Please sync phpmyadmin 4:2.11.6-1 (universe) from Debian unstable (main).

Bug #227261 reported by Emanuele Gentili
14
Affects Status Importance Assigned to Milestone
phpmyadmin (Ubuntu)
Wishlist
Unassigned

Bug Description

Binary package hint: phpmyadmin

Please sync phpmyadmin 4:2.11.6-1 (universe) from Debian unstable (main).

Explanation of the Ubuntu delta and why it can be dropped:

Debian sync to Ubuntu

Changelog since current intrepid version 4:2.11.3-1ubuntu1:

phpmyadmin (4:2.9.1.1-7) stable-security; urgency=high

  * Update for etch to address a security issue.
  * Attackers with CREATE table permissions were allowed to read arbitrary
    files via a crafted HTTP POST request, related to use of an undefined
    UploadDir variable. [PMASA-2008-3, CVE-2008-1924]
  * Stores the MySQL (1) username and (2) password, and the (3) Blowfish
    secret key, in cleartext in a Session file under /tmp, which allows
    local users to obtain sensitive information.
    [PMASA-2008-2, CVE-2008-1567]
  * phpMyAdmin accesses $_REQUEST to obtain some parameters instead of
    $_GET and $_POST, which allows attackers in the same domain to
    override certain variables and conduct SQL injection and Cross Site
    Request Forgery (CSRF) attacks by using crafed cookies.
    [PMASA-2008-1, CVE-2008-1149]

 -- Thijs Kinkhorst <email address hidden> Thu, 24 Apr 2008 20:00:49 +0200

phpmyadmin (4:2.9.1.1-6) stable-security; urgency=high

  * Update for etch to address a security issue.
  * Cross-site scripting (XSS) vulnerability in scripts/setup.php in
    phpMyAdmin 2.11.1, when accessed by a browser that does not
    URL-encode requests, allows remote attackers to inject arbitrary
    web script or HTML via the query string.
    (CVE-2007-5386, PMASA-2007-5, closes: #446451)

 -- Thijs Kinkhorst <email address hidden> Wed, 7 Nov 2007 14:41:34 +0100

phpmyadmin (4:2.9.1.1-5) stable-security; urgency=high

  * Update for etch to address a security issue.
  * Muliple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before
    2.11.1.2 allow remote attackers to inject arbitrary web script or HTML via
    certain input available in (1) PHP_SELF in (a) server_status.php, and (b)
    grab_globals.lib.php, (c) display_change_password.lib.php, and (d)
    common.lib.php in libraries/; and certain input available in PHP_SELF and
    (2) PATH_INFO in libraries/common.inc.php.
    (CVE-2007-5589, PMASA-2007-6)

 -- Thijs Kinkhorst <email address hidden> Wed, 7 Nov 2007 13:30:08 +0100

phpmyadmin (4:2.9.1.1-4) stable-security; urgency=high

  * Update for etch to address security issues.
  * Incomplete blacklist vulnerability in index.php in
    phpMyAdmin 2.8.0 through 2.9.2 allows remote attackers to conduct
    cross-site scripting (XSS) attacks by injecting arbitrary JavaScript or
    HTML in a (1) db or (2) table parameter value followed by an uppercase
    </SCRIPT> end tag, which bypasses the protection against lowercase
    </script>. [CVE-2007-1395]
  * Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin before
    2.10.1.0 allow remote attackers to inject arbitrary web script or HTML
    via (1) the fieldkey parameter to browse_foreigners.php or (2) certain
    input to the PMA_sanitize function. [CVE-2007-2245]
  * Add fix/workaround for deep array recursion, which may cause PHP to
    crash the webserver. [CVE-2007-1325]

 -- Thijs Kinkhorst <email address hidden> Tue, 28 Aug 2007 22:31:30 +0200

phpmyadmin (4:2.9.1.1-3) unstable; urgency=medium

  * Added Galician debconf translation by Jacobo Tarrio (Closes: #412195).
  * Actually install config.default.php example file (Closes: #412655).
  * Add XS-Vcs-* fields to debian/control.

 -- Thijs Kinkhorst <email address hidden> Wed, 28 Feb 2007 01:07:56 +0100

phpmyadmin (4:2.9.1.1-2) unstable; urgency=high

  * Backport security-related changes from 2.9.2-rc1:
  * CVE-2007-0203: Multiple unspecified vulnerabilities;
    this turns out to be (1) cross site scripting and
    (2) the same as CVE-2006-6374. (Closes: #406332, #406486)
  * CVE-2006-6374: the vulnerability only applies to
    PHP < 5.1.2 and < 4.4.2, so strictly speaking current
    Debian is not vulnerable. Include it anyway, to not expose
    those using older PHP versions. (Closes: #404744)

 -- Thijs Kinkhorst <email address hidden> Fri, 12 Jan 2007 15:29:28 +0100

phpmyadmin (4:2.9.1.1-1) unstable; urgency=high

  * New upstream release.
    - Addresses several security issues (Closes: #399329).

  * In Depends, explicitly prefer the apache2/apache PHP module, to make
    sure the correct one is selected upon installation.
  * Drop 100-dutch_fixtypo.patch, integrated upstream.

  * Add note to default config file about adding sensitive data
    to that file (Closes: #321529).
  * Update README.Debian with information about register_globals.

