phpmyadmin: CVE-2006-1803/CVE-2006-1804 "sql_query" Cross-Site Scripting and SQL Code Execution

Related Vulnerabilities: CVE-2006-1803   CVE-2006-1804   CVE-2006-2031  

Debian Bug report logs - #363519


Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Wed, 19 Apr 2006 15:18:25 UTC

Severity: important

Tags: security

Fixed in version phpmyadmin/4:2.8.1-1

Done: Piotr Roszatycki <dexter@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Piotr Roszatycki <dexter@debian.org>:
Bug#363519; Package phpmyadmin.


Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Piotr Roszatycki <dexter@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: phpmyadmin: CVE-2006-1803/CVE-2006-1804 "sql_query" Cross-Site Scripting and SQL Code Execution
Date: Wed, 19 Apr 2006 17:14:55 +0200
Package: phpmyadmin
Severity: important
Tags: security

CVE-2006-1803:
Cross-site scripting (XSS) vulnerability in sql.php in phpMyAdmin
2.7.0-pl1 allows remote attackers to inject arbitrary web script or
HTML via the sql_query parameter.

CVE-2006-1804 seems to be a duplicate of this.

http://www.frsirt.com/english/advisories/2006/1372 implies that
this also affects 2.8.0.3.
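As an added illustration that is not part of this bug report or of phpMyAdmin's own code, the PHP sketch below shows the two weaknesses the report and the changelog describe, a `sql_query` parameter reflected into the page without output encoding (CVE-2006-1803) and a state-changing request accepted without a session-bound token (the XSRF issue listed under CVE-2006-1804), each beside a hardened form. All function names, the `token` field name and the sample request are assumptions for the example.

```php
<?php
// Added example; not phpMyAdmin code. Names below are assumptions.

// --- Vulnerable pattern (what CVE-2006-1803 describes): the sql_query
// parameter is reflected into the page as-is, so any markup carried in
// that parameter becomes part of the rendered HTML.
function render_query_form_unsafe(array $request): string
{
    $sql = $request['sql_query'] ?? '';
    return '<textarea name="sql_query">' . $sql . '</textarea>';
}

// --- Hardened pattern: encode for the HTML context before reflecting.
// ENT_QUOTES escapes both quote styles, so the value is also safe inside
// an attribute; the charset is stated explicitly so multi-byte input is
// not misinterpreted by the encoder.
function html_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_query_form_safe(array $request): string
{
    $sql = $request['sql_query'] ?? '';
    return '<textarea name="sql_query">' . html_escape($sql) . '</textarea>';
}

// --- Request token, the standard mitigation for XSRF: a state-changing
// request must carry a secret bound to the session, which a page served
// from another origin cannot read and therefore cannot forge.
const TOKEN_FIELD = 'token'; // assumed field name

function issue_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function token_is_valid(array $session, array $request): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given    = $request[TOKEN_FIELD] ?? '';
    // hash_equals() compares in constant time so the token does not leak
    // through response timing.
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Hardened handler: refuse to run the query unless the token checks out,
// and re-render the submitted query only through the escaping path.
function handle_sql_request(array &$session, array $request, callable $run_query): string
{
    if (!token_is_valid($session, $request)) {
        return '<p>Request rejected: missing or invalid token.</p>';
    }
    $sql = $request['sql_query'] ?? '';
    $run_query($sql); // query execution itself is out of scope here
    return render_query_form_safe($request);
}

// Constructed sample request (not a captured one) containing markup and
// both quote characters, to show the encoding at work.
$session = [];
$token   = issue_token($session);
$sample  = ['sql_query' => "SELECT 1 -- <b>\"quoted\"</b> 'x'", TOKEN_FIELD => $token];
echo handle_sql_request($session, $sample, function (string $sql): void {
    // placeholder: a real handler would hand $sql to the database layer
});
echo "\n";
// Without the token the same request is rejected:
echo handle_sql_request($session, ['sql_query' => 'SELECT 1'], function (string $sql): void {});
echo "\n";
```

Running this prints the textarea with `<`, `>`, `"` and `'` encoded as entities for the first request and the rejection notice for the second; the point for a reviewer is that encoding happens at the output boundary, independently of what the query string contains, and that the token check gates execution rather than rendering.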



Tags added: pending. Request was from Piotr Roszatycki <dexter@n1.pl> to control@bugs.debian.org.


Reply sent to Piotr Roszatycki <dexter@debian.org>:
You have taken responsibility.


Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer.


Message #12 received at 363519-close@bugs.debian.org:

From: Piotr Roszatycki <dexter@debian.org>
To: 363519-close@bugs.debian.org
Subject: Bug#363519: fixed in phpmyadmin 4:2.8.1-1
Date: Mon, 26 Jun 2006 04:47:05 -0700
Source: phpmyadmin
Source-Version: 4:2.8.1-1

We believe that the bug you reported is fixed in the latest version of
phpmyadmin, which is due to be installed in the Debian FTP archive:

phpmyadmin_2.8.1-1.diff.gz
  to pool/main/p/phpmyadmin/phpmyadmin_2.8.1-1.diff.gz
phpmyadmin_2.8.1-1.dsc
  to pool/main/p/phpmyadmin/phpmyadmin_2.8.1-1.dsc
phpmyadmin_2.8.1-1_all.deb
  to pool/main/p/phpmyadmin/phpmyadmin_2.8.1-1_all.deb
phpmyadmin_2.8.1.orig.tar.gz
  to pool/main/p/phpmyadmin/phpmyadmin_2.8.1.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 363519@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Piotr Roszatycki <dexter@debian.org> (supplier of updated phpmyadmin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 25 Jun 2006 18:10:23 +0200
Source: phpmyadmin
Binary: phpmyadmin
Architecture: source all
Version: 4:2.8.1-1
Distribution: unstable
Urgency: medium
Maintainer: Piotr Roszatycki <dexter@debian.org>
Changed-By: Piotr Roszatycki <dexter@debian.org>
Description: 
 phpmyadmin - set of PHP-scripts to administrate MySQL over the WWW
Closes: 362154 363519 363597 364702 367146 368082 373204
Changes: 
 phpmyadmin (4:2.8.1-1) unstable; urgency=medium
 .
   * New upstream release. Closes: #373204.
     - The French translation is correct. Closes: #362154.
     - Generates correct dumps with UPDATE syntax. Closes: #364702.
   * Security fix: XSRF vulnerability.
     See: http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-3
     See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1804
   * Security fix: XSS vulnerabilities. It was not a problem for Debian with
     the default settings.
     See: http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-2
     See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2031
     Closes: #363519, #368082.
   * Updated Portuguese debconf templates translation, thanks Miguel Figueiredo.
     Closes: #363597.
   * Updated Russian debconf templates translation, thanks Yuriy Talakan.
     Closes: #367146.
   * Convert non-ISO-8859-1 debconf templates translation to UTF-8.
Files: 
 dfe2c86bc5a1be2aee401c84ec3a4282 634 web extra phpmyadmin_2.8.1-1.dsc
 18104bccba01ff6618ed22a710019edf 3455447 web extra phpmyadmin_2.8.1.orig.tar.gz
 da8c395e567ff78e77eac80d0b3c755d 38949 web extra phpmyadmin_2.8.1-1.diff.gz
 4d6c6753a3a1d3906de7598a168e1ab2 3627512 web extra phpmyadmin_2.8.1-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEn6fghMHHe8CxClsRAoSLAJ9enUFWHp2wyp2wPPRlhd8n1rSLNQCgpZQQ
6niAqcbAjZL+Ri9di7AJo7s=
=LYX/
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 19:23:55 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 15:36:44 2019; Machine Name: buxtehude
