Debian Bug report logs - #524804
phpmyadmin: insufficient output sanitizing

Reported by: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
Date: Mon, 20 Apr 2009 01:57:01 UTC
Severity: important
Tags: security
Fixed in version: 4:3.1.3.2-1
Done: "Thijs Kinkhorst" <thijs@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Thijs Kinkhorst <thijs@debian.org>: Bug#524804; Package phpmyadmin. (Mon, 20 Apr 2009 01:57:03 GMT)
Acknowledgement sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>: New Bug report received and forwarded. Copy sent to Thijs Kinkhorst <thijs@debian.org>. (Mon, 20 Apr 2009 01:57:03 GMT)

Message #5 received at submit@bugs.debian.org:
package: phpmyadmin
severity: important
tags: security

hello,

fedora issued a security update for phpmyadmin [0]:

    Improvements for 3.1.3.2:
    - [security] Insufficient output sanitizing when generating configuration file
      http://www.phpmyadmin.net/home_page/security/PMASA-2009-4.php

does this problem affect debian and should it be tracked as a security
issue? thanks.

[0] https://admin.fedoraproject.org/updates/F10/FEDORA-2009-3700
Information forwarded to debian-bugs-dist@lists.debian.org, Thijs Kinkhorst <thijs@debian.org>: Bug#524804; Package phpmyadmin. (Mon, 20 Apr 2009 04:18:02 GMT)
Acknowledgement sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>: Extra info received and forwarded to list. Copy sent to Thijs Kinkhorst <thijs@debian.org>. (Mon, 20 Apr 2009 04:18:02 GMT)

Message #10 received at 524804@bugs.debian.org:
i was looking at the link as provided in redhat's announcement. this
seems to be CVE-2009-1285, which debian is already tracking as
unimportant. however, the phpmyadmin page considers the issue to be
critical. perhaps the debian severity is too low?

mike
Information forwarded to debian-bugs-dist@lists.debian.org, Thijs Kinkhorst <thijs@debian.org>: Bug#524804; Package phpmyadmin. (Mon, 20 Apr 2009 07:42:30 GMT)
Acknowledgement sent to Michal Čihař <nijel@debian.org>: Extra info received and forwarded to list. Copy sent to Thijs Kinkhorst <thijs@debian.org>. (Mon, 20 Apr 2009 07:42:30 GMT)

Message #15 received at 524804@bugs.debian.org:
Hi

On Mon, 20 Apr 2009 00:15:04 -0400,
"Michael S. Gilbert" <michael.s.gilbert@gmail.com> wrote:
> i was looking at the link as provided in redhat's announcement. this
> seems to be CVE-2009-1285, which debian is already tracking as
> unimportant. however, the phpmyadmin page considers the issue to be
> critical. perhaps the debian severity is too low?

The difference might be the fact that the Debian package protects the setup
script with htpasswd on installation.

(But I'm not on the security team, so I don't know the real cause of this severity.)

--
Michal Čihař | http://cihar.com | http://blog.cihar.com
Reply sent to "Thijs Kinkhorst" <thijs@debian.org>: You have taken responsibility. (Mon, 20 Apr 2009 11:01:03 GMT)
Notification sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>: Bug acknowledged by developer. (Mon, 20 Apr 2009 11:01:35 GMT)

Message #20 received at 524804-done@bugs.debian.org:
Version: 4:3.1.3.2-1

On Mon, April 20, 2009 06:15, Michael S. Gilbert wrote:
> i was looking at the link as provided in redhat's announcement. this
> seems to be CVE-2009-1285, which debian is already tracking as
> unimportant. however, the phpmyadmin page considers the issue to be
> critical. perhaps the debian severity is too low?

This is because Debian by default protects the setup.php page with an
htaccess-style login and the config file is not writable, thus making the
vulnerability hard to exploit. I commented this reasoning in my commit
message to the tracker.

As you can also find in the security tracker:
http://security-tracker.debian.net/tracker/CVE-2009-1285
all affected suites (squeeze/sid) are already updated with the new
version. Therefore we can close this bug.

I appreciate your effort in filing security bugs, but it helps to
cross-reference them to the security tracker before so we prevent unnecessary
filings.

thanks,
Thijs
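The two mitigations Thijs describes (an auth-protected setup directory and a config file the web server cannot write) are easy to verify on an installed host. The following script is an added example written for this bug log; it is not code from phpMyAdmin or the Debian package. It treats the install as hardened only if config.inc.php carries no write bit usable by the web-server account and the setup directory's .htaccess contains both an AuthType and a Require directive. The file paths, the web-server uid/gid passed in, the directives it looks for and the two constructed layouts built by demo() are assumptions for illustration; on a real host you would call audit_install() with the actual paths and the uid/gid of the Apache user.

```python
"""Audit the two Debian-style mitigations for PMASA-2009-4 / CVE-2009-1285.

Added example for this bug log (not code from phpMyAdmin or Debian): checks
that (1) config.inc.php is not writable by the web-server account and
(2) the setup directory's .htaccess demands authentication.
"""
import os
import re
import stat
import tempfile

# Apache-style directives that together make a directory require a login.
# Assumed for illustration; adjust for other web servers.
AUTH_DIRECTIVES = (
    re.compile(r"^\s*AuthType\s+", re.I | re.M),
    re.compile(r"^\s*Require\s+", re.I | re.M),
)


def config_writable_by(path, www_uid, www_gid):
    """True if the account (www_uid, www_gid) could write `path` by mode bits.

    Owner-write counts only if the file is owned by www_uid, group-write only
    if its group is www_gid, other-write always. Supplementary groups and
    ACLs are not considered (a simplifying assumption)."""
    st = os.stat(path)
    mode = st.st_mode
    if st.st_uid == www_uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid == www_gid and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def setup_dir_protected(setup_dir):
    """True if setup_dir/.htaccess contains both an AuthType and a Require line."""
    htaccess = os.path.join(setup_dir, ".htaccess")
    if not os.path.isfile(htaccess):
        return False
    with open(htaccess, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return all(rx.search(text) for rx in AUTH_DIRECTIVES)


def audit_install(config_path, setup_dir, www_uid, www_gid):
    """Return findings; an empty 'issues' list means both mitigations hold."""
    issues = []
    if not os.path.exists(config_path):
        issues.append("config file missing")
    elif config_writable_by(config_path, www_uid, www_gid):
        issues.append("config file writable by web server account")
    if not setup_dir_protected(setup_dir):
        issues.append("setup directory not protected by htaccess auth")
    return {"config": config_path, "setup_dir": setup_dir, "issues": issues}


def demo():
    """Build two constructed layouts in a temp dir and audit both.

    The current uid/gid stand in for the web-server account, so the 'weak'
    layout (owner-writable config, no .htaccess) is flagged and the
    'hardened' layout (read-only config, auth-protected setup dir) passes."""
    www_uid, www_gid = os.getuid(), os.getgid()
    results = {}
    with tempfile.TemporaryDirectory() as root:
        for name, hardened in (("weak", False), ("hardened", True)):
            base = os.path.join(root, name)
            setup = os.path.join(base, "setup")
            os.makedirs(setup)
            cfg = os.path.join(base, "config.inc.php")
            with open(cfg, "w") as fh:  # constructed minimal config
                fh.write("<?php\n$cfg['blowfish_secret'] = 'constructed';\n")
            if hardened:
                os.chmod(cfg, 0o440)  # no write bit for anyone
                with open(os.path.join(setup, ".htaccess"), "w") as fh:
                    fh.write("AuthType Basic\n"
                             'AuthName "phpMyAdmin Setup"\n'
                             "AuthUserFile /path/to/htpasswd.setup\n"  # placeholder
                             "Require valid-user\n")
            else:
                os.chmod(cfg, 0o644)  # owner-writable: the weak case
            results[name] = audit_install(cfg, setup, www_uid, www_gid)["issues"]
    return results


if __name__ == "__main__":
    for layout, issues in demo().items():
        print(layout, "->", issues or "OK")
```

Running it prints the two findings for the weak layout and OK for the hardened one; the same audit_install() call against a live install tells you whether the reasoning behind the "unimportant" rating actually applies to that host.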
Information forwarded to debian-bugs-dist@lists.debian.org, Thijs Kinkhorst <thijs@debian.org>: Bug#524804; Package phpmyadmin. (Mon, 20 Apr 2009 13:54:03 GMT)
Acknowledgement sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>: Extra info received and forwarded to list. Copy sent to Thijs Kinkhorst <thijs@debian.org>. (Mon, 20 Apr 2009 13:54:03 GMT)

Message #25 received at 524804@bugs.debian.org:
On Mon, 20 Apr 2009 12:52:28 +0200, Thijs Kinkhorst wrote:
> On Mon, April 20, 2009 06:15, Michael S. Gilbert wrote:
> > i was looking at the link as provided in redhat's announcement. this
> > seems to be CVE-2009-1285, which debian is already tracking as
> > unimportant. however, the phpmyadmin page considers the issue to be
> > critical. perhaps the debian severity is too low?
>
> This is because Debian by default protects the setup.php page with a
> htaccess-style login and the config file is not writable, thus making the
> vulnerability hard to exploit. I commented this reasoning in my commit
> message to the tracker.

wouldn't it be better to do this with a 'NOTE' since that is
permanently associated with the CVE number? i would have certainly
noticed the justification if that was the case.

> As you can also find in the security tracker:
> http://security-tracker.debian.net/tracker/CVE-2009-1285
> all affected suites (squeeze/sid) are already updated with the new
> version. Therefore we can close this bug.
>
> I appreciate your effort in filing security bugs, but it helps to cross
> reference them to the security tracker before so we prevent unnecessary
> filings.

i had mistakenly missed the CVE number when i first reviewed the
issue. i apologize for the mistake.
Information forwarded to debian-bugs-dist@lists.debian.org, Thijs Kinkhorst <thijs@debian.org>: Bug#524804; Package phpmyadmin. (Mon, 20 Apr 2009 14:03:02 GMT)
Acknowledgement sent to "Thijs Kinkhorst" <thijs@debian.org>: Extra info received and forwarded to list. Copy sent to Thijs Kinkhorst <thijs@debian.org>. (Mon, 20 Apr 2009 14:03:02 GMT)

Message #30 received at 524804@bugs.debian.org:
On Mon, April 20, 2009 15:53, Michael S. Gilbert wrote:
> On Mon, 20 Apr 2009 12:52:28 +0200, Thijs Kinkhorst wrote:
>
>> On Mon, April 20, 2009 06:15, Michael S. Gilbert wrote:
>>
>>> i was looking at the link as provided in redhat's announcement. this
>>> seems to be CVE-2009-1285, which debian is already tracking as
>>> unimportant. however, the phpmyadmin page considers the issue to be
>>> critical. perhaps the debian severity is too low?
>>
>> This is because Debian by default protects the setup.php page with a
>> htaccess-style login and the config file is not writable, thus making
>> the vulnerability hard to exploit. I commented this reasoning in my
>> commit message to the tracker.
>
> wouldn't it be better to do this with a 'NOTE' since that is permanently
> associated with the CVE number? i would have certainly noticed the
> justification if that was the case.

Yes, that's probably better. I'll try to remember.

cheers,
Thijs
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 19 May 2009 07:26:00 GMT)
Last modified: Wed Jun 19 13:08:12 2019