Bug 162873

Summary: [maintainer] databases/phpmyadmin security update to 3.4.8-rc1
Product: Ports & Packages
Reporter: Matthew Seaman <m.seaman>
Component: Individual Port(s)
Assignee: Doug Barton <dougb>
Status: Closed FIXED
Severity: Affects Only Me
CC: secteam
Priority: Normal
Version: Latest
Hardware: Any
OS: Any
Attachments:
Description Flags
phpmyadmin.diff none

Description Matthew Seaman 2011-11-25 08:30:18 UTC
Security and bugfix update to 3.4.8-rc1

Announcement:

"Welcome to the first release candidate for phpMyAdmin 3.4.8, a bugfix 
release with minor security corrections.

Please refer to the upcoming PMASA-2011-18 announcement on
http://www.phpmyadmin.net/home_page/security.

Details will appear on http://phpmyadmin.net. In a hurry? You can visit
http://sourceforge.net/projects/phpmyadmin to download.

Marc Delisle, for the team"

ChangeLog:

http://sourceforge.net/projects/phpmyadmin/files/phpMyAdmin/3.4.8-rc1/phpMyAdmin-3.4.8-rc1-notes.html/download

Welcome to the first release candidate for phpMyAdmin 3.4.8, a bugfix release 
with minor security corrections.

3.4.8.0 (not yet released)
- bug #3425230 [interface] enum data split at space char (more space to edit)
- bug #3426840 [interface] ENUM/SET editor can't handle commas in values
- bug #3427256 [interface] no links to browse/empty views and tables
- bug #3430377 [interface] Deleted search results remain visible
- bug #3428627 [import] ODS import ignores memory limits
- bug #3426836 [interface] Visual column separation
- bug #3428065 [parser] TRUE not recognized by parser
+ patch #3433770 [config] Make location of php-gettext configurable
- patch #3430291 [import] Handle conflicts in some open_basedir situations
- bug #3431427 [display] Dropdown results - setting NULL does not work
- patch #3428764 [edit] Inline edit on multi-server configuration
- patch #3437354 [core] Notice: Array to string conversion in PHP 5.4
- [interface] When ShowTooltipAliasTB is true, VIEW is wrongly shown as the
  view name in main panel db Structure page
- bug #3439292 [core] Fail to synchronize column with name of keyword
- bug #3425156 [interface] Add column after drop
- [interface] Avoid showing the password in phpinfo()'s output
- bug #3441572 [GUI] 'newer version of phpMyAdmin' message not shown in IE8
- bug #3407235 [interface] Entering the key through a lookup window does not
  reset NULL
- [security] Self-XSS on database names (Synchronize), see PMASA-2011-18
- [security] Self-XSS on database names (Operations/rename), see PMASA-2011-18
- [security] Self-XSS on column type (Create index), see PMASA-2011-18
- [security] Self-XSS on column type (table Search), see PMASA-2011-18
- [security] Self-XSS on invalid query (table overview), see PMASA-2011-18

PMASA-2011-18 is not yet available from the phpmyadmin.net site.
Comment 1 Edwin Groothuis freebsd_committer freebsd_triage 2011-11-25 08:30:30 UTC
Responsible Changed
From-To: freebsd-ports-bugs->dougb

dougb@ wants this port PRs (via the GNATS Auto Assign Tool)
Comment 2 dfilter service freebsd_committer freebsd_triage 2011-11-26 09:14:52 UTC
dougb       2011-11-26 09:14:38 UTC

  FreeBSD ports repository

  Modified files:
    databases/phpmyadmin Makefile distinfo 
  Log:
  Security and bugfix update to 3.4.8-rc1
  
  Announcement:
  
  "Welcome to the first release candidate for phpMyAdmin 3.4.8, a bugfix
  release with minor security corrections.
  
  Please refer to the upcoming PMASA-2011-18 announcement on
  http://www.phpmyadmin.net/home_page/security.
  
  Marc Delisle, for the team"
  
  Welcome to the first release candidate for phpMyAdmin 3.4.8, a bugfix
  release with minor security corrections.
  
  3.4.8.0 (not yet released)
  - bug #3425230 [interface] enum data split at space char (more space to
    edit)
  - bug #3426840 [interface] ENUM/SET editor can't handle commas in values
  - bug #3427256 [interface] no links to browse/empty views and tables
  - bug #3430377 [interface] Deleted search results remain visible
  - bug #3428627 [import] ODS import ignores memory limits
  - bug #3426836 [interface] Visual column separation
  - bug #3428065 [parser] TRUE not recognized by parser
  + patch #3433770 [config] Make location of php-gettext configurable
  - patch #3430291 [import] Handle conflicts in some open_basedir situations
  - bug #3431427 [display] Dropdown results - setting NULL does not work
  - patch #3428764 [edit] Inline edit on multi-server configuration
  - patch #3437354 [core] Notice: Array to string conversion in PHP 5.4
  - [interface] When ShowTooltipAliasTB is true, VIEW is wrongly shown as the
    view name in main panel db Structure page
  - bug #3439292 [core] Fail to synchronize column with name of keyword
  - bug #3425156 [interface] Add column after drop
  - [interface] Avoid showing the password in phpinfo()'s output
  - bug #3441572 [GUI] 'newer version of phpMyAdmin' message not shown in IE8
  - bug #3407235 [interface] Entering the key through a lookup window does not
    reset NULL
  - [security] Self-XSS on database names (Synchronize), see PMASA-2011-18
  - [security] Self-XSS on database names (Operations/rename), see PMASA-2011-18
  - [security] Self-XSS on column type (Create index), see PMASA-2011-18
  - [security] Self-XSS on column type (table Search), see PMASA-2011-18
  - [security] Self-XSS on invalid query (table overview), see PMASA-2011-18
  
  PR:             ports/162873
  Submitted by:   Matthew Seaman <m.seaman@infracaninophile.co.uk> (maintainer)
  Feature safe:   yes
  
  Revision  Changes    Path
  1.148     +1 -1      ports/databases/phpmyadmin/Makefile
  1.124     +2 -2      ports/databases/phpmyadmin/distinfo
Comment 3 Doug Barton freebsd_committer freebsd_triage 2011-11-26 09:14:55 UTC
State Changed
From-To: open->closed


Committed, thanks!