Your message dated Sun, 10 Nov 2019 15:38:18 +0000
with message-id <e1itpia-0008om...@fasolo.debian.org>
and subject line Bug#920823: fixed in phpmyadmin 4:4.9.1+dfsg1-2
has caused the Debian Bug report #920823,
regarding phpmyadmin: CVE-2019-6799: PMASA-2019-1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
920823: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920823
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: phpmyadmin
Version: 4:4.6.6-5
Severity: grave
Tags: security upstream
Control: found -1 4:4.6.6-4

Hi,

The following vulnerability was published for phpmyadmin.

CVE-2019-6799[0]:
| An issue was discovered in phpMyAdmin before 4.8.5. When the
| AllowArbitraryServer configuration setting is set to true, with the use
| of a rogue MySQL server, an attacker can read any file on the server
| that the web server's user can access. This is related to the
| mysql.allow_local_infile PHP configuration, and the inadvertent
| ignoring of "options(MYSQLI_OPT_LOCAL_INFILE" calls.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-6799
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-6799
[1] https://www.phpmyadmin.net/security/PMASA-2019-1/

Regards,
Salvatore

--- End Message ---
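Background on the mechanism behind PMASA-2019-1, as an added note with example code that is not part of the bug report or of phpMyAdmin itself: in the MySQL wire protocol it is the server, not the client, that may answer any statement with a LOCAL INFILE request packet (payload byte 0xFB followed by a filename), and a client with local infile enabled reads that file and uploads its contents. Once AllowArbitraryServer lets a user point phpMyAdmin at a host they control, a rogue server simply names /etc/passwd or config.inc.php and the web server's user hands it over. The defence has two independent layers: keep $cfg['AllowArbitraryServer'] at its default of false, and make sure local infile is really off, either through the php.ini directive mysqli.allow_local_infile = Off (the CVE text uses the older mysql.allow_local_infile spelling) or by calling mysqli_options($link, MYSQLI_OPT_LOCAL_INFILE, 0) between mysqli_init() and mysqli_real_connect(), which is the call the advisory says was being ignored. The Python below is a detector for the server-initiated request over a captured server-to-client stream, plus the rule a hardened client would apply before sending any file; the sample packets are constructed, not a real capture.

```python
import re
import struct

# MySQL packet framing: 3-byte little-endian payload length, 1-byte sequence
# id, then the payload. A server-to-client payload whose first byte is 0xFB
# is a LOCAL INFILE request: the rest of the payload is the filename the
# server wants the client to read and upload.
LOCAL_INFILE_REQUEST = 0xFB


def mysql_packet(seq: int, payload: bytes) -> bytes:
    """Frame one MySQL protocol packet (used here only to build sample data)."""
    if len(payload) >= 0xFFFFFF:
        raise ValueError("multi-packet payloads are not handled in this example")
    return struct.pack("<I", len(payload))[:3] + bytes([seq & 0xFF]) + payload


def iter_packets(stream: bytes):
    """Yield (sequence_id, payload) for each packet in a captured byte stream."""
    off = 0
    while off + 4 <= len(stream):
        length = int.from_bytes(stream[off:off + 3], "little")
        seq = stream[off + 3]
        payload = stream[off + 4:off + 4 + length]
        if len(payload) != length:
            raise ValueError(f"truncated packet at offset {off}")
        yield seq, payload
        off += 4 + length


def local_infile_requests(server_to_client: bytes) -> list[str]:
    """Return every filename the server asked the client to upload.

    Run this over the server->client half of a connection (for example
    reassembled from a pcap) to spot a server that pushes LOCAL INFILE
    requests the client never asked for.
    """
    requested = []
    for _, payload in iter_packets(server_to_client):
        if payload and payload[0] == LOCAL_INFILE_REQUEST:
            requested.append(payload[1:].decode("utf-8", "replace"))
    return requested


_LOAD_DATA_LOCAL = re.compile(
    r"^\s*LOAD\s+DATA\s+(?:LOW_PRIORITY\s+|CONCURRENT\s+)?LOCAL\s+INFILE\s+'([^']*)'",
    re.IGNORECASE,
)


def client_may_send(requested_path: str, last_statement: str) -> bool:
    """Hardened client policy: upload a file only when the client itself
    issued LOAD DATA LOCAL INFILE naming exactly that path.

    A plain SELECT answered with a LOCAL INFILE request is the rogue-server
    signature; under this policy the client refuses it instead of reading
    whatever path the server chose.
    """
    m = _LOAD_DATA_LOCAL.match(last_statement)
    return m is not None and m.group(1) == requested_path


# Constructed sample traffic (not a real capture).
# A rogue server answering "SELECT 1" with a request for /etc/passwd:
ROGUE_REPLY_TO_SELECT = mysql_packet(1, bytes([LOCAL_INFILE_REQUEST]) + b"/etc/passwd")
# A normal OK packet: header 0x00, affected rows 0, last insert id 0,
# status flags 0x0002 (autocommit), warnings 0.
HONEST_OK_REPLY = mysql_packet(1, b"\x00\x00\x00\x02\x00\x00\x00")


if __name__ == "__main__":
    print(local_infile_requests(ROGUE_REPLY_TO_SELECT))  # ['/etc/passwd']
    print(client_may_send("/etc/passwd", "SELECT 1"))    # False
```

The detector is deliberately dumb about context: any 0xFB packet from the server is reported, because on a phpMyAdmin host that never issues LOAD DATA LOCAL INFILE there is no legitimate reason to see one. The client-side rule shows why disabling local infile at the library level is the robust fix: the protocol itself gives the client no other way to know whether the request is one it asked for.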
--- Begin Message ---
Source: phpmyadmin
Source-Version: 4:4.9.1+dfsg1-2

We believe that the bug you reported is fixed in the latest version of
phpmyadmin, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 920...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Matthias Blümel <deb...@blaimi.de> (supplier of updated phpmyadmin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 01 Nov 2019 19:33:40 +0100
Source: phpmyadmin
Architecture: source
Version: 4:4.9.1+dfsg1-2
Distribution: unstable
Urgency: medium
Maintainer: phpMyAdmin Packaging Team <team+phpmyad...@tracker.debian.org>
Changed-By: Matthias Blümel <deb...@blaimi.de>
Closes: 772741 883417 884827 890595 893539 896490 914673 917755 920822 920823 930017 930048 943209
Changes:
 phpmyadmin (4:4.9.1+dfsg1-2) unstable; urgency=medium
 .
   * Adjust open_basedir setting for ubuntu eoan
 .
 phpmyadmin (4:4.9.1+dfsg1-1) unstable; urgency=medium
 .
   * New upstream version 4.9.1.
   * Remove webbased setup (Closes: #772741)
   * Check for weak blowfish key and regenerate if necessary during update
   * fix avahi service-installation (Closes: #914673, LP: #1293558)
   * fix bug in sql-script for non-default tablename (Closes: #884827)
 .
 phpmyadmin (4:4.9.0.1+dfsg1-1) unstable; urgency=medium
 .
   [ Matthias Blümel ]
   * New upstream version 4.9.0.1.
   * Update Package for new composer-oriented structure in upstream
   * Update Translations
     - Catalan
     - Ukrainian
     - Chinese (Traditional)
   * New Translations
     - Romanian
     - Indonesian
   * New upstream release, fixing several security issues:
     - Warnings when running under php 7.2
       (Closes: #890595)
     - FTBFS with phpunit 6.4.4-2
       (Closes: #883417, Closes: #917755)
     - Bypass $cfg['Servers'][$i]['AllowNoPassword']
       (PMASA-2017-8, CVE-2017-18264)
     - XSRF/CSRF vulnerability in phpMyAdmin
       (PMASA-2017-9, CVE-2017-1000499)
     - Self XSS in central columns feature
       (PMASA-2018-1, CVE-2018-7260, Closes: #893539)
     - CSRF vulnerability allowing arbitrary SQL execution
       (PMASA-2018-2, CVE-2018-10188, Closes: #896490)
     - XSS in Designer feature
       (PMASA-2018-3, CVE-2018-12581)
     - Bug that can be used for XSS when importing files
     - Local file inclusion
       (PMASA-2018-6, CVE-2018-19968)
     - XSRF/CSRF vulnerabilities allowing an attacker to perform harmful operations
       (PMASA-2018-7, CVE-2018-19969)
     - an XSS vulnerability in the navigation tree
       (PMASA-2018-8, CVE-2018-19970)
     - Arbitrary file read vulnerability
       (PMASA-2019-1, CVE-2019-6799, Closes: #920823)
     - SQL injection in the Designer interface
       (PMASA-2019-2, CVE-2019-6798, Closes: #920822)
     - SQL injection in Designer feature
       (PMASA-2019-3, CVE-2019-11768, Closes: #930048)
     - CSRF vulnerability in login form
       (PMASA-2019-4, CVE-2019-12616, Closes: #930017)
   * patch to allow twig in version 2
   * adjust autoload path with libapache2-mod-php, load Twig-Extensions and tcpdf
   * adjust apache-config with open_basedir for dependencies
   * Set TempDir to /var/lib/phpmyadmin/tmp for twig-cache
   * add config-table upgrade for version 4.7.0+
   * enable unittests and patch to use phpunit 7, fix build-deps
   * update to standards-version 4.3.0
   * add Debian CI testfile
   * depend on python3-sphinx instead of python-sphinx which is python2
     (Closes: #943209)
   * don't chown tmp-dir recursive and remove useless entries in 'dirs'
   * add sensible-utils to dependencies for .desktop-file
   * simplify apache-config
     * mbstring.func_overload = 0 is default and not set
       (/etc/php/7.3/apache2/php.ini)
     * SetHandler is now in the configuration of libapache2-mod-php
       (/etc/apache2/mods-available/php7.3.conf)
     * AddType seems not to be necessary anymore, it's in the mime-database
       (/etc/mime.types)
   * use autoload.php instead of vendor/autoload.php
   * use libjs-openlayers instead of bundled ones.
   * include copyright information from included vendor-source
   * cleanup lintian overrides
 .
   [ Felipe Sateler ]
   * Exclude vendor dir from upstream tarball imports
   * Add new build-dependencies
   * Add autoload generation
   * Fix Config file location
   * Add phpcomposer substvars to control file
   * Fix js paths in debian/rules
   * Set phpMyAdmin team as Maintainer
 .
   [ Juri Grabowski ]
   * define composer as Build-Depends, Fix Vcs- URLs
   * apache2.2-common -> apache2-data
Checksums-Sha1:
 db30c657beb422cfcab4ae2f0504a46a33fc07c1 2700 phpmyadmin_4.9.1+dfsg1-2.dsc
 faaeaa981f613b23d4f9afc2c5b343fcad84b3f2 94188 phpmyadmin_4.9.1+dfsg1-2.debian.tar.xz
 07d1363135b7f0255407f6af5355126276b02186 11322440 phpmyadmin_4.9.1+dfsg1.orig.tar.xz
Checksums-Sha256:
 a205fa69ec52834e772ebd619203fad6a46ff1bdc9865c28142935d24186dc7a 2700 phpmyadmin_4.9.1+dfsg1-2.dsc
 d6877f4ca7a9ea49bdb8608f16342207c4703a0db68fd607a4fa41dfa9294a42 94188 phpmyadmin_4.9.1+dfsg1-2.debian.tar.xz
 5774cd30ffd4d3369a3083d7e04ef60a651647fd4da749cb53285fa0fb16459a 11322440 phpmyadmin_4.9.1+dfsg1.orig.tar.xz
Files:
 bc93c0fec95473d080304848d649c6d1 2700 web optional phpmyadmin_4.9.1+dfsg1-2.dsc
 f440b671f55d71f64b648761af63ff51 94188 web optional phpmyadmin_4.9.1+dfsg1-2.debian.tar.xz
 76668ca2166ce668cf4915338be16d4d 11322440 web optional phpmyadmin_4.9.1+dfsg1.orig.tar.xz

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---