 -- Thijs Kinkhorst <email address hidden> Wed, 22 Nov 2006 22:24:02 +0100

phpmyadmin (4:2.9.0.3-1) unstable; urgency=medium

  * New upstream bugfix release.
    - Includes a fix for a XSS security issue.
      (PMASA-2006-6, CVE-2006-5718, Closes: #396638)

  * 100-dutch_fixtypo.patch: Add patch to fix typo in Dutch
    translation which also caused a layout problem in the login
    screen.
  * 021-config.inc.php_no_check_mtime.patch: Add patch to Config
    class to disable checking for the mtime of config.inc.php.
    Since we include other files from it, those will otherwise
    never be read (Closes: #392022).
  * Add depends on perl since it's used in the maintainer scripts.
  * Update shipped htaccess to make it compatible with Apache 2.2
    (Closes: #396560).

  * Updated translations:
    - Bokmål by Bjørn Steensrud.
    - Basque by Piarres Beobide.
    - Dutch by self.
    - Danish by Claus Hindsgaul (Closes: #393871).
    - Japanese by Hideki Yamane (Closes: #396548).

 -- Thijs Kinkhorst <email address hidden> Thu, 2 Nov 2006 15:45:29 +0100

phpmyadmin (4:2.9.0.2-1) unstable; urgency=low

  * New maintainer, thanks Piotr for your previous work!
  * Acknowledge NMU's, thanks Steinar! (Closes: #378681)
  * Fix typo in debconf templates and unfuzzy that.
  * Tweak package description.

 -- Thijs Kinkhorst <email address hidden> Wed, 11 Oct 2006 14:46:37 +0200

phpmyadmin (4:2.9.0.2-0.1) unstable; urgency=high

  * Non-maintainer upload with maintainer consent.
  * Upgrade to latest upstream version to battle cross-site
    request forgery (PMASA-2006-5, CVE-2006-5116, CVE-2006-5117,
    closes: 391090).
  * New upstream also fixes broken database export functionality
    (closes: 374918) and database/table copy (closes: 390484).
  * Update translations:
    - Danish by Claus Hindsgaul (Closes: 357972).
    - Italian by Luca Monducci (Closes: 382139).
    - Spanish by Nacho Barrientos Arias (Closes: 385365).

 -- Thijs Kinkhorst <email address hidden> Tue, 10 Oct 2006 20:56:25 +0200

phpmyadmin (4:2.8.2-0.2) unstable; urgency=medium

  * Non-maintainer upload.
  * Fix issue with /var/www pointing to /usr/share/phpmyadmin.
    (Closes: #385889)
    * Make sure we install /var/www as a directory, since we make a symlink into
      it and we can't rely on it being there.
    * Explicitly link to /var/www/phpmyadmin instead of /var/www, to make sure
      we don't make a new /var/www even if it should be removed for some
      reason.

 -- Steinar H. Gunderson <email address hidden> Mon, 11 Sep 2006 00:14:54 +0200

phpmyadmin (4:2.8.2-0.1) unstable; urgency=high

  * Non-maintainer upload.
  * New upstream release.
    * Fixes cross-site-scripting issues. [CVE-2006-3388] (Closes: #377748)

 -- Steinar H. Gunderson <email address hidden> Tue, 18 Jul 2006 12:52:19 +0200

phpmyadmin (4:2.8.1-1) unstable; urgency=medium

  * New upstream release. Closes: #373204.
    - The French translation is correct. Closes: #362154.
    - Generates correct dumps with UPDATE syntax. Closes: #364702.
  * Security fix: XSRF vulnerability.
    See: http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-3
    See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1804
    [CVE-2006-1803, CVE-2006-1804]
  * Security fix: XSS vulnerabilities. It was not a problem for Debian with
    the default settings.
    See: http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-2
    See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2031
    [CVE-2006-2031, CVE-2006-2417, CVE-2006-2418]
    Closes: #363519, #368082.
  * Updated Portuguese debconf templates translation, thanks Miguel Figueiredo.
    Closes: #363597.
  * Updated Russian debconf templates translation, thanks Yuriy Talakan.
    Closes: #367146.
  * Convert non-ISO-8859-1 debconf templates translation to UTF-8.

 -- Piotr Roszatycki <email address hidden> Sun, 25 Jun 2006 18:10:23 +0200

phpmyadmin (4:2.8.0.3-1) unstable; urgency=medium

  * New upstream release.
  * Security fix: XSS vulnerability (calling directly css files under themes)
    See: http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-1
    See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1678
    Closes: #362567.

 -- Piotr Roszatycki <email address hidden> Fri, 14 Apr 2006 14:47:28 +0200

phpmyadmin (4:2.8.0.2-4) unstable; urgency=low

  * Fixed typos in debconf template. Closes: #360059.
  * Updated Czech debconf templates translation, thanks Miroslav Kure.
    Closes: #359757.
  * Updated German debconf templates translation, thanks Daniel Knabl.
    Closes: #359752.
  * Updated Swedish debconf templates translation, thanks Daniel Nylander.
  * Updated Vietnamese debconf templates translation, thanks Clytie Siddall.

 -- Piotr Roszatycki <email address hidden> Fri, 31 Mar 2006 14:54:00 +0200

phpmyadmin (4:2.8.0.2-3) unstable; urgency=low

  * Add missing javascript files. Closes: #357743, #357579.
  * Updated Brazilian Portuguese debconf templates translation, thanks Andre
    Luis Lopes. Closes: #357840.

