diff -u phpmyadmin-2.11.3/debian/patches/00list phpmyadmin-2.11.3/debian/patches/00list
--- phpmyadmin-2.11.3/debian/patches/00list
+++ phpmyadmin-2.11.3/debian/patches/00list
@@ -4,0 +5,2 @@
+051_CVE-2008-1567
+052_CVE-2008-1924
diff -u phpmyadmin-2.11.3/debian/changelog phpmyadmin-2.11.3/debian/changelog
--- phpmyadmin-2.11.3/debian/changelog
+++ phpmyadmin-2.11.3/debian/changelog
@@ -1,3 +1,19 @@
+phpmyadmin (4:2.11.3-1ubuntu1.1) hardy-security; urgency=low
+
+ * SECURITY UPDATE: sensitive data in session files, reading of arbitrary
+ files by users with the CREATE privilege. (LP: #227283)
+ - debian/patches/051_CVE-2008-1567.dpatch: Add. Don't save sensitive
+ information in session files. Patch from upstream SVN.
+ - debian/patches/052_CVE-2008-1924.dpatch: Add. Confirm that the upload
+ directory is set. Patch from upstream SVN.
+ - References:
+ + CVE-2008-1567
+ + CVE-2008-1924
+ + PMASA-2008-2
+ + PMASA-2008-3
+
+ -- William Grant Fri, 30 May 2008 18:43:32 +1000
+
 phpmyadmin (4:2.11.3-1ubuntu1) hardy; urgency=low

 * SECURITY UPDATE:
only in patch2:
unchanged:
--- phpmyadmin-2.11.3.orig/debian/patches/051_CVE-2008-1567.dpatch
+++ phpmyadmin-2.11.3/debian/patches/051_CVE-2008-1567.dpatch
@@ -0,0 +1,76 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 051_CVE-2008-1567.dpatch by William Grant
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: PMASA-2008-2
+
+@DPATCH@
+diff -urNad phpmyadmin-2.11.3~/libraries/Config.class.php phpmyadmin-2.11.3/libraries/Config.class.php
+--- phpmyadmin-2.11.3~/libraries/Config.class.php 2007-12-08 23:47:13.000000000 +1100
++++ phpmyadmin-2.11.3/libraries/Config.class.php 2008-05-30 18:41:24.000000000 +1000
+@@ -885,8 +885,9 @@
+ */
+ function enableBc()
+ {
+- $GLOBALS['cfg'] =& $this->settings;
+- $GLOBALS['default_server'] =& $this->default_server;
++ $GLOBALS['cfg'] = $this->settings;
++ $GLOBALS['default_server'] = $this->default_server;
++ unset($this->default_server);
+ $GLOBALS['collation_connection'] = $this->get('collation_connection');
+ $GLOBALS['is_upload'] = $this->get('enable_upload');
+ $GLOBALS['max_upload_size'] = $this->get('max_upload_size');
+diff -urNad phpmyadmin-2.11.3~/libraries/common.inc.php phpmyadmin-2.11.3/libraries/common.inc.php
+--- phpmyadmin-2.11.3~/libraries/common.inc.php 2007-12-08 23:47:13.000000000 +1100
++++ phpmyadmin-2.11.3/libraries/common.inc.php 2008-05-30 18:41:35.000000000 +1000
+@@ -465,26 +465,20 @@
+ /******************************************************************************/
+ /* parsing configuration file LABEL_parsing_config_file */
+
+-if (empty($_SESSION['PMA_Config'])) {
+- /**
+- * We really need this one!
+- */
+- if (! function_exists('preg_replace')) {
+- PMA_fatalError('strCantLoad', 'pcre');
+- }
+-
+- /**
+- * @global PMA_Config $_SESSION['PMA_Config']
+- */
+- $_SESSION['PMA_Config'] = new PMA_Config('./config.inc.php');
+-
+-} elseif (version_compare(phpversion(), '5', 'lt')) {
+- /**
+- * @todo move all __wakeup() functionality into session.inc.php
+- */
+- $_SESSION['PMA_Config']->__wakeup();
++/**
++ * We really need this one!
++ */
++if (! function_exists('preg_replace')) {
++ PMA_fatalError('strCantLoad', 'pcre');
+ }
+
++/**
++ * @global PMA_Config $_SESSION['PMA_Config']
++ * force reading of config file, because we removed sensitive values
++ * in the previous iteration
++ */
++$_SESSION['PMA_Config'] = new PMA_Config('./config.inc.php');
++
+ if (!defined('PMA_MINIMUM_COMMON')) {
+ $_SESSION['PMA_Config']->checkPmaAbsoluteUri();
+ }
+@@ -895,6 +889,11 @@
+
+ } // end if !defined('PMA_MINIMUM_COMMON')
+
++// remove sensitive values from session
++$_SESSION['PMA_Config']->set('blowfish_secret', '');
++$_SESSION['PMA_Config']->set('Servers', '');
++$_SESSION['PMA_Config']->set('default_server', '');
++
+ if (!empty($__redirect) && in_array($__redirect, $goto_whitelist)) {
+ /**
+ * include subform target page
only in patch2:
unchanged:
--- phpmyadmin-2.11.3.orig/debian/patches/052_CVE-2008-1924.dpatch
+++ phpmyadmin-2.11.3/debian/patches/052_CVE-2008-1924.dpatch
@@ -0,0 +1,26 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## 052_CVE-2008-1924.dpatch by William Grant
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: PMASA-2008-3
+
+@DPATCH@
+diff -urNad phpmyadmin-2.11.3~/libraries/File.class.php phpmyadmin-2.11.3/libraries/File.class.php
+--- phpmyadmin-2.11.3~/libraries/File.class.php 2007-12-08 23:47:13.000000000 +1100
++++ phpmyadmin-2.11.3/libraries/File.class.php 2008-05-30 18:42:49.000000000 +1000
+@@ -466,6 +466,8 @@
+ */
+ function setLocalSelectedFile($name)
+ {
++ if (empty($GLOBALS['cfg']['UploadDir'])) return false;
++
+ $this->setName(PMA_userDir($GLOBALS['cfg']['UploadDir']) . PMA_securePath($name));
+ if (! $this->isReadable()) {
+ $this->_error_message = $GLOBALS['strFileCouldNotBeRead'];
+@@ -875,4 +877,4 @@
+
+ }
+ }
+-?>
+\ No newline at end of file
++?>
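Review bot: The scrub added at the end of common.inc.php in 051_CVE-2008-1567.dpatch (`$_SESSION['PMA_Config']->set('blowfish_secret', '');` and the two calls after it) only runs on requests that reach that line, while the freshly loaded config is placed in `$_SESSION` roughly 400 lines earlier. Any path in between that ends the request early would presumably still serialise `blowfish_secret` and `Servers` into the session file; that code lies outside the hunk, so this is inferred rather than shown. Consider registering the three `set()` calls as a shutdown callback directly after `new PMA_Config('./config.inc.php')`, or keeping the object out of `$_SESSION` altogether, and at minimum add a comment such as `// must run on every exit path; an early exit leaves secrets in the session file`. The scrub is also a three-key denylist, so any sensitive setting introduced later has to be added here by hand.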
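Review bot: The new guard in setLocalSelectedFile() (052_CVE-2008-1924.dpatch) returns false without setting `$this->_error_message`, unlike the unreadable-file branch just below it, which assigns `$GLOBALS['strFileCouldNotBeRead']` first. A caller that reports the object's error message would then have nothing to show when UploadDir is unset; I would write it as `if (empty($GLOBALS['cfg']['UploadDir'])) { $this->_error_message = $GLOBALS['strFileCouldNotBeRead']; return false; }`, which also gives the `if` the braces used in the rest of the function. With the directory confirmed, containment of `$name` still rests on PMA_securePath(), whose body is not part of this hunk. The function continues past the last context line shown.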