Your message dated Tue, 18 Jul 2006 13:25:52 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Fixed in NMU of phpmyadmin 4:2.8.2-0.1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: phpmyadmin
Version: 4:2.8.1-1 4:2.6.2-3sarge1
Severity: serious
Tags: security patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
CVE-2006-3388: "Cross-site scripting (XSS) vulnerability in phpMyAdmin
before 2.8.2 allows remote attackers to inject arbitrary web script or
HTML via the table parameter."
This is PMASA-2006-4. The original advisory [1] is very low on details
and simply recommends upgrading to 2.8.2, but this issue appears to also
affect sarge. Judging from the changelog for 2.8.2 [2], I believe the
fix is in two commits to libraries/common.lib.php, r2.266.2.26 and
r2.266.2.27. The diff for those commits is [3].
Please mention the CVE in your changelog.
Thanks,
Alec
[1] http://www.securityfocus.com/archive/1/archive/1/438870/100/0/threaded
[2] http://phpmyadmin.cvs.sourceforge.net/phpmyadmin/phpMyAdmin/ChangeLog?view=markup&pathrev=RELEASE_2_8_2
[3] http://phpmyadmin.cvs.sourceforge.net/phpmyadmin/phpMyAdmin/libraries/common.lib.php?r1=2.266.2.27&r2=2.266.2.25&pathrev=RELEASE_2_8_2
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)
iD8DBQFEsvzsAud/2YgchcQRArP5AJ0Xw0bkKHu1yZqGT0R4uWIGjLSWtACfTo9/
PH5Kv7UUGtTNt+bIVHEFfhA=
=Lj2y
-----END PGP SIGNATURE-----
--- End Message ---
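The report above says only that the `table` parameter could carry script or HTML into the page. The following PHP is an added illustration of that class of bug and its fix; it is not phpMyAdmin's code and does not reproduce the r2.266.2.26/r2.266.2.27 change. The function names, the allow-list pattern and the sample input are all assumptions made for the example.

```php
<?php
// Added illustration (not phpMyAdmin code): a request parameter that is
// interpolated into HTML unchanged becomes markup; encoding it for the HTML
// context removes that. Function names are hypothetical.

/**
 * Vulnerable pattern: the value goes into the document as-is, so any tag
 * or attribute syntax in it is parsed by the browser.
 */
function render_table_heading_unsafe(string $table): string
{
    return '<h2>Table: ' . $table . '</h2>';
}

/**
 * Hardened pattern: encode for the HTML text context. ENT_QUOTES covers
 * both quote characters; the explicit charset avoids encoding ambiguity.
 */
function render_table_heading_safe(string $table): string
{
    return '<h2>Table: '
        . htmlspecialchars($table, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</h2>';
}

/**
 * Defence in depth: a table name is an identifier, so values outside a
 * conservative allow-list (assumed here: [A-Za-z0-9_], 1-64 chars) can be
 * rejected before they reach any output routine. Returns null on rejection.
 */
function validate_table_identifier(string $table): ?string
{
    return preg_match('/^[A-Za-z0-9_]{1,64}$/', $table) === 1 ? $table : null;
}

// Constructed sample input standing in for the request parameter. It
// contains harmless markup only so the difference between the two
// renderers is visible in the output.
$constructed = $_GET['table'] ?? 'users<b>injected</b>';

echo "unsafe: ", render_table_heading_unsafe($constructed), PHP_EOL;
echo "safe:   ", render_table_heading_safe($constructed), PHP_EOL;

$valid = validate_table_identifier($constructed);
echo "identifier check: ", $valid === null ? 'rejected' : 'accepted', PHP_EOL;
```

Run with `php example.php`: the "unsafe" line still contains the literal `<b>` tag, the "safe" line shows it as `&lt;b&gt;`, and the identifier check reports `rejected`. The encoding step is the actual fix for a reflected parameter; the allow-list is an additional layer that is only appropriate where, as with a table name, the legitimate value space really is that narrow.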
--- Begin Message ---
Version: 4:2.8.2-0.1
I've NMUed for this bug (fixing the bug to use versioning instead of the
"fixed" tag, to ease tracking through testing); here's the changelog:
> phpmyadmin (4:2.8.2-0.1) unstable; urgency=high
> .
> * Non-maintainer upload.
> * New upstream release.
> * Fixes cross-site-scripting issues. [CVE-2006-3388] (Closes: #377748)
/* Steinar */
--
Homepage: http://www.sesse.net/
--- End Message ---