Package: phpmyadmin / 4:4.6.6-4+deb9u1
Metadata
Package | Version | Patches format |
---|---|---|
phpmyadmin | 4:4.6.6-4+deb9u1 | 3.0 (quilt) |
Patch series
Patch | File delta | Description |
---|---|---|
Truncate only long passwords.patch | (download) |
libraries/common.inc.php |
2 1 + 1 - 0 ! |
[patch 1/1] truncate only long passwords This avoids problems with certain PHP versions returning false when first parameter to substr is ''. Signed-off-by: Michal Čihař <michal@cihar.com> |
debian.patch | (download) |
libraries/vendor_config.php |
18 11 + 7 - 0 ! |
adjust phpmyadmin vendor configuration to match debian needs - setup generates configuration in /var - documentation is in /usr/share/doc - config file consists of several included files, so we skip mtime check |
CVE 2018 7260.patch | (download) |
db_central_columns.php |
4 3 + 1 - 0 ! |
cross-site scripting (xss) vulnerability in db_central_columns.php in phpmyadmin before 4.7.8 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. Fixes CVE-2019-7260. This patch is based on upstream patch: https://github.com/phpmyadmin/phpmyadmin/commit/d2886a3e8745e8845633ae8a0054b5ee4d8babd5 |
CVE 2018 19968.patch | (download) |
libraries/DisplayResults.php |
37 19 + 18 - 0 ! |
remove transformation plugin includes Transformation plugins should be loaded by the autoloader. Fixes CVE-2018-19968. This patch is based on upstream patch: https://github.com/phpmyadmin/phpmyadmin/commit/6a1ba61e29002f0305a9322a8af4eaaeb11c0732 |
CVE 2018 19970.patch | (download) |
libraries/navigation/NavigationTree.php |
2 1 + 1 - 0 ! |
fix stored cross-site scripting (xss) in navigation tree Fixes CVE-2018-19970. This patch is based on upstream patch: https://github.com/phpmyadmin/phpmyadmin/commit/b293ff5f234ef493336ed8638f623a12164d359e |
CVE 2019 6798.patch | (download) |
libraries/db_designer.lib.php |
3 2 + 1 - 0 ! |
an issue was discovered in phpmyadmin before 4.8.5. a vulnerability was reported where a specially crafted username can be used to trigger a SQL injection attack through the designer feature. Fix CVE-2019-6798 https://www.phpmyadmin.net/security/PMASA-2019-2/ This patch is based on upstream patch: https://github.com/phpmyadmin/phpmyadmin/commit/469934cf7d3bd19a839eb78670590f7511399435 |
CVE 2019 6799.patch | (download) |
import.php |
5 5 + 0 - 0 ! |
fix information leak (arbitrary file read) using sql queries Fix CVE-2019-6799 https://www.phpmyadmin.net/security/PMASA-2019-1/ This patch is based on upstream patches: https://github.com/phpmyadmin/phpmyadmin/commit/c5e01f84ad48c5c626001cb92d7a95500920a900 https://github.com/phpmyadmin/phpmyadmin/commit/aeac90623e525057a7672ab3d98154b5c57c15ec Avoid regression in 'Table > Import > Load CSV with LOAD DATA' by backporting: https://github.com/phpmyadmin/phpmyadmin/commit/d02d61ada7c8e29753fd37440b511a1088efb060 Note: mitigated by /etc/phpmyadmin/apache.conf's open_basedir: - php5-mysql: open_basedir fully disables LOAD DATA LOCAL INFILE; - php5-mysqlnd: open_basedir is respected but some sensitive files remain accessible, notably '/etc/phpmyadmin/config-db.php'. Note: nothing to do with AllowArbitraryServer, works on local MySQL server as well. Note: https://bugs.php.net/bug.php?id=77496 applies to php5-mysqlnd but not php5-mysql. Also phpmyadmin 4.2.12 unconditionally enables LOCAL DATA LOCAL INFILE. |
CVE 2019 11768.patch | (download) |
js/pmd/move.js |
2 1 + 1 - 0 ! |
a vulnerability was reported where a specially crafted database name can be used to trigger an SQL injection attack through the designer feature. Fix CVE-2019-11768 This patch is based on upstream patches: https://github.com/phpmyadmin/phpmyadmin/commit/c1ecafc38319e8f768c9259d4d580e42acd5ee86 |
CVE 2019 12616.patch | (download) |
libraries/common.inc.php |
4 2 + 2 - 0 ! |
a vulnerability was found that allows an attacker to trigger a csrf attack against a phpmyadmin user. the attacker can trick the user, for instance through a broken <img> tag pointing at the victim's phpmyadmin database, and the attacker can potentially deliver a payload (such as a specific insert or delete statement) through the victim. This patch is based on upstream patch: https://github.com/phpmyadmin/phpmyadmin/commit/015c404038c44279d95b6430ee5a0dddc97691ec |
CVE 2020 5504.patch | (download) |
libraries/server_privileges.lib.php |
2 1 + 1 - 0 ! |
patch for pmasa-2020-1, cve-2020-5504 Fix CVE-2020-5504 |
CVE 2020 10802.patch | (download) |
libraries/controllers/table/TableSearchController.php |
4 2 + 2 - 0 ! |
patch for pmasa-2020-3, cve-2020-10802 Fix CVE-2020-10802 Bug-Upstream: https://www.phpmyadmin.net/security/PMASA-2020-3/ |
fix tests for CVE 2019 12616.patch | (download) |
test/classes/plugin/auth/AuthenticationCookieTest.php |
6 3 + 3 - 0 ! |
fix tests for cve-2019-12616 |
CVE 2020 10803.patch | (download) |
libraries/DisplayResults.php |
2 2 + 0 - 0 ! |
patch for pmasa-2020-4, cve-2020-10803 Fix CVE-2020-10803 Bug-Upstream: https://www.phpmyadmin.net/security/PMASA-2020-4/ |
add functions for CVE 2020 10803.patch | (download) |
libraries/Util.php |
30 30 + 0 - 0 ! |
implement signsqlquery and checksqlquerysignature for pmasa-2020-4 Bug-Upstream: https://www.phpmyadmin.net/security/PMASA-2020-4/ |
fix tests for CVE 2020 10803.patch | (download) |
test/classes/DisplayResultsTest.php |
27 9 + 18 - 0 ! |
patch for pmasa-2020-4, cve-2020-10803 Fix CVE-2020-10803 Bug-Upstream: https://www.phpmyadmin.net/security/PMASA-2020-4/ |
CVE 2020 10804.patch | (download) |
libraries/server_privileges.lib.php |
22 14 + 8 - 0 ! |
patch for pmasa-2020-2, cve-2020-10804 Fix CVE-2020-10804 Bug-Upstream: https://www.phpmyadmin.net/security/PMASA-2020-2/ |