phpmyadmin: Possible directory traversal vulnerability

Related Vulnerabilities: CVE-2005-3299  

Debian Bug report logs - #333433


Reported by: Daniel Leidert <daniel.leidert@wgdd.de>

Date: Tue, 11 Oct 2005 22:03:04 UTC

Severity: important

Tags: security

Found in version phpmyadmin/4:2.6.4-pl1-2

Done: Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Piotr Roszatycki <dexter@debian.org>:
Bug#333433; Package phpmyadmin.


Acknowledgement sent to Daniel Leidert <daniel.leidert.spam@gmx.net>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Piotr Roszatycki <dexter@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: Daniel Leidert <daniel.leidert.spam@gmx.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: phpmyadmin: Possible directory traversal vulnerability
Date: Tue, 11 Oct 2005 23:53:29 +0200
Package: phpmyadmin
Version: 4:2.6.4-pl1-2
Severity: important
Tags: security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Please read http://securityreason.com/securityalert/69 or
http://sourceforge.net/tracker/index.php?func=detail&aid=1322871&group_id=23067&atid=377408.

Regards, Daniel

- -- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (850, 'unstable'), (700, 'testing'), (550, 'stable'), (500, 'oldstable'), (110, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12.09050927
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1)

Versions of packages phpmyadmin depends on:
ii  apache [httpd]                1.3.33-8   versatile, high-performance HTTP s
ii  debconf [debconf-2.0]         1.4.58     Debian configuration management sy
ii  php4                          4:4.4.0-3  server-side, HTML-embedded scripti
ii  php4-cgi                      4:4.4.0-3  server-side, HTML-embedded scripti
ii  php4-mysql                    4:4.4.0-3  MySQL module for php4
ii  ucf                           2.002      Update Configuration File: preserv

Versions of packages phpmyadmin recommends:
pn  php4-mcrypt | php5-mcrypt     <none>     (no description available)

- -- debconf information excluded

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDTDRZdg0kG0+YFBERApTbAJ9GJsypx3ISEG/pdDsGEDVPpCOlUwCdGVcm
yEvi8GYAiVZcXhCQ5SFzcOE=
=UdXN
-----END PGP SIGNATURE-----



Information forwarded to debian-bugs-dist@lists.debian.org, Piotr Roszatycki <dexter@debian.org>:
Bug#333433; Package phpmyadmin.


Acknowledgement sent to Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl>:
Extra info received and forwarded to list. Copy sent to Piotr Roszatycki <dexter@debian.org>.


Message #10 received at 333433@bugs.debian.org:

From: Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl>
To: 333433@bugs.debian.org
Subject: Re: phpmyadmin: Possible directory traversal vulnerability
Date: Wed, 12 Oct 2005 15:47:08 +0200
The patch for sarge's version.
-- 
 .''`.    Piotr Roszatycki, Netia SA
: :' :    mailto:Piotr_Roszatycki@netia.net.pl
`. `'     mailto:dexter@debian.org
  `-
[phpmyadmin_2.6.2-3sarge1.diff (text/x-diff, attachment)]

Reply sent to Piotr Roszatycki <dexter@debian.org>:
You have taken responsibility.


Notification sent to Daniel Leidert <daniel.leidert.spam@gmx.net>:
Bug acknowledged by developer.


Message #15 received at 333433-close@bugs.debian.org:

From: Piotr Roszatycki <dexter@debian.org>
To: 333433-close@bugs.debian.org
Subject: Bug#333433: fixed in phpmyadmin 4:2.6.4-pl2-1
Date: Wed, 12 Oct 2005 06:47:16 -0700
Source: phpmyadmin
Source-Version: 4:2.6.4-pl2-1

We believe that the bug you reported is fixed in the latest version of
phpmyadmin, which is due to be installed in the Debian FTP archive:

phpmyadmin_2.6.4-pl2-1.diff.gz
  to pool/main/p/phpmyadmin/phpmyadmin_2.6.4-pl2-1.diff.gz
phpmyadmin_2.6.4-pl2-1.dsc
  to pool/main/p/phpmyadmin/phpmyadmin_2.6.4-pl2-1.dsc
phpmyadmin_2.6.4-pl2-1_all.deb
  to pool/main/p/phpmyadmin/phpmyadmin_2.6.4-pl2-1_all.deb
phpmyadmin_2.6.4-pl2.orig.tar.gz
  to pool/main/p/phpmyadmin/phpmyadmin_2.6.4-pl2.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 333433@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Piotr Roszatycki <dexter@debian.org> (supplier of updated phpmyadmin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 12 Oct 2005 15:07:42 +0200
Source: phpmyadmin
Binary: phpmyadmin
Architecture: source all
Version: 4:2.6.4-pl2-1
Distribution: unstable
Urgency: high
Maintainer: Piotr Roszatycki <dexter@debian.org>
Changed-By: Piotr Roszatycki <dexter@debian.org>
Description: 
 phpmyadmin - set of PHP-scripts to administrate MySQL over the WWW
Closes: 333433
Changes: 
 phpmyadmin (4:2.6.4-pl2-1) unstable; urgency=high
 .
   * New upstream release.
   * Security fix: local file inclusion vulnerability.
     See http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-4
     Closes: #333433.
Files: 
 3f06d8d8ba0a27e6ae8153af42ddb612 646 web extra phpmyadmin_2.6.4-pl2-1.dsc
 17339cb347ba57892d9895370fd399f1 2774954 web extra phpmyadmin_2.6.4-pl2.orig.tar.gz
 6a0fbb3494e3a9bdf097fc324675c046 30592 web extra phpmyadmin_2.6.4-pl2-1.diff.gz
 96d3042878a6f2f31cbb6cd6f998847a 2922550 web extra phpmyadmin_2.6.4-pl2-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDTQ6WhMHHe8CxClsRAmqmAJ0dx7krclMx6v05yST3qYaKx3sRWQCeJQvB
tMffb+YCSKM/SnznUdk1qL8=
=3T1+
-----END PGP SIGNATURE-----
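The changelog above records the fix as a local file inclusion issue (PMASA-2005-4, later assigned CVE-2005-3299), while the original report calls it directory traversal; both names describe the same bug class, a user-controlled string reaching a file-system path that is then read or included. What follows is an added example, not code from phpMyAdmin, from the advisory, or from the Debian patch attached to this bug; the directory layout, file names and function names are constructed for the demonstration and do not reproduce the affected parameter. It puts a string-stripping filter of the kind that only appears to work beside the check that does: canonicalise the joined path, then verify it still lies under the intended directory.

```python
# Added example, not code from phpMyAdmin or from the Debian patch: the generic
# defence against a traversal / local file inclusion bug, shown beside the kind
# of string filter that only appears to work. Names and the demo tree are
# constructed for this example.
import os
import tempfile
from typing import Dict, Optional, Tuple


def naive_strip_traversal(user_path: str) -> str:
    """A filter that deletes '../' once; an attacker supplies '....//' so the
    deletion itself rebuilds the '../' sequence."""
    return user_path.replace("../", "")


def resolve_under_base(base_dir: str, user_path: str) -> Optional[str]:
    """Return the canonical path of base_dir/user_path if it stays inside base_dir,
    otherwise None. Canonicalise first, compare second; never pattern-match the input."""
    if "\x00" in user_path:
        # NUL truncated C-string paths in older runtimes (PHP before 5.3.4), so
        # 'x\0.php' could drop an appended suffix; reject it outright.
        return None
    if os.path.isabs(user_path):
        # An absolute path would simply replace base_dir inside os.path.join.
        return None
    base = os.path.realpath(base_dir)
    # realpath collapses '..' *and* follows symlinks, so a link planted inside
    # the directory cannot be used to reach outside it.
    candidate = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def build_demo_tree() -> Tuple[str, str]:
    """Constructed fixture: a 'pages' directory the app may serve from, and a
    secret two levels up that must never be reachable."""
    root = tempfile.mkdtemp(prefix="traversal-demo-")
    base = os.path.join(root, "webroot", "pages")
    os.makedirs(base)
    with open(os.path.join(base, "help.txt"), "w") as fh:
        fh.write("public help page\n")
    secret = os.path.join(root, "secret.txt")
    with open(secret, "w") as fh:
        fh.write("db password\n")
    os.symlink(secret, os.path.join(base, "link-out.txt"))
    return base, secret


def demo() -> Dict[str, bool]:
    base, secret = build_demo_tree()
    attack = "....//....//secret.txt"

    # 1. the naive filter turns the attack string into '../../secret.txt'
    naive_target = os.path.normpath(os.path.join(base, naive_strip_traversal(attack)))

    # 2. the canonicalising check
    legit = resolve_under_base(base, "help.txt")
    odd_but_inside = resolve_under_base(base, attack)  # '....' is just a (missing) file name
    return {
        "naive_filter_reaches_secret": naive_target == secret,
        "legit_file_allowed": legit == os.path.realpath(os.path.join(base, "help.txt")),
        "dotdot_rejected": resolve_under_base(base, "../../secret.txt") is None,
        "double_dot_stays_inside": odd_but_inside is not None and odd_but_inside != secret,
        "absolute_rejected": resolve_under_base(base, "/etc/passwd") is None,
        "nul_rejected": resolve_under_base(base, "help.txt\x00.php") is None,
        "symlink_escape_rejected": resolve_under_base(base, "link-out.txt") is None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Run with python3 and every line prints True. Two caveats a practitioner would want: os.path.normpath alone would let the symlink case through, because it collapses '..' without consulting the file system, which is why the check uses realpath; and the NUL test matters for any code that appends a fixed suffix to user input, since runtimes backed by C strings (PHP before 5.3.4 among them) cut the path at the first NUL and silently discard the suffix.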




Bug reopened, originator not changed. Request was from Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl> to control@bugs.debian.org.


Bug marked as found in version 4:2.6.2-3. Request was from Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl> to control@bugs.debian.org.


Bug marked as not found in version 4:2.6.4-pl2-1. Request was from Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Piotr Roszatycki <dexter@debian.org>:
Bug#333433; Package phpmyadmin.


Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Piotr Roszatycki <dexter@debian.org>.


Message #26 received at 333433@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: 333433@bugs.debian.org
Subject: CVE assignment for phpmyadmin file inclusion issue
Date: Mon, 24 Oct 2005 11:22:29 +0200
The CVE project has assigned the name CVE-2005-3299 to this
vulnerability.  Please mention it in the changelog when uploading
fixed packages.



Bug marked as not found in version 4:2.6.2-3. Request was from Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl> to control@bugs.debian.org.


Bug marked as not found in version 4:2.6.4-pl2-1. Request was from Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl> to control@bugs.debian.org.


Reply sent to Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl>:
You have taken responsibility.


Notification sent to Daniel Leidert <daniel.leidert.spam@gmx.net>:
Bug acknowledged by developer.


Message #35 received at 333433-close@bugs.debian.org:

From: Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl>
To: 333433-close@bugs.debian.org, control@bugs.debian.org
Subject: Re: phpmyadmin: Possible directory traversal vulnerability
Date: Mon, 24 Oct 2005 21:16:26 +0200
notfound 333433 4:2.6.2-3
notfound 333433 4:2.6.4-pl2-1
thanks

Sarge and Sid versions are unaffected.

-- 
 .''`.    Piotr Roszatycki, Netia SA
: :' :    mailto:Piotr_Roszatycki@netia.net.pl
`. `'     mailto:dexter@debian.org
  `-



Changed Bug submitter from Daniel Leidert <daniel.leidert.spam@gmx.net> to Daniel Leidert <daniel.leidert@wgdd.de>. Request was from Daniel Leidert <daniel.leidert@wgdd.de> to control@bugs.debian.org. (Sat, 24 Mar 2007 23:52:22 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 17 Jun 2007 23:52:09 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:59:16 2019; Machine Name: buxtehude
