Debian Bug report logs - #333433
phpmyadmin: Possible directory traversal vulnerability
Reported by: Daniel Leidert <daniel.leidert@wgdd.de>
Date: Tue, 11 Oct 2005 22:03:04 UTC
Severity: important
Tags: security
Found in version phpmyadmin/4:2.6.4-pl1-2
Done: Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Piotr Roszatycki <dexter@debian.org>: Bug#333433; Package phpmyadmin.
Acknowledgement sent to Daniel Leidert <daniel.leidert.spam@gmx.net>: New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Piotr Roszatycki <dexter@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: phpmyadmin
Version: 4:2.6.4-pl1-2
Severity: important
Tags: security
Please read http://securityreason.com/securityalert/69 or
http://sourceforge.net/tracker/index.php?func=detail&aid=1322871&group_id=23067&atid=377408.
Regards, Daniel
- -- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (850, 'unstable'), (700, 'testing'), (550, 'stable'), (500, 'oldstable'), (110, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.12.09050927
Locale: LANG=de_DE, LC_CTYPE=de_DE (charmap=ISO-8859-1)
Versions of packages phpmyadmin depends on:
ii apache [httpd] 1.3.33-8 versatile, high-performance HTTP s
ii debconf [debconf-2.0] 1.4.58 Debian configuration management sy
ii php4 4:4.4.0-3 server-side, HTML-embedded scripti
ii php4-cgi 4:4.4.0-3 server-side, HTML-embedded scripti
ii php4-mysql 4:4.4.0-3 MySQL module for php4
ii ucf 2.002 Update Configuration File: preserv
Versions of packages phpmyadmin recommends:
pn php4-mcrypt | php5-mcrypt <none> (no description available)
- -- debconf information excluded
Information forwarded to debian-bugs-dist@lists.debian.org, Piotr Roszatycki <dexter@debian.org>: Bug#333433; Package phpmyadmin.
Acknowledgement sent to Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl>: Extra info received and forwarded to list. Copy sent to Piotr Roszatycki <dexter@debian.org>.
Message #10 received at 333433@bugs.debian.org:
The patch for sarge's version.
--
.''`. Piotr Roszatycki, Netia SA
: :' : mailto:Piotr_Roszatycki@netia.net.pl
`. `' mailto:dexter@debian.org
`-
[phpmyadmin_2.6.2-3sarge1.diff (text/x-diff, attachment)]
Reply sent to Piotr Roszatycki <dexter@debian.org>: You have taken responsibility.
Notification sent to Daniel Leidert <daniel.leidert.spam@gmx.net>: Bug acknowledged by developer.
Message #15 received at 333433-close@bugs.debian.org:
Source: phpmyadmin
Source-Version: 4:2.6.4-pl2-1
We believe that the bug you reported is fixed in the latest version of
phpmyadmin, which is due to be installed in the Debian FTP archive:
phpmyadmin_2.6.4-pl2-1.diff.gz
to pool/main/p/phpmyadmin/phpmyadmin_2.6.4-pl2-1.diff.gz
phpmyadmin_2.6.4-pl2-1.dsc
to pool/main/p/phpmyadmin/phpmyadmin_2.6.4-pl2-1.dsc
phpmyadmin_2.6.4-pl2-1_all.deb
to pool/main/p/phpmyadmin/phpmyadmin_2.6.4-pl2-1_all.deb
phpmyadmin_2.6.4-pl2.orig.tar.gz
to pool/main/p/phpmyadmin/phpmyadmin_2.6.4-pl2.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 333433@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Piotr Roszatycki <dexter@debian.org> (supplier of updated phpmyadmin package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Wed, 12 Oct 2005 15:07:42 +0200
Source: phpmyadmin
Binary: phpmyadmin
Architecture: source all
Version: 4:2.6.4-pl2-1
Distribution: unstable
Urgency: high
Maintainer: Piotr Roszatycki <dexter@debian.org>
Changed-By: Piotr Roszatycki <dexter@debian.org>
Description:
phpmyadmin - set of PHP-scripts to administrate MySQL over the WWW
Closes: 333433
Changes:
phpmyadmin (4:2.6.4-pl2-1) unstable; urgency=high
.
* New upstream release.
* Security fix: local file inclusion vulnerability.
See http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-4
Closes: #333433.
Files:
3f06d8d8ba0a27e6ae8153af42ddb612 646 web extra phpmyadmin_2.6.4-pl2-1.dsc
17339cb347ba57892d9895370fd399f1 2774954 web extra phpmyadmin_2.6.4-pl2.orig.tar.gz
6a0fbb3494e3a9bdf097fc324675c046 30592 web extra phpmyadmin_2.6.4-pl2-1.diff.gz
96d3042878a6f2f31cbb6cd6f998847a 2922550 web extra phpmyadmin_2.6.4-pl2-1_all.deb
Bug reopened, originator not changed. Request was from Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl> to control@bugs.debian.org.
Bug marked as found in version 4:2.6.2-3. Request was from Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl> to control@bugs.debian.org.
Bug marked as not found in version 4:2.6.4-pl2-1. Request was from Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl> to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Piotr Roszatycki <dexter@debian.org>: Bug#333433; Package phpmyadmin.
Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>: Extra info received and forwarded to list. Copy sent to Piotr Roszatycki <dexter@debian.org>.
Message #26 received at 333433@bugs.debian.org:
The CVE project has assigned the name CVE-2005-3299 to this
vulnerability. Please mention it in the changelog when uploading
fixed packages.
Bug marked as not found in version 4:2.6.2-3. Request was from Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl> to control@bugs.debian.org.
Bug marked as not found in version 4:2.6.4-pl2-1. Request was from Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl> to control@bugs.debian.org.
Reply sent to Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl>: You have taken responsibility.
Notification sent to Daniel Leidert <daniel.leidert.spam@gmx.net>: Bug acknowledged by developer.
Message #35 received at 333433-close@bugs.debian.org:
notfound 333433 4:2.6.2-3
notfound 333433 4:2.6.4-pl2-1
thanks
Sarge and Sid versions are unaffected.
--
.''`. Piotr Roszatycki, Netia SA
: :' : mailto:Piotr_Roszatycki@netia.net.pl
`. `' mailto:dexter@debian.org
`-
Changed Bug submitter from Daniel Leidert <daniel.leidert.spam@gmx.net> to Daniel Leidert <daniel.leidert@wgdd.de>. Request was from Daniel Leidert <daniel.leidert@wgdd.de> to control@bugs.debian.org. (Sat, 24 Mar 2007 23:52:22 GMT)
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 17 Jun 2007 23:52:09 GMT)
Last modified: Wed Jun 19 17:59:16 2019