 -- Piotr Roszatycki <email address hidden> Mon, 20 Mar 2006 11:06:09 +0100

phpmyadmin (4:2.8.0.2-2) unstable; urgency=low

  * Do not use 822-date command in postinst script. Close: #357605.

 -- Piotr Roszatycki <email address hidden> Sat, 18 Mar 2006 15:02:47 +0100

phpmyadmin (4:2.8.0.2-1) unstable; urgency=low

  * New upstream release. Closes: #356013, #355931.
    - Can work if DocumentRoot is set to phpMyAdmin's directory.
      Closes: #352403, #349497.
    - pma_* features work with PersistentConnection mode. Closes: #348489.
    - Export of table works if __TABLE__ macro is used. Closes: #217364.
    - Can navigate back to user after changing privileges on database.
      Closes: #338758.
    - Fixes XSS [CVE-2006-1258]
  * Reedited package description.
  * Tweaked dependencies. Prefer php5-cgi package and does not depend on
    apache2, because the PHP can be started as FastCGI standalone server.
    Closes: #340286, #307441.
  * This release provides http://localhost/phpmyadmin/scripts/setup.php setup
    script. This script requires authorization by default.
  * Generate longer blowfish secret on install.
  * Create symlink /var/www/phpmyadmin only at first install.

 -- Piotr Roszatycki <email address hidden> Fri, 17 Mar 2006 10:56:43 +0100

phpmyadmin (4:2.7.0-pl2-1) unstable; urgency=low

  * New upstream release. Closes: #342203.
  * Tweak the dependencies and prefer PHP5 with Apache2.
  * Support cgid.so module for threaded Apache2.
  * Removed all Debian specific patches.
  * Portuguese debconf templates translation, thanks Miguel Figueiredo.
    Closes: #336444.

 -- Piotr Roszatycki <email address hidden> Wed, 4 Jan 2006 15:34:36 +0100

phpmyadmin (4:2.6.4-pl4-2) unstable; urgency=high

  * Security fix: Cross-site scripting by trusting potentially user-supplied
    input.
    See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3665
    New 200-CVE-2005-3665.patch. Closes: #340438.

 -- Piotr Roszatycki <email address hidden> Wed, 23 Nov 2005 14:31:15 +0100

phpmyadmin (4:2.6.4-pl4-1) unstable; urgency=high

  * New upstream release.
  * Security fix: HTTP Response Splitting vulnerability.
    See: http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-6
    See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3621
    Closes: #339437.
  * New 105-bug_debian_324318.patch:
    - Always set the default configuration values, even if the config.inc.php
      file seems to be up to date. This fix allows to utilise more than three
      databases. Closes: #324318.

 -- Piotr Roszatycki <email address hidden> Wed, 16 Nov 2005 13:10:14 +0100

phpmyadmin (4:2.6.4-pl3-1) unstable; urgency=high

  * New upstream release.
  * Security fix: (1) Local file inclusion vulnerability and (2) Cross-Site
    Scripting vulnerability.
    See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3300
    See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3301
    Closes: #335306, #335513.
  * Assigned CVE number for 4:2.6.4-pl2-1 bug fix.

 -- Piotr Roszatycki <email address hidden> Mon, 24 Oct 2005 20:14:08 +0200

phpmyadmin (4:2.6.4-pl2-1) unstable; urgency=high

  * New upstream release.
  * Security fix: local file inclusion vulnerability.
    See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3299
    Closes: #333433.

 -- Piotr Roszatycki <email address hidden> Wed, 12 Oct 2005 15:07:42 +0200

phpmyadmin (4:2.6.4-pl1-2) unstable; urgency=low

  * Rebuilt with new YADA. Depends: debconf (>= 0.2.26) | debconf-2.0
  * Swedish debconf templates translation, thanks Daniel Nylander.
    Closes: #330645.

 -- Piotr Roszatycki <email address hidden> Tue, 4 Oct 2005 13:01:25 +0200

phpmyadmin (4:2.6.4-pl1-1) unstable; urgency=medium

  * New upstream release.
  * Security fix: Two Cross-Site Scripting vulnerabilities.
    See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2869
    Closes: #327345.
  * Append the Debian package revision number to the upstream version number.
    Marks that this phpMyAdmin package has additional Debian modifications so
    the bugreports won't confuse phpMyAdmin's coders.
  * Create minimal /usr/share/phpmyadmin/config.inc.php file with proper
    comment. Closes: #321270.
  * Reintroduced /etc/phpmyadmin/apache.conf. Closes: #307181, #308460,
    #312611, #312668.
  * Removed all Debian patches as are obsoleted now.
  * Depends: apache2 | httpd
  * Recommends: php4-mcrypt | php5-mcrypt. Closes: #321259.
  * Arabic debconf templates translation. Closes: #320773.
  * Vietnamese debconf templates translation. Closes: #316841.
  * Updated Brazilian Portuguese debconf templates translation. Closes: #310875.
  * Updated German debconf templates translation. Closes: #326141.
  * New yada fixes postrm script fail when ucf is missing. Closes: #322139.

