Bug#1010360: Set-systemwide-default-settings-for-libssl-users.patch is broken (duplicate key for openssl_conf)

2022-04-29 Thread Matthias Blümel
Package: openssl
Version: 3.0.2-1

The openssl.cnf contains an entry for openssl_conf since #12333 [1].

The attached patch-file should work but I haven't tested it yet.

[1] https://github.com/openssl/openssl/pull/12333
From: Sebastian Andrzej Siewior 
Date: Tue, 20 Mar 2018 22:07:30 +0100
Subject: Set systemwide default settings for libssl users

This config change enforces a TLS1.2 protocol version as minimum. It
can be overwritten by the system administrator.

It also changes the default security level from 1 to 2, moving from the 80 bit
security level to the 112 bit security level.

Signed-off-by: Sebastian Andrzej Siewior 
---
 apps/openssl.cnf | 13 +
 1 file changed, 13 insertions(+)

--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -52,6 +52,7 @@
 
 [openssl_init]
 providers = provider_sect
+ssl_conf = ssl_sect
 
 # List of providers to load
 [provider_sect]
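Review bot: putting `ssl_conf = ssl_sect` inside the existing `[openssl_init]` section is the right way to hook in the TLS defaults, since `openssl_init` is the section that the file's existing `openssl_conf` entry (present since #12333, as the cover note says) already selects; adding a second top-level `openssl_conf = ...` key, which the bug title says the earlier version of this patch did, is what produces the duplicate-key failure reported here. Because the cover note says the patch is untested, it is worth confirming before upload that a libssl program started with this file actually applies `MinProtocol`, for example by checking that a TLS 1.1 handshake is refused.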
@@ -388,3 +389,10 @@
 # Certificate revocation
 cmd = rr
 oldcert = $insta::certout # insta.cert.pem
+
+[ssl_sect]
+system_default = system_default_sect
+
+[system_default_sect]
+MinProtocol = TLSv1.2
+CipherString = DEFAULT@SECLEVEL=2
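Review bot: the commit message should spell out that `DEFAULT@SECLEVEL=2` does more than move cipher suites from 80 to 112 bits: at security level 2 libssl also rejects RSA, DSA and DH keys shorter than 2048 bits and ECC keys shorter than 224 bits, both in peer certificates and in handshake parameters, which is the part of this default that usually breaks for users, so an administrator knows what to override in `[system_default_sect]`. Note also that `CipherString` governs only the TLS 1.2-and-earlier suite list; the TLS 1.3 list is configured with `Ciphersuites`, while the `@SECLEVEL=2` qualifier applies to the whole context. Appending the two new sections after the CMP `insta` example block is fine, as config sections are position-independent.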




Bug#980375:

2021-01-20 Thread Matthias Blümel
This is a problem in dpkg, see #626203 [1] for more details.

On pma 4.9 this was a directory, pma 5.0 changed this to a symlink. I
stumbled upon this problem already the other way around when changing a
symlink to a real directory. If I remember right, I removed the symlink
in preinst. Otherwise the contents of the folder have been extracted to
the location the symlink pointed to.

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=626203

On Wednesday, 20.01.2021 at 11:50 +0100, brainpower wrote:
> Hi!
> 
> On 20.01.21 at 00:41, William Desportes wrote:
> > Which libjs-codemirror do you have installed?
> 
> 
> I don't think this is a libjs-codemirror issue.
> On my systems, after updating from phpmyadmin 4:4.9.7+dfsg1-1~bpo10+1
> to 4:5.0.4+dfsg2-1~bpo10+1,
> I've got the following situation, where there is no Symlink into the
> codemirror files,
> so it should not matter which version it is:
> 
> # apt policy phpmyadmin
> phpmyadmin:
>    Installiert:   4:5.0.4+dfsg2-1~bpo10+1
>    Installationskandidat: 4:5.0.4+dfsg2-1~bpo10+1
>    Versionstabelle:
>   *** 4:5.0.4+dfsg2-1~bpo10+1 100
>  100 http://deb.debian.org/debian buster-backports/main amd64
> Packages
>  100 /var/lib/dpkg/status
> 
> # pwd
> /usr/share/phpmyadmin/js/vendor/codemirror
> 
> # ls -la
> insgesamt 20
> drwxr-xr-x 5 root root 4096 Nov 12 17:31 .
> drwxr-xr-x 6 root root 4096 Jan 18 11:30 ..
> drwxr-xr-x 5 root root 4096 Nov 12 17:31 addon
> drwxr-xr-x 2 root root 4096 Jan 18 11:30 lib
> drwxr-xr-x 5 root root 4096 Nov 12 17:31 mode
> 
> # ls -la lib
> insgesamt 8
> drwxr-xr-x 2 root root 4096 Jan 18 11:30 .
> drwxr-xr-x 5 root root 4096 Nov 12 17:31 ..
> 
> 
> Or is there something I'm missing, that would cause 'lib' to not be a
> symlink depending on the libjs-codemirror version???
> 

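The preinst workaround described in the message above, as an added example that is not code from the bug report or the phpmyadmin package: a POSIX sh function that clears the old filesystem object so dpkg can unpack its replacement, covering both the directory-to-symlink case (pma 4.9 to 5.0) and the reverse one the author mentions. The function name `migrate_path` and the `.dpkg-old` suffix are my choices; in a real package, `dpkg-maintscript-helper dir_to_symlink` / `symlink_to_dir` do this job.

```shell
#!/bin/sh
# Added example, not from the bug report or the phpmyadmin package.
# dpkg will not replace a real directory with a symlink (or vice versa)
# on upgrade (#626203), so the maintainer script has to clear the old
# object first. Maintainer scripts run with set -e; -u is added here.
set -eu

# migrate_path PATH WANT
#   WANT=symlink : PATH is a real directory and the new package ships a
#                  symlink there; move the directory aside.
#   WANT=dir     : PATH is a symlink and the new package ships a real
#                  directory there; remove only the link.
# Returns 0 when done or when nothing was needed, 1 when PATH is some
# other kind of object (a regular file) that we refuse to touch.
migrate_path() {
    path=$1
    want=$2
    case "$want" in
    symlink)
        # Test -L before -d: -d follows symlinks, so a link to a
        # directory would otherwise be mistaken for a real directory.
        if [ -L "$path" ]; then
            return 0                    # already a symlink
        elif [ -d "$path" ]; then
            # Keep the old contents for the admin instead of deleting.
            # Assumes no leftover "$path.dpkg-old" from a prior run.
            mv "$path" "$path.dpkg-old"
            return 0
        fi
        ;;
    dir)
        if [ -L "$path" ]; then
            rm "$path"                  # the link target is untouched
            return 0
        elif [ -d "$path" ]; then
            return 0                    # already a real directory
        fi
        ;;
    esac
    # Nothing there yet is fine; anything else is left alone.
    [ ! -e "$path" ] || return 1
}
```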


Bug#944228: stretch-pu: package phpmyadmin/4:4.6.6-4+deb9u1

2019-11-11 Thread Matthias Blümel
phpmyadmin 4.9.1+dfsg1-2 is now in unstable which fixes these issues

On Wed, 06 Nov 2019 11:50:51 + "Adam D. Barratt" <a...@adam-barratt.org.uk> wrote:
> Control: tags -1 + moreinfo
> 
> On 2019-11-06 11:23, Felipe Sateler wrote:
> > This update fixes several security issues, plus an important bug.
> > Additionally we fix the metadata reflecting the maintainership change.
> > 
> > Here is the changelog, with debdiff attached.
> > 
> > phpmyadmin (4:4.6.6-4+deb9u1) stretch; urgency=medium
> > 
> >   [ Matthias Blümel ]
> >   * Several security fixes
> > - Cross-site scripting (XSS) vulnerability in db_central_columns.php
> >   (PMASA-2018-1, CVE-2018-7260, Closes: #893539)
> > - Remove transformation plugin includes
> >   (PMASA-2018-6, CVE-2018-19968)
> > - Fix Stored Cross-Site Scripting (XSS) in navigation tree
> >   (PMASA-2018-8, CVE-2018-19970)
> > - Fix information leak (arbitrary file read) using SQL queries
> >   (PMASA-2019-1, CVE-2019-6799, Closes: #920823)
> > - a specially crafted username can be used to trigger a SQL injection attack
> >   (PMASA-2019-2, CVE-2019-6798, Closes: #920822)
> > - SQL injection in Designer feature
> >   (PMASA-2019-3, CVE-2019-11768, Closes: #930048)
> > - CSRF vulnerability in login form
> >   (PMASA-2019-4, CVE-2019-12616, Closes: #930017)
> 
> According to the BTS and Security Tracker, at least some of these issues
> affect the package in unstable and aren't currently fixed there. Is that
> correct?
> 
> Regards,
> 
> Adam
> 
> 



Bug#930048: phpmyadmin: PMASA-2019-03: CVE-2019-11768

2019-06-06 Thread Matthias Blümel
I've already created a patch

Have a look at 
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930017#12 and 
https://salsa.debian.org/phpmyadmin-team/phpmyadmin/merge_requests/6



Bug#930017: updated merge-request with patches for PMASA-2019-{3,4}

2019-06-05 Thread Matthias Blümel
I updated the merge-request 
https://salsa.debian.org/phpmyadmin-team/phpmyadmin/merge_requests/6
with patches for stretch of the two new PMASA-2019-{3,4}

I also updated 
https://salsa.debian.org/phpmyadmin-team/phpmyadmin/merge_requests/5
for jessie and PMASA-2019-4 (CVE-2019-12616)

PMASA-2019-3 (CVE-2019-11768) does not affect jessie. This bug came
with 
https://github.com/phpmyadmin/phpmyadmin/commit/e04f56a04f506c1a0a884c81c209ae2ffbf80baf
in PhpMyAdmin 4.3.0alpha1

PMASA-2019-3 (CVE-2019-11768) does not yet have a Debian bug. How
should this be done? By the security team via the security tracker? Can
I do this? How do I reference all the stuff?

BTW: Why is jessie mentioned in the security-tracker of this CVE but
not in this bug?



Bug#917755: phpmyadmin: FTBFS: PHP Fatal error: Uncaught Error: Class 'PHPUnit_Framework_TestCase' not found in /<>/test/PMATestCase.php:14

2019-05-28 Thread Matthias Blümel
possible duplicate of #883417



Bug#776613: ITP: phpmemcachedadmin -- Graphic administration for memcached to monitor and debug.

2015-01-29 Thread Matthias Blümel
Package: wnpp
Severity: wishlist
Owner: "Matthias Blümel" 

* Package name: phpmemcachedadmin
  Version : 1.2.2
  Upstream Author : Cyrille Mahieux 
* URL : https://code.google.com/p/phpmemcacheadmin/
* License : Apache License 2.0
  Programming Lang: PHP
  Description : Graphic administration for memcached to monitor and debug.

This program allows one to see in real-time (top-like) or from the start of the
server, stats for get, set, delete, increment, decrement, evictions,
reclaimed, cas command, as well as server stats (network, items, server
version) with googlecharts and server internal configuration.

You can go further to see each server slabs, occupation, memory wasted and
items (key & value).

Another part can execute commands on any memcached server: get, set, delete,
flush_all, as well as execute any commands (like stats) with telnet.

To extract this information, phpMemcacheAdmin uses, as you wish, direct
communication with the server, PECL Memcache or the PECL Memcached API.

I have already made a Debian package for the software and I will update it to
mentors as soon as I get a bug number. (https://github.com/krumedia/phpmemcachedadmin-debian)

To build the package I used the phpmyadmin package and parts of the
corresponding Fedora package.

We are using this software in my company very often, so I am very sure that
this package will be tested and updated as soon as it is necessary.

Nevertheless I have a few questions:
- The source tar doesn’t have a subdirectory at the root. To get an orig.tar.gz
  I simply renamed it. Is this correct, or should I repack it with the correct
  “debianized” directory structure? (I don’t think so, because there are no
  warnings/errors.)
- There are some files in the original tar which are unnecessarily marked as
  executable. Is there a “Debian way” to correct this? Maybe in rules#install?
- I can’t find a ChangeLog in the original tar, but there is a website for this
  (http://blog.elijaa.org/index.php?pages/phpMemcachedAdmin-Release-Notes-and-Roadmap).
  Should I create a file myself and add it somewhere in debian/?
- The lighttpd configuration is untested, but that’s on my TODO list, along with
  correct po-files.

