAdmin"

Changes:
--------
--- /work/SRC/openSUSE:Factory/phpMyAdmin/phpMyAdmin.changes    2016-06-25 
02:23:37.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.phpMyAdmin.new/phpMyAdmin.changes       
2016-08-22 10:07:13.000000000 +0200
@@ -1,0 +2,104 @@
+Thu Aug 18 13:31:57 UTC 2016 - [email protected]
+
+- 4.6.4 (2016-08-16)
+ - securitiy fixes
+  * Improve session cookie code for openid.php and signon.php example
+     files
+  * Full path disclosure in openid.php and signon.php example files
+  * Unsafe generation of BlowfishSecret (when not supplied by the user)
+  * Referrer leak when phpinfo is enabled
+  * Use HTTPS for wiki links
+  * Improve SSL certificate handling
+  * Fix full path disclosure in debugging code
+  * Administrators could trigger SQL injection attack against users
+ - other fixes
+  * Remove Swekey support
+  * Include X-Robots-Tag header in responses
+  * Enforce numeric field length when creating table
+  * Fixed invalid Content-Length in some HTTP responses
+  * gh#12394 Create view should require a view name
+  * gh#12391 Message with 'Change password successfully' displayed,
+     but does not take effect
+  * Tighten control on PHP sessions and session cookies
+  * gh#12409 Re-enable overhead on server databases view
+  * gh#12414 Fixed rendering of Original theme
+  * gh#12413 Fixed deleting users in non English locales
+  * gh#12416 Fixed replication status output in Databases listing
+  * gh#12303 Avoid typecasting to float when not needed
+  * gh#12425 Duplicate message variable names in messages.inc.php
+  * gh#12399 Adding index to table shows wrong top navigation
+  * gh#12424 Fixed password change on MariaDB without auth plugin
+  * gh#12339 Do not error on unset server port
+  * gh#12422 Improvements to the original theme
+  * gh#12395 Do not try to load old transformation plugins
+  * gh#12423 Fixed replication status in database listing
+  * gh#12433 Copy table with prefix does not copy the indexes
+  * gh#12375 Search in database: Window content is not scrolling down
+     when clicking first time on Browse link
+  * gh#12346 SQL Editor textareas can have their size increased from
+     the top, distorting the page view
+- fix for boo#994313
+  https://www.phpmyadmin.net/security/
+  * Weaknesses with cookie encryption
+     see PMASA-2016-29 (CVE-2016-6606, CWE-661)
+  * Multiple XSS vulnerabilities
+     see PMASA-2016-30 (CVE-2016-6607, CWE-661)
+  * Multiple XSS vulnerabilities
+     see PMASA-2016-31 (CVE-2016-6608, CWE-661)
+  * PHP code injection
+     see PMASA-2016-32 (CVE-2016-6609, CWE-661)
+  * Full path disclosure
+     see PMASA-2016-33 (CVE-2016-6610, CWE-661)
+  * SQL injection attack
+     see PMASA-2016-34 (CVE-2016-6611, CWE-661)
+  * Local file exposure through LOAD DATA LOCAL INFILE
+     see PMASA-2016-35 (CVE-2016-6612, CWE-661)
+  * Local file exposure through symlinks with UploadDir
+     see PMASA-2016-36 (CVE-2016-6613, CWE-661)
+  * Path traversal with SaveDir and UploadDir
+     see PMASA-2016-37 (CVE-2016-6614, CWE-661)
+  * Multiple XSS vulnerabilities
+     see PMASA-2016-38 (CVE-2016-6615, CWE-661)
+  * SQL injection vulnerability as control user
+     see PMASA-2016-39 (CVE-2016-6616, CWE-661)
+  * SQL injection vulnerability
+     see PMASA-2016-40 (CVE-2016-6617, CWE-661)
+  * Denial-of-service attack through transformation feature
+     see PMASA-2016-41 (CVE-2016-6618, CWE-661)
+  * SQL injection vulnerability as control user
+     see PMASA-2016-42 (CVE-2016-6619, CWE-661)
+  * Verify data before unserializing
+     see PMASA-2016-43 (CVE-2016-6620, CWE-661)
+  * SSRF in setup script
+     see PMASA-2016-44 (CVE-2016-6621, CWE-661)
+  * Denial-of-service attack with
+     $cfg['AllowArbitraryServer'] = true and persistent connections
+     see PMASA-2016-45 (CVE-2016-6622, CWE-661)
+  * Denial-of-service attack by using for loops
+     see PMASA-2016-46 (CVE-2016-6623, CWE-661)
+  * Possible circumvention of IP-based allow/deny rules with IPv6 and
+     proxy server
+     see PMASA-2016-47 (CVE-2016-6624, CWE-661)
+  * Detect if user is logged in
+     see PMASA-2016-48 (CVE-2016-6625, CWE-661)
+  * Bypass URL redirection protection
+     see PMASA-2016-49 (CVE-2016-6626, CWE-661)
+  * Referrer leak
+     see PMASA-2016-50 (CVE-2016-6627, CWE-661)
+  * Reflected File Download
+     see PMASA-2016-51 (CVE-2016-6628, CWE-661)
+  * ArbitraryServerRegexp bypass
+     see PMASA-2016-52 (CVE-2016-6629, CWE-661)
+  * Denial-of-service attack by entering long password
+     see PMASA-2016-53 (CVE-2016-6630, CWE-661)
+  * Remote code execution vulnerability when running as CGI
+     see PMASA-2016-54 (CVE-2016-6631, CWE-661)
+  * Denial-of-service attack when PHP uses dbase extension
+     see PMASA-2016-55 (CVE-2016-6632, CWE-661)
+  * Remove tode execution vulnerability when PHP uses dbase extension
+     see PMASA-2016-56 (CVE-2016-6633, CWE-661)
+- fix deps
+  * add missing php-gettext
+- rebase phpMyAdmin-config.patch
+
+-------------------------------------------------------------------
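
Review bot: Two typos in the new changelog entry should be fixed before this lands: "securitiy fixes" under 4.6.4, and "Remove tode execution vulnerability" in the PMASA-2016-56 item, which presumably should read "Remote code execution" like the PMASA-2016-54 item. The CWE-661 tag is also repeated unchanged on all 28 PMASA entries, covering XSS, SQL injection, denial of service and path traversal alike, so it cannot be the correct class for each one; either drop it or give each advisory its own CWE.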

Old:
----
  phpMyAdmin-4.6.3-all-languages.tar.xz
  phpMyAdmin-4.6.3-all-languages.tar.xz.asc

New:
----
  phpMyAdmin-4.6.4-all-languages.tar.xz
  phpMyAdmin-4.6.4-all-languages.tar.xz.asc

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ phpMyAdmin.spec ++++++
--- /var/tmp/diff_new_pack.wcwanM/_old  2016-08-22 10:07:14.000000000 +0200
+++ /var/tmp/diff_new_pack.wcwanM/_new  2016-08-22 10:07:14.000000000 +0200
@@ -29,7 +29,7 @@
 %define ap_grp nogroup
 %endif
 Name:           phpMyAdmin
-Version:        4.6.3
+Version:        4.6.4
 Release:        0
 Summary:        Administration of MySQL over the web
 License:        GPL-2.0+
@@ -52,6 +52,7 @@
 Requires:       mod_php_any >= 5.5
 Requires:       php-bz2
 Requires:       php-gd
+Requires:       php-gettext
 Requires:       php-iconv
 Requires:       php-json
 Requires:       php-mbstring

++++++ phpMyAdmin-4.6.3-all-languages.tar.xz -> 
phpMyAdmin-4.6.4-all-languages.tar.xz ++++++
++++ 15124 lines of diff (skipped)

++++++ phpMyAdmin-config.patch ++++++
--- /var/tmp/diff_new_pack.wcwanM/_old  2016-08-22 10:07:17.000000000 +0200
+++ /var/tmp/diff_new_pack.wcwanM/_new  2016-08-22 10:07:17.000000000 +0200
@@ -45,7 +45,7 @@
 +
 +/**
   * This is needed for cookie based authentication to encrypt password in
-  * cookie
+  * cookie. Needs to be 32 chars long.
 + *
 + * YOU MUST FILL IN THIS FOR COOKIE AUTH!
   */
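
Review bot: The amended comment ("cookie. Needs to be 32 chars long.") states only a length, while the changelog in this same submission lists "Unsafe generation of BlowfishSecret (when not supplied by the user)" among the security fixes. Suggest the comment also say that the value must be random and unique per installation, so that admins do not satisfy the length requirement with a guessable string.
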
@@ -60,7 +60,7 @@
   */
  $i = 0;
  
-@@ -25,47 +68,155 @@ $i = 0;
+@@ -25,45 +68,155 @@ $i = 0;
   * First server
   */
  $i++;
@@ -127,8 +127,6 @@
 -// $cfg['Servers'][$i]['central_columns'] = 'pma__central_columns';
 -// $cfg['Servers'][$i]['designer_settings'] = 'pma__designer_settings';
 -// $cfg['Servers'][$i]['export_templates'] = 'pma__export_templates';
--/* Contrib / Swekey authentication */
--// $cfg['Servers'][$i]['auth_swekey_config'] = '/etc/swekey-pma.conf';
 +$cfg['Servers'][$i]['controlhost'] = 'localhost';
 +$cfg['Servers'][$i]['controlport'] = '';
 +/*

++++++ phpMyAdmin-pma.patch ++++++
--- /var/tmp/diff_new_pack.wcwanM/_old  2016-08-22 10:07:17.000000000 +0200
+++ /var/tmp/diff_new_pack.wcwanM/_new  2016-08-22 10:07:17.000000000 +0200
@@ -13,3 +13,15 @@
  
  -- --------------------------------------------------------
  
+Index: config.sample.inc.php
+===================================================================
+--- config.sample.inc.php.orig
++++ config.sample.inc.php
+@@ -202,7 +202,6 @@ $cfg['Servers'][$i]['savedsearches']
+ $cfg['Servers'][$i]['central_columns']          = 'pma__central_columns';
+ $cfg['Servers'][$i]['designer_settings']        = 'pma__designer_settings';
+ $cfg['Servers'][$i]['export_templates']         = 'pma__export_templates';
+-$cfg['Servers'][$i]['auth_swekey_config']       = '';
+ */
+ 
+ /**
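
Review bot: The changes entry mentions only "rebase phpMyAdmin-config.patch", but this hunk adds a whole new config.sample.inc.php section to phpMyAdmin-pma.patch that drops the auth_swekey_config line. Please add a changelog line for phpMyAdmin-pma.patch and tie it to the "Remove Swekey support" item so the reason for the extra section is recorded.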

++++++ phpMyAdmin.keyring ++++++
--- /var/tmp/diff_new_pack.wcwanM/_old  2016-08-22 10:07:17.000000000 +0200
+++ /var/tmp/diff_new_pack.wcwanM/_new  2016-08-22 10:07:17.000000000 +0200
@@ -479,6 +479,52 @@
 nuNOb0hz/9EA42nix1i+nNM9tLJeSk6xuU5iBmILJECR9Ku12BFrn+IVdD5eElh/
 3E7gABPIVgtr+XfPKf4rkK2G0C8rap+SlSsV6yl4ERtjPuHKPfPNtPnEIOSb2Vjr
 kca1ZiPiutsGnQFyjEks7cMYc09UMRa7G3wejSU4pR7HrrgvNk0egcO/zh/Sew59
-gdi0WntFEdmqB431mw==
-=sUWP
+gdi0WntFEdmqB431m5kCDQRXoKIiARAAzBwbBui7mxdMbRUNKi7zQvEUo3iflJp+
+YcIDXaFr0PACA0r82Jg7XOqUOmnUu/1srsJlLJuVxHmOy3BG8fecbunzooS23EcL
+2Fp/ntMuQr7pK8VmzxvlOenPASXf+RW7puOV/chRpsq6cCNTUSQ4zr0Zr+3j9m21
+3l8EbVw4c+YQlFrwpdS+RYkH9cvRoqUcFQAMlmWGOvSJtFynH0FX56m1/Ay1ASTf
+Zu7sn7U1c5auwOmIkVRboQaulDahRxkuXrd7cNP1c6/ggyIgXlTtG2/fpXPOIJ08
+iA1U9nYU8t7T8Xp9WlQjkSoYatJjQyRTfm2bbJWrQ8c4jdNyPCqQhmuZdh/YRdy3
+yFAbPoZMG8C+FxEfgJ/Q5ZQLCx5cXdndpIsXKf2+cMnlxDziuUM4Nz16CIAqvo59
+Q666G0t7e+fQ8IdvPfU30HPxQHfF3kmuqWUoW5jQOb1kwOGpozT3BEY6ELVIa7Mc
+A+dLf9nIPTPlZ3F0GvySR1iuQYU0aWh54hb1TE4ogH5IhRjrEtbiyQm25sqPUBCK
+1KGW6NciqHNXKksTldEjYeYyUz2BCN+LpisEqAfpMRKAvHnz9rTYmfd4HAMiJKgw
+++U9EjbG7nDUxjaJ2ti5BhbH2RJCcI8BQM8P+S0SSVezwaEc9Ibd+41FfUHjplgk
+dhVFyopvyCUAEQEAAbQycGhwTXlBZG1pbiBTZWN1cml0eSBUZWFtIDxzZWN1cml0
+eUBwaHBteWFkbWluLm5ldD6JAjcEEwEIACEFAlegoiICGwMFCwkIBwMFFQoJCAsF
+FgIDAQACHgECF4AACgkQ2mirOSGKuUcFww/+MdyJg7NhzSkW3mNQy9yrZKHc3vmJ
+o4wdGgv7EMvDbSXv4dn1WMz++DoN32auA8ol/MrCzFXa8iThsbf+Bp24YqA9XdF5
+veHXnsETG5toBRxcAe2vHSTP6BW10j5CzsCzDzwnP7MD2jILESdwvL5iyQjb3sUq
+dk3iHEQV3C8hUYGnaiL4cBtCCBf4dpNwN/OVFQXuEf5u8otdgGci2cSulK74m/Re
+5NcL1F/+Qcksj7nOxAWoEIP3lGSclTE1cnS95pR5GpTk23+dPWxUk7mHBl62K0fu
+QUTIGouZpg2nEL8VCxieE4HNw6ueSDCSlSNCOqQKGq+14OdRtnPwlrXmGL+3dSWs
+w8qJA+AUVtnKOuQ+w8ohJ5KuPssb/W52e/mIQ3F5O5JJH3V0F8lAY7Go4cG2zpHh
+Wjscu6RDNkMtpP3MCGpBpg9yZmtMJ7eKRtjusJh8KzSokJ+lyryX3ZOEFKMcofkj
+/0Z6o8FHj5cnI/eVUcT03J3OheKFHj5l78ZO4S9NPBP6RGr1b0zSGZKrWt+gZ91u
+k0s7VeNvZq1yMsmt21FG6TkVPj+LKSMX/nZ7zhWaZ76eJ2eYpSEnszW+7MTws9rN
+hKxb3jeKm7VuJk5Ygd3OFM0jvN9V0Q0S3wlbr9wfXiEg8AIqVwKtCkJWhqLqIZoT
+ExGeJbK27IfmEGO5Ag0EV6CiIgEQAN2LmzsfU3fpRdH/P4ZmSmmC5wzQWYPS/Dob
+ZJPpE+HSiymyyOholcZzV5wDfbnXBggXlKd4Ecqy7NaNGDHMxUPRu3pK0pcNcZC2
+QoopamKX0GiGuIovTWUGrY1r06Gc8zWKuAzbxc+vSgDRiWbu+fHdPT+jhUQJ+7If
+IpT6fcHr0rARKI5b2xaa0erqfV/B+Qw+/uydw2o1e+9gAthnzd7pBWzpaGnc829P
+U9+u3nhep7TTwvIkZI0gBzlhPQrDdjfc/ukJCOQ8JnlFCGRHWM0tbnthJ3FDGucZ
+VQVfar+L3ia/V/++NRYOfL+hNOB8Rkj4YvTR7VgXJa3PKea8qgyGkOPHbeMpJ55w
+vCyexGdOqQyLNqwCtXVD41nGIyWAqTu1LBpQn33vxQ6eEcLQ/mJm8adCXaVrcwiD
+e1O+bYWrebmPEWxLh6vCZ8Odpa79gZ2tjBh1W0xacsaiWH0YbnNjeBX06M8cwELm
+8KJJlpRic4hw4zEnszGQSdYO1jQ0A1fat+q4zekqFqhA04w6+bu91jYgLFs6PK/W
+tquKnL8EHsuNa5/43hAQzxr4TeMse3VFqBXShgQFxjyGVSbR0KTPJKBb+rN7z0jl
+H0cKW6BqXtOMkHMeqqBJB8d94DdgSyj15TB8a+3oxYH7fyTw19iyNhWiuvk7/Gpo
+nAqhr2qNABEBAAGJAh8EGAEIAAkFAlegoiICGwwACgkQ2mirOSGKuUceaRAAowuk
+DF7Nlnasozrh6AYlRNhrT/KQ0u38iuzxdftw8ONXRTQ1RiIwzQAQcRoFvN5yq1ft
+9EgK3rTbEV9KSiMH5e1HGs1RTRMdmPPSh0507hiMjAvApOpJhDO0ODodNLzye4bt
+ZrIrHh+nw/wlWBYX/DDl5vo8BUWyDTyA17Bt4P0za9WQKCez6QK01upM+h7fQKzz
+JJFvuWH+rGxDS83Bes+QRMhtKYWqTB7MGwPUPswCc2dzq97914pR2+8fJhfmHzB1
+6KadYM+oe1/XlO4RzSo2cpBHss5WL12/b6CGrIS5FcjosLGbco0YzQGoRn/FLU/M
+dINWyVVjHx6SK2RnM/p9k5RULeK0bYZCw2kU/TCjrh7WMbGf1qXBzb77mHBpzb6r
+Hprtwt0+ztKFVF8kDTqh9NOx3eCRUJ0xVgu3anYdm857q6H/nED33wO1MesU6FqL
+8G/5Uo243jCgtOtzmiyucxHNG1S/qyjF/0iz+m3oBa3+aL5S8a5im7hV235S7Nng
+c6qZp/l+Rm4qIR2IPYA5R8G5OvdDmgkdpkV764prh0kjIUMF5RGr1UXyVpIxBwI3
+MN3RZjWrI6uO/+GyenlH3z4xGRynBnVLqukUy0Y175jsQDO0XZQpJeN8eNeGggbC
+eBSXxBqkCxwoDujCb11Pxrgn0sKI8zAmokL1oFc=
+=PdQl
 -----END PGP PUBLIC KEY BLOCK-----
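
Review bot: This hunk replaces the end of the armored block (old checksum =sUWP, new =PdQl) and appends additional key material to phpMyAdmin.keyring, yet the changes entry says nothing about the keyring. Since this file decides which signatures on the .tar.xz.asc are accepted, the changelog should name the key being added, with its fingerprint and where it was obtained, so the addition can be checked against upstream's published key.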