 -- Piotr Roszatycki <email address hidden> Fri, 16 Sep 2005 16:21:21 +0200

phpmyadmin (4:2.6.2-3) unstable; urgency=high

  * Fix apache2.conf only for 4:2.6.2-1 release. Closes: #307901 (critical),
    #307275 (critical), #304786 (critical).
  * Clean up old 'Include /etc/phpmyadmin/apache.conf' from httpd.conf in safe
    way.
  * Removed old code which modified httpd.conf if 'Include /etc/apache/conf.d'
    was missing.
  * Note for release manager: cleaning up config.inc.php doesn't change the
    application logic. The autoloading of the PHP extensions is already
    implemented in the upstream's code.

 -- Piotr Roszatycki <email address hidden> Sat, 7 May 2005 14:49:49 +0200

phpmyadmin (4:2.6.2-2) unstable; urgency=high

  * Doesn't modify apache2.conf. Try to revert the changes.
    Closes: #307275 (critical).
  * Remove obsoleted conffiles and symlinks on purge. Closes: #307415.
  * The default behaviour is not to autoconfigurate webservers.
  * Doesn't load the PHP extensions automatically in config.inc.php script.

 -- Piotr Roszatycki <email address hidden> Thu, 5 May 2005 11:40:46 +0200

phpmyadmin (4:2.6.2-1) unstable; urgency=low

  * New upstream release
  * NEWS and README.Debian file are documented about problem with logging
    in with cookie based authentication.
  * Removed suPHP directive from apache.conf file. Closes: #304018.
  * Configuration in .htaccess doesn't override global access settings.
    Closes: #303535.
  * Updated Brazilian Portuguese debconf templates translation.
    Closes: #304566.
  * Apache configuration is installed separately, not through symlinks.
  * Convert httpd.conf and apache.conf. They have to contain
    "Include /etc/apache2/conf.d/*.conf" directive.

 -- Piotr Roszatycki <email address hidden> Tue, 19 Apr 2005 11:51:21 +0200

phpmyadmin (3:2.6.2-rc1-1) unstable; urgency=high

  * New upstream release.
  * Security fix: Cross-Site Scripting vulnerability.
    See http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-3
    Closes: #303142.
  * Don't enable PHP if mod_fcgid is loaded in Apache 2.x.

 -- Piotr Roszatycki <email address hidden> Tue, 5 Apr 2005 15:17:25 +0200

phpmyadmin (3:2.6.1-pl3-2) unstable; urgency=high

  * Fixed the bug in postinst introduced in last upload. Closes: #299034.

 -- Piotr Roszatycki <email address hidden> Fri, 11 Mar 2005 11:14:05 +0100

phpmyadmin (3:2.6.1-pl3-1) unstable; urgency=high

  * New upstream release.
  * Fixed annoying bug that a user called 'xx@%' could be created but
    not removed. Closes: #208539.
  * Fixed critical bug introduced by php4 compiled with ZTS option. Added
    003-dl_with_zts.patch. Closes: #297725.
  * Renamed debian/patches/*.diff to *.patch.
  * Depends also on php5-fcgi.

 -- Piotr Roszatycki <email address hidden> Mon, 7 Mar 2005 12:21:00 +0100

phpmyadmin (3:2.6.1-pl2-2) unstable; urgency=low

  * Fixed converting /etc/apache/conf.d/phpmyadmin to phpmyadmin.conf at
    upgrade time.

 -- Piotr Roszatycki <email address hidden> Wed, 2 Mar 2005 20:30:29 +0100

phpmyadmin (3:2.6.1-pl2-1) unstable; urgency=high

  * New upsteam release.
  * Security fix: A variable injection vulnerability was found in phpMyAdmin,
    that may allow an attacker to conduct Cross-site scripting (XSS) attacks
    and / or perform remote file inclusion.
    See http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-1
    Closes: #296845.
  * Switched off register_globals in .htaccess.
  * Does not recommend versioned apache, as far as it works wrongly with
    aptitude. Closes: #295786.

 -- Piotr Roszatycki <email address hidden> Sat, 26 Feb 2005 17:39:31 +0100

phpmyadmin (3:2.6.1-1) unstable; urgency=low

  * New upstream release.
  * Czech debconf templates translation. Closes: #293611.
  * Woody backward compatibility. See bug 1117907 on Sourceforge.

 -- Piotr Roszatycki <email address hidden> Mon, 7 Feb 2005 15:20:09 +0100

phpmyadmin (2:2.6.1-rc2-2) unstable; urgency=low

  * Configuration for suPHP can't be in .htaccess. Closes: #287897.

 -- Piotr Roszatycki <email address hidden> Tue, 18 Jan 2005 19:13:12 +0100

phpmyadmin (2:2.6.1-rc2-1) unstable; urgency=low

  * New upstream release.
  * Rename the symlink /etc/$APACHE/conf.d and add .conf suffix.
    Closes: #286100.
  * Disable suPHP for security reasons. Closes: #287897.
  * Use /cgi-bin/php if CGI mode is used.
  * Depends on php4 | php4-cgi | php5 | php5-cgi.
  * Modified Description field to make lintian happy.
  * Fixed postinst script for better php5 support.

 -- Piotr Roszatycki <email address hidden> Wed, 12 Jan 2005 21:37:02 +0100

phpmyadmin (2:2.6.1-rc1-1) unstable; urgency=high

  * New upstream release.
  * Security fix: Command execution and file disclosure was found.
    See http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2004-4
    Closes: #285488.
  * Remove 003.non_standard_port_fix.diff applied to upstream.
  * Add commented out options 'extension' and 'AllowRoot' to default config
    file.
  * Support mysqli.so extension. Autodetect modules from 'extension' option.

