Fix CVE-2010-4480 and CVE-2010-4481

These are low priority security fixes, so I'm waiting for the 3.3.9 release to Debian experimental which will hopefully include these (and then be sync'd to natty) before subscribing security sponsors for this.

Uploaded 4:3.3.7-3build0.10.10.1 to the security PPA.

phpmyadmin (4:3.3.7-3build0.10.10.1) maverick-security; urgency=low

  * fake sync from Debian

phpmyadmin (4:3.3.7-3) unstable; urgency=high

  * Address two security issues (Closes: #608290):
  - It was possible to display arbitrary text and link to external site
    using parameters passed to particular script
    (CVE-2010-4480, PMASA-2010-9).
  - Phpinfo could be visible to not logged in users if this feature was
    enabled (minor issue; CVE-2010-4481, PMASA-2010-10).

I'm actually working on adding this on top of 3.3.9 and then uploading.

This bug was fixed in the package phpmyadmin - 4:3.3.9-1ubuntu1

---------------
phpmyadmin (4:3.3.9-1ubuntu1) natty; urgency=low

  * SECURITY UPDATE: Unvalidated input on error page (LP: #696857)
    - debian/patches/CVE-2010-4480.patch: Don't use a redirect to the error page
    - CVE-2010-4480
  * SECURITY UPDATE: Possible information disclosure of phpinfo (same bug)
    - debian/patches/CVE-2010-4481.patch: Don't skip authentication for
      PMA_MINIMUM_COMMON
    - CVE-2010-4481

phpmyadmin (4:3.3.9-1) experimental; urgency=low

  * New upstream release.
  * Fix connection settings when using dbconfig with remote MySQL server.
  * Log when dbconfig generated settings are not accessible.
  * Add Slovak debconf translation (Closes: #608702).
  * Update Danish debconf translation (Closes: #608941).
 -- Micah Gersten <email address hidden> Wed, 05 Jan 2011 23:42:17 -0600

Debian has corrected phpmyadmin in Lenny and Squeeze:

http://www.debian.org/security/2010/dsa-2139

Nothing in Ubuntu Lucid. :(

This is causing a SecurityMetrics scan failure for me.
Though even if it's fixed, I'm afraid the scan may fail as they just look at the version number. :-(

Thank you for reporting this bug to Ubuntu. karmic has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against karmic is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures