close 360726 4:2.6.2-3sarge1
thanks

Hello All,
I've checked out all open CVEs with respect to sarge. All are already fixed in sid. I've prepared a package that fixes the ones that are relevant. See the breakdown here:

> CVE-2005-3621 CRLF injection vulnerability in phpMyAdmin before 2.6.4-pl4
> allows ...

Vulnerable, fixed in update.

> CVE-2005-3665 Multiple cross-site scripting (XSS) vulnerabilities in
> phpMyAdmin ...

Vulnerable, fixed in update.

> CVE-2005-3787 Multiple cross-site scripting (XSS) vulnerabilities in
> phpMyAdmin ...

This was all already fixed in 4:2.6.2-3sarge1.

> CVE-2006-1258 Cross-site scripting (XSS) vulnerability in phpMyAdmin
> 2.8.0.1 allows ...

Code not present in sarge; can be marked as not vulnerable.

> CVE-2006-1678 Multiple cross-site scripting (XSS) vulnerabilities in
> phpMyAdmin ...

Vulnerable, fixed in update.

> CVE-2006-1803 Cross-site scripting (XSS) vulnerability in sql.php in
> phpMyAdmin ...

Cannot reproduce, and it is suggested to be a false duplicate of CVE-2006-1804. I'm considering this one to be not vulnerable in sarge.

> CVE-2006-1804 XSRF SQL injection vulnerability in sql.php in phpMyAdmin
> 2.7.0-pl1 allows ...

Our sarge version doesn't have the whole XSRF-countering mechanism, so this requires major code overhauls to address. XSRF is very common in webapps and not easily fixed; it's doubtful if it's at all fixable.

> CVE-2006-2031 Cross-site scripting (XSS) vulnerability in index.php in
> phpMyAdmin ...

Not vulnerable, code not present in sarge.

> CVE-2006-2417 Cross-site scripting (XSS) vulnerability in phpMyAdmin
> 2.8.0.x before ...

Not vulnerable, code not present in sarge.

> CVE-2006-2418 Cross-site scripting (XSS) vulnerabilities in certain
> versions of ...

Vulnerable, fixed in update.

> CVE-2006-3388 Cross-site scripting (XSS) vulnerability in phpMyAdmin before
> 2.8.2 ...

Not vulnerable, code not present in sarge.
I've prepared an updated package; it can be found here:

http://www.a-eskwadraat.nl/~kink/debian/

Please let me know if it's ok and I'll upload it to the security archive.

Thijs
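For readers unfamiliar with what the "XSRF-countering mechanism" referred to above looks like, here is an added illustration in PHP of a per-session anti-XSRF token check. It is example code written for this page, not phpMyAdmin's own code and not a patch for the sarge package. It assumes PHP 7.0 or later (for random_bytes() and the ?? operator); run_query() is a hypothetical stand-in for executing a statement against MySQL, and the form field names are made up for the example.

```php
<?php
// Added example, not phpMyAdmin code. Assumes PHP >= 7.0.
// Shows the anti-XSRF token pattern that a pre-2.7 tree lacks: a
// state-changing request (here: running an SQL statement) is only honoured
// when it arrives by POST and carries a secret token bound to the session.

session_start();

function xsrf_token(): string
{
    // One token per session: 16 bytes from the CSPRNG, hex-encoded.
    if (empty($_SESSION['xsrf_token'])) {
        $_SESSION['xsrf_token'] = bin2hex(random_bytes(16));
    }
    return $_SESSION['xsrf_token'];
}

function xsrf_check(array $request): bool
{
    // Fail closed if either side is missing; compare in constant time.
    $expected = $_SESSION['xsrf_token'] ?? '';
    $given    = $request['token'] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given);
}

function run_query(string $sql): void
{
    // Hypothetical stand-in for executing the statement; only echoes here.
    echo "would execute: " . htmlspecialchars($sql, ENT_QUOTES, 'UTF-8') . "\n";
}

// Vulnerable pattern (the class of issue an "XSRF SQL injection" entry
// describes): whatever arrives in sql_query is executed, so a link or a
// hidden auto-submitting form on an attacker's page runs SQL with the
// privileges of the administrator who happens to be logged in.
//
//     run_query($_REQUEST['sql_query']);

// Hardened pattern: require POST plus a matching session token. The token
// is only ever rendered into the form by this origin, so a third-party page
// cannot know it and its forged request is rejected with 403.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!xsrf_check($_POST)) {
        http_response_code(403);
        exit("token mismatch\n");
    }
    run_query((string) ($_POST['sql_query'] ?? ''));
} else {
    $t = htmlspecialchars(xsrf_token(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post" action="">' . "\n";
    echo '  <input type="hidden" name="token" value="' . $t . '">' . "\n";
    echo '  <textarea name="sql_query"></textarea>' . "\n";
    echo '  <input type="submit" value="Go">' . "\n";
    echo "</form>\n";
}
```

The point the mail makes is visible in the example: the check itself is a few lines, but every page that performs a state-changing action has to stop accepting it via GET, render the token into its forms and links, and verify it on arrival, which is why retrofitting it across an older code base is a large change rather than a one-file fix. A Referer check is not a substitute, since browsers and proxies routinely strip that header.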