 -- Piotr Roszatycki <email address hidden> Mon, 13 Dec 2004 19:23:57 +0100

phpmyadmin (2:2.6.0-pl3-2) unstable; urgency=high

  * Security fix is broken if non-standard HTTP(S) port is used.
    Closes: #283044.

 -- Piotr Roszatycki <email address hidden> Fri, 26 Nov 2004 09:55:29 +0100

phpmyadmin (2:2.6.0-pl3-1) unstable; urgency=high

  * New upstream release.
  * Security fix: Multiple XSS vulnerability were found.
    See http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2004-3
  * Tweaks dependencies: depends php4 | php4-cgi; don't suggests
    non-free mysql-doc.
  * Supports unofficial php5 packages.

 -- Piotr Roszatycki <email address hidden> Mon, 22 Nov 2004 10:22:41 +0100

phpmyadmin (2:2.6.0-pl2-2) unstable; urgency=low

  * Updated German translation of the debconf templates. Closes: #280998.

 -- Piotr Roszatycki <email address hidden> Thu, 18 Nov 2004 14:08:27 +0100

phpmyadmin (2:2.6.0-pl2-1) unstable; urgency=high

  * New upstream release.
  * Security fix: If PHP is not running in safe mode, a problem in the
    MIME-based transformation system (with an "external" transformation)
    allows to execute any command with the privileges of the web server's
    user.

 -- Piotr Roszatycki <email address hidden> Thu, 14 Oct 2004 11:33:56 +0200

phpmyadmin (2:2.6.0-pl1-1) unstable; urgency=low

  * New upstream release.
  * This release fixes patch 003.woody_compatibility.

 -- Piotr Roszatycki <email address hidden> Wed, 29 Sep 2004 09:39:38 +0200

phpmyadmin (2:2.6.0-1) unstable; urgency=low

  * New upstream release.
  * Depends: php4-cgi (>= 4.1.0) | libapache-mod-php4. The php4-cgi package
    is recommended as easier for installation. Closes: #267878.
  * Depends: apache | apache-perl | apache-ssl | apache2 | httpd.
  * Added patch for woody with MySQL from backports.org compatibility.

 -- Piotr Roszatycki <email address hidden> Tue, 28 Sep 2004 09:42:06 +0200

phpmyadmin (1:2.6.0-rc1-1) experimental; urgency=low

  * New upstream release.
  * Disable the default warning that is displayed on the DB Details Structure
    page if any of the required Tables for the relation features could not be
    found.

 -- Piotr Roszatycki <email address hidden> Mon, 9 Aug 2004 10:21:07 +0200

phpmyadmin (1:2.5.7-pl1-2) unstable; urgency=medium

  * blowfish_secret.inc.php must not be world readable. Closes: #257968.

 -- Piotr Roszatycki <email address hidden> Thu, 5 Aug 2004 17:37:46 +0200

phpmyadmin (1:2.5.7-pl1-1) unstable; urgency=high

  * New upstream release
  * Fixes security problems. See
    http://securityfocus.com/archive/1/367486/2004-06-26/2004-07-02/0
    and the Documentation.html, FAQ 8.2.

 -- Piotr Roszatycki <email address hidden> Thu, 1 Jul 2004 09:51:54 +0200

phpmyadmin (1:2.5.7-1) unstable; urgency=low

  * New upstream release
  * Add /var/www/phpmyadmin to the apache.conf, closes: #246367.
  * Suggests: php4-gd, closes: #243714.
  * Should work with E_ALL, closes: #244672.
  * Remove php3 from dependencies and DebConf templates, closes: #246002.
  * Fixed typo in DebConf template, closes: #250841.
  * Dutch debconf templates translation (unfinished...), closes: #216936.
  * Split configuration to the /etc/phpmyadmin/config.inc.php and
    /usr/share/phpmyadmin/config.inc.php, closes: #225766.
  * Ask for restart only if required, closes: #249940.

 -- Piotr Roszatycki <email address hidden> Fri, 25 Jun 2004 10:27:26 +0200

phpmyadmin (1:2.5.6-2) unstable; urgency=low

  * Supports PHP for Apache2, closes: #242797.
  * apache.conf uses <Directory> than <DirectoryMatch>, closes: #236978.
  * Remove /etc/*/conf.d/phpmyadmin on purge, closes: #239080.
  * Fixed DebConf scripts. Should not ask again about webservers,
    closes: #239480.
  * Install /var/www/phpmyadmin symlink than Alias, closes: #238598.
  * Catalan debconf templates translation, closes: #236636.
  * DebConf templates:
    * Removed phpmyadmin/changed-extension
    * Renamed phpmyadmin/webserver to phpmyadmin/reconfigure-webserver
    * Renamed phpmyadmin/restart to phpmyadmin/restart-webserver

 -- Piotr Roszatycki <email address hidden> Sat, 27 Mar 2004 13:16:26 +0100

phpmyadmin (1:2.5.6-1) unstable; urgency=low

  * New upstream release.
  * Ignore missing /etc/phpmyadmin directory for postrm purge, close: #235696.
  * Danish debconf templates translation, closes: #234948.

