Date: Thu, 1 Dec 2011 20:28:54 GMT From: Matthew Seaman <m.seaman@infracaninophile.co.uk> To: FreeBSD-gnats-submit@FreeBSD.org Subject: ports/163001: [maintainer] databases/phpmyadmin -- update to 3.4.8 Message-ID: <201112012028.pB1KSsIo051304@lucid-nonsense.infracaninophile.co.uk> Resent-Message-ID: <201112012030.pB1KUHHn035021@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 163001
>Category: ports
>Synopsis: [maintainer] databases/phpmyadmin -- update to 3.4.8
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Thu Dec 01 20:30:17 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Matthew Seaman
>Release: FreeBSD 8.2-STABLE amd64
>Organization:
Infracaninophile
>Environment:
System: FreeBSD lucid-nonsense.infracaninophile.co.uk 8.2-STABLE FreeBSD 8.2-STABLE #24 r227991: Sat Nov 26 13:33:22 GMT 2011 root@lucid-nonsense.infracaninophile.co.uk:/usr/obj/usr/src/sys/LUCID-NONSENSE amd64
>Description:
Update to version 3.4.8
This is the formal release of the fix to CVE-2011-4634, but there are
no code differences from the preliminary fixes released in 3.4.8-rc1
except for the updated version number.
PMSA-2011-18 has now been published; vuxml entry attached.
>How-To-Repeat:
>Fix:
--- phpmyadmin.diff begins here ---
Index: databases/phpmyadmin/Makefile
===================================================================
RCS file: /home/ncvs/ports/databases/phpmyadmin/Makefile,v
retrieving revision 1.148
diff -u -u -r1.148 Makefile
--- databases/phpmyadmin/Makefile 26 Nov 2011 09:14:38 -0000 1.148
+++ databases/phpmyadmin/Makefile 1 Dec 2011 20:17:59 -0000
@@ -6,7 +6,7 @@
#
PORTNAME= phpMyAdmin
-DISTVERSION= 3.4.8-rc1
+DISTVERSION= 3.4.8
CATEGORIES= databases www
MASTER_SITES= SF/${PORTNAME:L}/${PORTNAME}/${DISTVERSION}
DISTNAME= ${PORTNAME}-${DISTVERSION}-all-languages
Index: databases/phpmyadmin/distinfo
===================================================================
RCS file: /home/ncvs/ports/databases/phpmyadmin/distinfo,v
retrieving revision 1.124
diff -u -u -r1.124 distinfo
--- databases/phpmyadmin/distinfo 26 Nov 2011 09:14:38 -0000 1.124
+++ databases/phpmyadmin/distinfo 1 Dec 2011 20:17:59 -0000
@@ -1,2 +1,2 @@
-SHA256 (phpMyAdmin-3.4.8-rc1-all-languages.tar.bz2) = a460686e7d2f101a50fb19cb23d16ee56d995393bfebcdeb56880936e7b060c8
-SIZE (phpMyAdmin-3.4.8-rc1-all-languages.tar.bz2) = 4611013
+SHA256 (phpMyAdmin-3.4.8-all-languages.tar.bz2) = 792a53d1904feed2bba0a613680af86fb4ca2ee8e94ba65ef92043c5c2d90604
+SIZE (phpMyAdmin-3.4.8-all-languages.tar.bz2) = 4610153
Index: security/vuxml/vuln.xml
===================================================================
RCS file: /home/ncvs/ports/security/vuxml/vuln.xml,v
retrieving revision 1.2505
diff -u -u -r1.2505 vuln.xml
--- security/vuxml/vuln.xml 30 Nov 2011 09:31:35 -0000 1.2505
+++ security/vuxml/vuln.xml 1 Dec 2011 20:18:18 -0000
@@ -47,6 +47,38 @@
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
+ <vuln vid="ed536336-1c57-11e1-86f4-e0cb4e266481">
+ <topic>phpMyAdmin -- Multiple XSS</topic>
+ <affects>
+ <package>
+ <name>phpMyAdmin</name>
+ <range><gt>3.4</gt><lt>3.4.8.r1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">;
+ <p>The phpMyAdmin development team reports:</p>
+ <blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2011-18.php">;
+ <p>Using crafted database names, it was possible to produce
+ XSS in the Database Synchronize and Database rename
+ panels. Using an invalid and crafted SQL query, it was
+ possible to produce XSS when editing a query on a table
+ overview panel or when using the view creation dialog. Using
+ a crafted column type, it was possible to produce XSS in the
+ table search and create index dialogs.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>http://www.phpmyadmin.net/home_page/security/PMASA-2011-18.php</url>;
+ <cvename>CVE-2011-4634</cvename>
+ </references>
+ <dates>
+ <discovery>2011-11-24</discovery>
+ <entry>2011-12-01</entry>
+ </dates>
+ </vuln>
+
<vuln vid="eef56761-11eb-11e1-bb94-001c140104d4">
<topic>hiawatha -- memory leak in PreventSQLi routine</topic>
<affects>
--- phpmyadmin.diff ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201112012028.pB1KSsIo051304>