Your message dated Mon, 6 Jul 2009 23:02:46 +0200
with message-id <200907062302.47824.th...@debian.org>
and subject line Re: Bug#535890: phpmyadmin: remote code injection via xss 
vulnerability
has caused the Debian Bug report #535890,
regarding phpmyadmin: remote code injection via xss vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
535890: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=535890
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: phpmyadmin
Version: 4:2.9.1.1-10
Severity: serious
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for phpmyadmin.

CVE-2009-2284[0]:
| Cross-site scripting (XSS) vulnerability in phpMyAdmin before 3.2.0.1
| allows remote attackers to inject arbitrary web script or HTML via a
| crafted SQL bookmark.

This is fixed in unstable.  Please coordinate with the security team to
prepare updates for the stable releases.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2284
    http://security-tracker.debian.net/tracker/CVE-2009-2284



--- End Message ---
--- Begin Message ---
On Sunday 5 July 2009, Michael S. Gilbert wrote:
> the following CVE (Common Vulnerabilities & Exposures) id was
> published for phpmyadmin.
>
> CVE-2009-2284[0]:
> | Cross-site scripting (XSS) vulnerability in phpMyAdmin before 3.2.0.1
> | allows remote attackers to inject arbitrary web script or HTML via a
> | crafted SQL bookmark.
>
> This is fixed in unstable.  Please coordinate with the security team to
> prepare updates for the stable releases.

Thanks. Code review and testing show that this bug was in code that was
introduced in the 3.x series, so oldstable and stable are not affected by
this. This bug can hence be closed.


cheers,
Thijs


--- End Message ---