 -- Piotr Roszatycki <email address hidden> Thu, 4 Mar 2004 17:16:56 +0100

phpmyadmin (2.5.6-rc2-1) unstable; urgency=low

  * New upstream release.
  * Removed conffiles /etc/phpmyadmin/{header,footer}.inc.php. They are
    not conffiles for a long time. Closes: #232557, #231880.
  * Brazilian Portuguese debconf templates translation, closes: #231713.
  * French debconf templates translation, closes: #220804.
  * Japanese po-debconf template translation, closes: #222282.

 -- Piotr Roszatycki <email address hidden> Sun, 22 Feb 2004 13:14:00 +0100

phpmyadmin (2.5.6-rc1-1) unstable; urgency=high

  * New upstream release.
  * Security fix: possible attack against export.php, see
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0129,
    closes: #231050.

 -- Piotr Roszatycki <email address hidden> Wed, 4 Feb 2004 12:34:11 +0100

phpmyadmin (2.5.5-pl1-2) unstable; urgency=low

  * Restored upstream release notes.

 -- Piotr Roszatycki <email address hidden> Tue, 3 Feb 2004 15:33:54 +0100

phpmyadmin (2.5.5-pl1-1) unstable; urgency=low

  * New upstream release.
  * Depends php4 or php4-cgi (>= 4.1.0) and suggests mysql-server (>= 3.23.36).

 -- Piotr Roszatycki <email address hidden> Wed, 28 Jan 2004 11:17:25 +0100

phpmyadmin (2.5.4-2) unstable; urgency=low

  * Call modules-config rather than writing directly to modules.conf.
  * Recommends: apache (>= 1.3.29.0.1-1), php4, php4-mysql
  * Update Russian translation, closes: #221827.

 -- Piotr Roszatycki <email address hidden> Fri, 19 Dec 2003 18:58:27 +0100

phpmyadmin (2.5.4-1) unstable; urgency=low

  * New official unstable release.
  * Fixed apache.conf with IfModule directive.
  * Closes bugs with pending tag:
    o Fixed problem with password changes, closes: #216467
    o Fixed print view for one table, closes: #149172
    o Fixed grants for table contained backslash in its name, closes: #149416
    o Can login with empty password, closes: #171784
    o apache.conf includes DirectoryIndex directive, closes: #217100
    o Can copy user grants/permissions to other user, closes: #152807
    o Backs to browse listing after edting, closes: #168980

 -- Piotr Roszatycki <email address hidden> Fri, 7 Nov 2003 11:42:44 +0100

phpmyadmin (2.5.4-0.4) experimental; urgency=low

  * Fixed another ucf bug.

 -- Piotr Roszatycki <email address hidden> Thu, 6 Nov 2003 19:45:31 +0100

phpmyadmin (2.5.4-0.3) experimental; urgency=low

  * ucf should be called on "configure" action. YADA relative problem.

 -- Piotr Roszatycki <email address hidden> Tue, 4 Nov 2003 13:21:29 +0100

phpmyadmin (2.5.4-0.2) experimental; urgency=low

  * modules-config hangs up if postinst uses debconf. Write to modules.conf
    directly.

 -- Piotr Roszatycki <email address hidden> Fri, 31 Oct 2003 17:21:10 +0100

phpmyadmin (2.5.4-0.1) experimental; urgency=low

  * New upstream release.
  * ucf handles configuration files.
  * Don't use wwwconfig-common.
  * Handle Apache2 webserver.
  * Works with new DebConfized Apache package.

 -- Piotr Roszatycki <email address hidden> Tue, 28 Oct 2003 15:45:34 +0100

phpmyadmin (2.5.3-1) unstable; urgency=low

  * New upstream release.

 -- Piotr Roszatycki <email address hidden> Mon, 8 Sep 2003 10:37:07 +0200

phpmyadmin (2.5.2-pl1-1) unstable; urgency=low

  * New upstrem release.
  * NEWS.Debian renamed to NEWS, closes: #204901.

 -- Piotr Roszatycki <email address hidden> Mon, 11 Aug 2003 22:21:18 +0200

phpmyadmin (2.5.2-2) unstable; urgency=high

  * The upstream also fixes XSS vulnerabilities, information
    encoding weakness and transversal directory attack. This was
    mentioned in Debian.NEWS file only, not changelog.Debian file.
    See http://www.securityfocus.com/archive/1/325641. Closes: #203092.
  * CVS fix: another patch for path disclosure problem.
  * CVS fix: a user could not edit his own global privileges.

 -- Piotr Roszatycki <email address hidden> Mon, 28 Jul 2003 09:39:11 +0200

phpmyadmin (2.5.2-1) unstable; urgency=low

  * New upstream release
  * French debconf translation, closes: #200724
  * Generates /etc/phpmyadmin/blowfish_secret.inc.php in postinst script.

 -- Piotr Roszatycki <email address hidden> Thu, 24 Jul 2003 10:50:01 +0200

phpmyadmin (2.5.1-1) unstable; urgency=high

  * New upstream release
  * Fixes security problem. Prevent transversal directory attacks and remote
    local directory listing with discovering directory content.

