-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 24 Apr 2008 20:00:49 +0200
Source: phpmyadmin
Binary: phpmyadmin
Architecture: source all
Version: 4:2.9.1.1-7
Distribution: stable-security
Urgency: high
Maintainer: Thijs Kinkhorst <thijs@debian.org>
Changed-By: Thijs Kinkhorst <thijs@debian.org>
Description:
 phpmyadmin - Administrate MySQL over the WWW
Changes:
 phpmyadmin (4:2.9.1.1-7) stable-security; urgency=high
 .
   * Update for etch to address a security issue.
   * Attackers with CREATE table permissions were allowed to read arbitrary
     files via a crafted HTTP POST request, related to use of an undefined
     UploadDir variable. [PMASA-2008-3, CVE-2008-1924]
   * Stores the MySQL (1) username and (2) password, and the (3) Blowfish
     secret key, in cleartext in a Session file under /tmp, which allows
     local users to obtain sensitive information. [PMASA-2008-2, CVE-2008-1567]
   * phpMyAdmin accesses $_REQUEST to obtain some parameters instead of
     $_GET and $_POST, which allows attackers in the same domain to override
     certain variables and conduct SQL injection and Cross Site Request
     Forgery (CSRF) attacks by using crafted cookies.
     [PMASA-2008-1, CVE-2008-1149]
Files:
 77cb879dd53d50993ed441020edc83f1 1011 web extra phpmyadmin_2.9.1.1-7.dsc
 74178c3262500623fc8dfc1446539c91 50986 web extra phpmyadmin_2.9.1.1-7.diff.gz
 b10e8b52f3b9941d383dff78e545e322 3606694 web extra phpmyadmin_2.9.1.1-7_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

-----END PGP SIGNATURE-----


Accepted:
phpmyadmin_2.9.1.1-7.diff.gz
  to pool/main/p/phpmyadmin/phpmyadmin_2.9.1.1-7.diff.gz
phpmyadmin_2.9.1.1-7.dsc
  to pool/main/p/phpmyadmin/phpmyadmin_2.9.1.1-7.dsc
phpmyadmin_2.9.1.1-7_all.deb
  to pool/main/p/phpmyadmin/phpmyadmin_2.9.1.1-7_all.deb