Package: phpmyadmin
Version: 4:2.8.1-1 4:2.6.2-3sarge1
Severity: serious
Tags: security patch

CVE-2006-3388: "Cross-site scripting (XSS) vulnerability in phpMyAdmin before 2.8.2 allows remote attackers to inject arbitrary web script or HTML via the table parameter."

This is PMASA-2006-4. The original advisory [1] is very low on details and simply recommends upgrading to 2.8.2, but this issue appears to also affect sarge.

Judging from the changelog for 2.8.2 [2], I believe the fix is in two commits to libraries/common.lib.php, r2.266.2.26 and r2.266.2.27. The diff for those commits is [3].

Please mention the CVE in your changelog.

Thanks,
Alec

[1] http://www.securityfocus.com/archive/1/archive/1/438870/100/0/threaded
[2] http://phpmyadmin.cvs.sourceforge.net/phpmyadmin/phpMyAdmin/ChangeLog?view=markup&pathrev=RELEASE_2_8_2
[3] http://phpmyadmin.cvs.sourceforge.net/phpmyadmin/phpMyAdmin/libraries/common.lib.php?r1=2.266.2.27&r2=2.266.2.25&pathrev=RELEASE_2_8_2