 -- Piotr Roszatycki <email address hidden> Sat, 28 Jun 2003 21:57:23 +0200

phpmyadmin (2.4.0-2) unstable; urgency=high

  * Fixes bug introduced by previous fix. I don't know how I could upload
    this crap. Sorry. Closes: #184214, #184544

 -- Piotr Roszatycki <email address hidden> Thu, 13 Mar 2003 02:14:05 +0100

phpmyadmin (2.4.0-1) unstable; urgency=low

  * New upstream release

 -- Piotr Roszatycki <email address hidden> Mon, 10 Mar 2003 19:29:09 +0100

phpmyadmin (2.3.3pl1-1) unstable; urgency=low

  * New upstream release
  * phpMyAdmin can login without password and shows connection errors.

 -- Piotr Roszatycki <email address hidden> Thu, 5 Dec 2002 12:01:54 +0100

phpmyadmin (2.3.2-4) unstable; urgency=low

  * Don't insert NULL value if textarea is not empty. Fix from CVS snapshot,
    closes: #168979

 -- Piotr Roszatycki <email address hidden> Mon, 18 Nov 2002 19:17:14 +0100

phpmyadmin (2.3.2-3) unstable; urgency=low

  * Missing libraries, closes: #166698

 -- Piotr Roszatycki <email address hidden> Mon, 4 Nov 2002 15:43:58 +0100

phpmyadmin (2.3.2-2) unstable; urgency=low

  * Missing translators.html

 -- Piotr Roszatycki <email address hidden> Thu, 17 Oct 2002 10:32:49 +0200

phpmyadmin (2.3.2-1) unstable; urgency=low

  * New upstream release, closes: #157915
    + phpMyAdmin showed that the one field is PRIMARY key even if no field
      was PRIMARY, closes: #144362
    + Can dump table and field names with backquotes, closes: #144513
    + Fixed Russian translation, closes: #144617
    + Cookie path is autodetected, closes: #155108
  * Now the absolute URI is autodetected, closes: #147714
  * Spanish DebConf template, closes: #153071

 -- Piotr Roszatycki <email address hidden> Fri, 11 Oct 2002 12:46:29 +0200

phpmyadmin (2.2.6-1) unstable; urgency=low

  * New upstream release

 -- Piotr Roszatycki <email address hidden> Mon, 22 Apr 2002 17:01:39 +0200

phpmyadmin (2.2.5-2.2.6-rc2-1) unstable; urgency=low

  * New upstream release
  * Fixed wwwconfig-common stuff, closes: #139986

 -- Piotr Roszatycki <email address hidden> Thu, 18 Apr 2002 11:44:44 +0200

phpmyadmin (2.2.5-2.2.6-rc1-2) unstable; urgency=low

  * Fixed postrm for debconf if package is not configured yet.

 -- Piotr Roszatycki <email address hidden> Fri, 12 Apr 2002 12:12:22 +0200

phpmyadmin (2.2.5-2.2.6-rc1-1) unstable; urgency=low

  * New upstream release
  * Russian debconf template, closes: #137674

 -- Piotr Roszatycki <email address hidden> Thu, 11 Apr 2002 16:48:00 +0200

phpmyadmin (2.2.3-1) unstable; urgency=low

  * New upstream release

 -- Piotr Roszatycki <email address hidden> Tue, 8 Jan 2002 13:02:45 +0100

phpmyadmin (2.2.2-2.2.3-dev-20011218-1) unstable; urgency=low

  * New upstream release (CVS snapshot)
  * This upstream release implements cookie based authentication. Finally :)
  * Fixes 'Query empty' bug when ordering by a column, closes: #123459
  * Fixes spelling error in description, closes: #125243
  * Removed invalid command for PHP3 from apache.conf, closes: #122941

 -- Piotr Roszatycki <email address hidden> Mon, 17 Dec 2001 16:17:11 +0100

phpmyadmin (2.2.1-2.2.2-rc1-2) unstable; urgency=low

  * Works with error_reporting=E_ALL, closes: #121328
  * Turn on register_globals in apache.conf

 -- Piotr Roszatycki <email address hidden> Tue, 27 Nov 2001 11:10:59 +0100

phpmyadmin (2.2.1-2.2.2-rc1-1) unstable; urgency=medium

  * New upstream release, closes: #118716
  * New upstream fixes several security problems.

 -- Piotr Roszatycki <email address hidden> Wed, 21 Nov 2001 12:13:07 +0100

phpmyadmin (2.2.0-4) unstable; urgency=low

  * Missing select_box() function added, required for multiserver config.

 -- Piotr Roszatycki <email address hidden> Mon, 1 Oct 2001 12:38:08 +0200

phpmyadmin (2.2.0-3) unstable; urgency=low

  * User can login even if (s)he doesn't have priviliges to mysql
    database, really closes: #112099
  * New yada, package should build from source.
  * Remove CVS directories.

 -- Piotr Roszatycki <email address hidden> Tue, 18 Sep 2001 15:57:25 +0200

phpmyadmin (2.2.0-2) unstable; urgency=low

  * Fixed typo in lib.inc.php, closes: #112099
  * Compatibility with potato's mysql server
  * Frameset is now resizable, applied patch from CVS

 -- Piotr Roszatycki <email address hidden> Tue, 18 Sep 2001 14:07:59 +0200

phpmyadmin (2.2.0-1) unstable; urgency=high

  * New upstream release, closes: #70086, #104515
  * Upstream changed to SourceForge project (http://phpmyadmin.sf.net).
  * Security update, see SecurityFocus.
  * Suggests: mysql-server, closes: #67547
  * DebConf and wwwconfig-common for automatic webserver reconfiguration.

