Debian Bug report logs -
#335306
CVE-2005-3300: Local file inclusion vulnerability
Reported by: 4:2.6.2-3
Date: Sun, 23 Oct 2005 09:48:08 UTC
Severity: grave
Tags: fixed, sarge, security
Found in version phpmyadmin/4:2.6.2-3
Fixed in versions phpmyadmin/4:2.6.4-pl3-1, 4:2.6.2-3sarge1
Done: Thijs Kinkhorst <thijs@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Piotr Roszatycki <dexter@debian.org>:
Bug#335306; Package phpmyadmin.
(full text, mbox, link).
Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
New Bug report received and forwarded. Copy sent to Piotr Roszatycki <dexter@debian.org>.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: phpmyadmin
Tags: security
Severity: grave
This one seems to be different from the vulnerability mentioned in
Debian bug #333433.
From: Stefan Esser <sesser@hardened-php.net>
Subject: [Full-disclosure] Advisory 16/2005: phpMyAdmin Local File Inclusion
Vulnerability
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Date: Sat, 22 Oct 2005 15:33:46 +0200
Message-ID: <20051022133346.GA7506@hardened-php.net>
Hardened-PHP Project
www.hardened-php.net
-= Security Advisory =-
Advisory: phpMyAdmin Local File Inclusion Vulnerability
Release Date: 2005/10/22
Last Modified: 2005/10/22
Author: Stefan Esser [sesser@hardened-php.net]
Application: phpMyAdmin <= 2.6.4-pl2
Severity: A design flaw within phpMyAdmin allows inclusion
of arbitrary files, which usually leads to remote
code execution
Risk: Critical
Vendor Status: Vendor has released an updated version
References: http://www.hardened-php.net/advisory_162005.73.html
[...]
Information forwarded to debian-bugs-dist@lists.debian.org, Piotr Roszatycki <dexter@debian.org>:
Bug#335306; Package phpmyadmin.
(full text, mbox, link).
Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Piotr Roszatycki <dexter@debian.org>.
(full text, mbox, link).
Message #10 received at 335306@bugs.debian.org (full text, mbox, reply):
The CVE project has assigned the name CVE-2005-3300 to this
vulnerability. Please mention it in the changelog when uploading
fixed packages.
Reply sent to Piotr Roszatycki <dexter@debian.org>:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Florian Weimer <fw@deneb.enyo.de>:
Bug acknowledged by developer.
(full text, mbox, link).
Message #15 received at 335306-close@bugs.debian.org (full text, mbox, reply):
Source: phpmyadmin
Source-Version: 4:2.6.4-pl3-1
We believe that the bug you reported is fixed in the latest version of
phpmyadmin, which is due to be installed in the Debian FTP archive:
phpmyadmin_2.6.4-pl3-1.diff.gz
to pool/main/p/phpmyadmin/phpmyadmin_2.6.4-pl3-1.diff.gz
phpmyadmin_2.6.4-pl3-1.dsc
to pool/main/p/phpmyadmin/phpmyadmin_2.6.4-pl3-1.dsc
phpmyadmin_2.6.4-pl3-1_all.deb
to pool/main/p/phpmyadmin/phpmyadmin_2.6.4-pl3-1_all.deb
phpmyadmin_2.6.4-pl3.orig.tar.gz
to pool/main/p/phpmyadmin/phpmyadmin_2.6.4-pl3.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 335306@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Piotr Roszatycki <dexter@debian.org> (supplier of updated phpmyadmin package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Mon, 24 Oct 2005 20:14:08 +0200
Source: phpmyadmin
Binary: phpmyadmin
Architecture: source all
Version: 4:2.6.4-pl3-1
Distribution: unstable
Urgency: high
Maintainer: Piotr Roszatycki <dexter@debian.org>
Changed-By: Piotr Roszatycki <dexter@debian.org>
Description:
phpmyadmin - set of PHP-scripts to administrate MySQL over the WWW
Closes: 335306 335513
Changes:
phpmyadmin (4:2.6.4-pl3-1) unstable; urgency=high
.
* New upstream release.
* Security fix: (1) Local file inclusion vulnerability and (2) Cross-Site
Scripting vulnerability.
See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3300
See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3301
Closes: #335306, #335513.
* Assigned CVE number for 4:2.6.4-pl2-1 bug fix.
Files:
b76157341450a63bbcbbbfa833f0e970 646 web extra phpmyadmin_2.6.4-pl3-1.dsc
69cc488cb259a5b6f2bd83c95d1b94d2 2777834 web extra phpmyadmin_2.6.4-pl3.orig.tar.gz
9fcb9225e9ee4a0fe67960deef9366dd 30725 web extra phpmyadmin_2.6.4-pl3-1.diff.gz
3a0d95dba07006c4f6d89b0365bd6367 2923084 web extra phpmyadmin_2.6.4-pl3-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFDXSrfhMHHe8CxClsRAudZAJ472YLaoGzJ9sT5pd787J4wutUfWQCg0SbX
jjJYiOWdfPwgoRzFV9hDOo0=
=m/Yg
-----END PGP SIGNATURE-----
Bug reopened, originator not changed.
Request was from Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl>
to control@bugs.debian.org.
(full text, mbox, link).
Bug marked as found in version 4:2.6.2-3.
Request was from Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl>
to control@bugs.debian.org.
(full text, mbox, link).
Tags added: sarge
Request was from Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl>
to control@bugs.debian.org.
(full text, mbox, link).
Bug marked as fixed in version 4:2.6.4-pl3-1, send any further explanations to Florian Weimer <fw@deneb.enyo.de>
Request was from Filipus Klutiero <ido@vif.com>
to control@bugs.debian.org.
(full text, mbox, link).
Bug reopened, originator set to 4:2.6.2-3.
Request was from Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl>
to control@bugs.debian.org.
(full text, mbox, link).
Changed Bug title.
Request was from Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl>
to control@bugs.debian.org.
(full text, mbox, link).
Bug marked as fixed in version 4:2.6.4-pl3-1, send any further explanations to 4:2.6.2-3
Request was from Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl>
to control@bugs.debian.org.
(full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Piotr Roszatycki <dexter@debian.org>:
Bug#335306; Package phpmyadmin.
(full text, mbox, link).
Acknowledgement sent to Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl>:
Extra info received and forwarded to list. Copy sent to Piotr Roszatycki <dexter@debian.org>.
(full text, mbox, link).
Message #34 received at 335306@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
The patch for sarge, also fixes CVE-2005-3301 and CAN-2005-2869.
--
.''`. Piotr Roszatycki, Netia SA
: :' : mailto:Piotr_Roszatycki@netia.net.pl
`. `' mailto:dexter@debian.org
`-
[phpmyadmin_2.6.2-3sarge1.diff (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]
Tags added: fixed
Request was from Noah Meyerhans <noahm@debian.org>
to control@bugs.debian.org.
(full text, mbox, link).
Tags added: fixed
Request was from Noah Meyerhans <noahm@debian.org>
to control@bugs.debian.org.
(full text, mbox, link).
Bug marked as fixed in version 4:2.6.2-3sarge1, send any further explanations to 4:2.6.2-3
Request was from Thijs Kinkhorst <thijs@debian.org>
to control@bugs.debian.org.
(full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 24 Jun 2007 11:25:54 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 16:48:14 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon