Comment 7 for bug 387215

Artur Rona (ari-tczew) wrote :

phpmyadmin (4:2.11.8.1-1ubuntu0.1) intrepid-security; urgency=low

  * SECURITY UPDATE: remote code execution via PHP sequences in sort_by
    parameter
    - debian/patches/041-security-CVE-2008-4096.dpatch: add new
      PMA_usort_comparison_callback in libraries/database_interface.lib.php
    - CVE-2008-4096
  * SECURITY UPDATE: cross-site scripting via NUL byte
    - debian/patches/042-security-CVE-2008-4326.dpatch: remove NUL bytes
      in libraries/js_escape.lib.php.
    - CVE-2008-4326
  * SECURITY UPDATE: cross-site scripting in pmd_pdf.php when
    register_globals is enabled
    - debian/patches/043-security-CVE-2008-4775.dpatch: use
      PMA_generate_common_hidden_inputs in pmd_pdf.php.
    - CVE-2008-4775
  * SECURITY UPDATE: code execution via CSRF vulnerability (LP: #306699)
    - debian/patches/044-security-CVE-2008-5621.dpatch: use PMA_backquote
      instead of PMA_sqlAddslashes in libraries/db_table_exists.lib.php.
    - CVE-2008-5621
  * SECURITY UPDATE: code injection via multiple cross-site scripting
    vulnerabilities in display_export.lib.php
    - debian/patches/045-security-CVE-2009-1150.dpatch: strip special chars
      in libraries/display_export.lib.php.
    - CVE-2009-1150
  * SECURITY UPDATE: code injection from PHP code in a configuration file
    via the save action.
    - debian/patches/046-security-CVE-2009-1151.dpatch: filter $key in
      scripts/setup.php.
    - CVE-2009-1151

 -- Marc Deslauriers <email address hidden> Sun, 05 Jul 2009 10:16:05 -0400