 -- Piotr Roszatycki <email address hidden> Fri, 31 Aug 2001 12:23:04 +0200

phpmyadmin (2.1.0.1-5) unstable; urgency=low

  * Fixed edit after select action, thanks Werner Ammon.
  * Fixed german translation.

 -- Piotr Roszatycki <email address hidden> Mon, 9 Jul 2001 17:37:46 +0200

phpmyadmin (2.1.0.1-4) unstable; urgency=high

  * Security update, see: http://securityfocus.com/vdb/bottom.html?vid=2966
  * Compiled with phpMyAdmin-SecureReality.diff patch from
    http://www.securereality.com.au/srpre00001.html
  * Added charset info to left.php

 -- Piotr Roszatycki <email address hidden> Mon, 9 Jul 2001 12:51:00 +0200

phpmyadmin (2.1.0.1-3) unstable; urgency=low

  * German template file, closes: #99332

 -- Piotr Roszatycki <email address hidden> Thu, 31 May 2001 08:59:43 +0200

phpmyadmin (2.1.0.1-2) unstable; urgency=low

  * Clean up debian/packages
  * Renamed .php3 to .php, see Debconf note.
  * Purging /etc/phpmyadmin in postrm

 -- Piotr Roszatycki <email address hidden> Mon, 21 May 2001 12:45:34 +0200

phpmyadmin (2.1.0.1-1) unstable; urgency=low

  * New upstream release from unofficial source, see copyright info,
    closes: #82506
  * New yada
  * Removed dependency on libmysqlclient

 -- Piotr Roszatycki <email address hidden> Mon, 29 Jan 2001 17:12:30 +0000

phpmyadmin (2.1.0-1) unstable; urgency=low

  * php4-cgi added to Depends
  * Standards-Version: 3.1.0
  * New upstream release

 -- Piotr Roszatycki <email address hidden> Tue, 10 Oct 2000 18:17:07 +0200

phpmyadmin (2.0.5-2) unstable; urgency=low

  * Suggests: mysql-doc
  * Load mysql.so module if not loaded
  * Set charset in META tag
  * Minor changes in debian/ directory

 -- Piotr Roszatycki <email address hidden> Mon, 10 Jul 2000 12:43:41 +0200

phpmyadmin (2.0.5-1) frozen unstable; urgency=medium

  * This upstream source allows creating tables, closes: #53751
  * New upstream release

 -- Piotr Roszatycki <email address hidden> Thu, 10 Feb 2000 19:09:11 +0100

phpmyadmin (2.0.4-3) unstable; urgency=low

  * Polish translation in polish.inc.php3
  * Slightly modified README.Debian
  * New feature: logout.php3; required by Netscape browser.
  * Suggests: mysql-doc; modified default conffile and sources.
  * Depends: php4, php4-mysql; a minor changes in debian/*.dpatch files.

 -- Piotr Roszatycki <email address hidden> Sat, 27 Nov 1999 14:32:24 +0100

phpmyadmin (2.0.4-2) unstable; urgency=low

  * yada 0.8
  * moved to main archive

 -- Piotr Roszatycki <email address hidden> Sat, 6 Nov 1999 23:33:59 +0100

phpmyadmin (2.0.4-1) unstable; urgency=low

  * /usr/doc/... symlink.
  * Removed some debhelper's constructions
  * README.Debian in dpatch file.
  * New option in config file: verbose.
  * New language: Portuguese.
  * New upstream release.

 -- Piotr Roszatycki <email address hidden> Mon, 18 Oct 1999 19:09:48 +0200

phpmyadmin (2.0.3-1) unstable; urgency=low

  * Initial Debian version.

 -- Piotr Roszatycki <email address hidden> Wed, 25 Aug 1999 21:32:14 +0200

Changed in phpmyadmin:
importance: Undecided → Wishlist
Revision history for this message
Daniel Holbach (dholbach) wrote : ACK of sync request

ACKed.

Changed in phpmyadmin:
status: New → Confirmed
Revision history for this message
Martin Pitt (pitti) wrote :

Getting binaries for intrepid...
[Updating] phpmyadmin (4:2.11.3-1ubuntu1 [Ubuntu] < 4:2.11.6-1 [Debian])
 * Trying to add phpmyadmin...
  - <phpmyadmin_2.11.6-1.dsc: downloading from http://ftp.debian.org/debian/>
  - <phpmyadmin_2.11.6.orig.tar.gz: downloading from http://ftp.debian.org/debian/>
  - <phpmyadmin_2.11.6-1.diff.gz: downloading from http://ftp.debian.org/debian/>
I: phpmyadmin [universe] -> phpmyadmin_4:2.11.3-1ubuntu1 [universe].

Changed in phpmyadmin:
status: Confirmed → Fix Released
Revision history for this message
David McNeill (davemc) wrote :

Will this sync request also apply to Hardy, which is still stuck on 2.11.3, which suffers from this bug..

https://sourceforge.net/tracker/index.php?func=detail&aid=2126028&group_id=23067&atid=377408

Revision history for this message
James Westby (james-w) wrote :

Hi David,

It won't be synced to Hardy as well.

However, if the bug fix is important enough the fix can be backported
to the stable version.

Thanks,

James

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.