Your message dated Thu, 30 Dec 2010 17:02:47 +0000
with message-id <e1pyltn-0001df...@franck.debian.org>
and subject line Bug#608290: fixed in phpmyadmin 4:3.3.7-3
has caused the Debian Bug report #608290,
regarding CVE-2010-4480 CVE-2010-4481
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
608290: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608290
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: phpmyadmin
Severity: serious
Tags: security


Hi,
the following CVE (Common Vulnerabilities & Exposures) ids were
published for phpmyadmin.

CVE-2010-4480[0]:
| error.php in PhpMyAdmin 3.3.8.1, and other versions before
| 3.4.0-beta1, allows remote attackers to conduct cross-site scripting
| (XSS) attacks via a crafted BBcode tag containing "@" characters, as
| demonstrated using "[...@url@page]".

CVE-2010-4481[1]:
| phpMyAdmin before 3.4.0-beta1 allows remote attackers to bypass
| authentication and obtain sensitive information via a direct request
| to phpinfo.php, which calls the phpinfo function.

If you fix the vulnerabilities please also make sure to include the
CVE ids in your changelog entry.

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4480
    http://security-tracker.debian.org/tracker/CVE-2010-4480
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4481
    http://security-tracker.debian.org/tracker/CVE-2010-4481





--- End Message ---
--- Begin Message ---
Source: phpmyadmin
Source-Version: 4:3.3.7-3

We believe that the bug you reported is fixed in the latest version of
phpmyadmin, which is due to be installed in the Debian FTP archive:

phpmyadmin_3.3.7-3.debian.tar.gz
  to main/p/phpmyadmin/phpmyadmin_3.3.7-3.debian.tar.gz
phpmyadmin_3.3.7-3.dsc
  to main/p/phpmyadmin/phpmyadmin_3.3.7-3.dsc
phpmyadmin_3.3.7-3_all.deb
  to main/p/phpmyadmin/phpmyadmin_3.3.7-3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 608...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thijs Kinkhorst <th...@debian.org> (supplier of updated phpmyadmin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


Format: 1.8
Date: Thu, 30 Dec 2010 17:48:08 +0100
Source: phpmyadmin
Binary: phpmyadmin
Architecture: source all
Version: 4:3.3.7-3
Distribution: unstable
Urgency: high
Maintainer: Thijs Kinkhorst <th...@debian.org>
Changed-By: Thijs Kinkhorst <th...@debian.org>
Description: 
 phpmyadmin - MySQL web administration tool
Closes: 608290
Changes: 
 phpmyadmin (4:3.3.7-3) unstable; urgency=high
 .
   * Address two security issues (Closes: #608290):
   - It was possible to display arbitrary text and link to external site
     using parameters passed to particular script
     (CVE-2010-4480, PMASA-2010-9).
   - Phpinfo could be visible to not logged in users if this feature was
     enabled (minor issue; CVE-2010-4481, PMASA-2010-10).




--- End Message ---
