Hi, I've continued my work to sift through phpMyAdmin issues to see what applies to sarge and what needs to be fixed, here's another round.
CVE-2006-5116: Multiple cross-site request forgeries.
CVE-2006-3388: PMASA-2006-4: 377748: Cross site scripting.

This deals with refinements to the cross-site request forgery countering infrastructure that has been introduced in 2.8.x. We don't have that infrastructure in sarge and, if I recall correctly, there was agreement that backporting pervasive changes for this goal was not feasible. Especially since the whole concept of XSRF, and whether it's resolvable through phpMyAdmin's method or in general, is doubtful in nature if you ask me. I propose to leave these two alone for sarge.

CVE-2006-5117: Libraries under web root.

I cannot find much detail about this, but upstream CVS indicates that the solution is tightening a .htaccess file in that dir. From reading advisories, I get no more exploitability than "path disclosure", which is of course moot in Debian. I propose to leave this item for sarge.

(a fixed package will follow for the other issues)

Thijs