diff -Nru phpmyadmin-3.3.2/debian/changelog phpmyadmin-3.3.2/debian/changelog
--- phpmyadmin-3.3.2/debian/changelog	2010-04-14 10:56:38.000000000 +0200
+++ phpmyadmin-3.3.2/debian/changelog	2011-07-26 14:37:14.000000000 +0200
@@ -1,3 +1,21 @@
+phpmyadmin (4:3.3.2-2) unstable; urgency=medium
+
+  * SECURITY UPDATE: Possible session manipulation in Swekey authentication. 
+    - libraries/auth/swekey/swekey.auth.lib.php b/libraries/auth/swekey/swekey.auth.lib.php: fix based on upstream commit (6e6e129f26295c83d67b74e202628a4b8bc49e54). Thanks to Herman van Rink <rink@initfour.nl>.
+    - CVE-2011-2505
+  * SECURITY UPDATE: Possible code injection in setup script in case session variables are compromised. 
+    - setup/lib/ConfigFile.class.php: fix based on upstream commit (2e01647949df937040e73a94ce0bac0daecbdcf4). Thanks to Herman van Rink <rink@initfour.nl>.
+    - CVE-2011-2506
+  * SECURITY UPDATE: Regular expression quoting issue in Synchronize code. 
+    - libraries/server_synchronize.lib.php: fix based on upstream commit (ca74f480f119a53ef07ca40d2ab28f063cc89ec9). Thanks to Herman van Rink <rink@initfour.nl>.
+    - CVE-2011-2507
+  * SECURITY UPDATE: Possible directory traversal. 
+    - libraries/display_tbl.lib.php: fix based on upstream commit (5ee357a572866e730d83f56d6187a67c7c48e523). Thanks to Herman van Rink <rink@initfour.nl>.
+    - CVE-2011-2508
+  * Fixed several vulnerabilities (closes: #806788).
+
+ -- Adam Števko <adam.stevko@digmia.com>  Mon, 25 Jul 2011 20:44:42 +0200
+
 phpmyadmin (4:3.3.2-1) unstable; urgency=medium
 
   * New upstream release (closes: #577753).
diff -Nru phpmyadmin-3.3.2/debian/patches/debian-changes-4:3.3.2-2 phpmyadmin-3.3.2/debian/patches/debian-changes-4:3.3.2-2
--- phpmyadmin-3.3.2/debian/patches/debian-changes-4:3.3.2-2	1970-01-01 01:00:00.000000000 +0100
+++ phpmyadmin-3.3.2/debian/patches/debian-changes-4:3.3.2-2	2011-07-26 14:41:18.000000000 +0200
@@ -0,0 +1,186 @@
+Description: Upstream changes introduced in version 4:3.3.2-2
+ This patch has been created by dpkg-source during the package build.
+ Here's the last changelog entry, hopefully it gives details on why
+ those changes were made:
+ .
+ phpmyadmin (4:3.3.2-2) unstable; urgency=medium
+ .
+   * SECURITY UPDATE: Possible session manipulation in Swekey authentication.
+     - libraries/auth/swekey/swekey.auth.lib.php b/libraries/auth/swekey/swekey.auth.lib.php: fix based on upstream commit (6e6e129f26295c83d67b74e202628a4b8bc49e54). Thanks to Herman van Rink <rink@initfour.nl>.
+     - CVE-2011-2505
+   * SECURITY UPDATE: Possible code injection in setup script in case session variables are compromised.
+     - setup/lib/ConfigFile.class.php: fix based on upstream commit (2e01647949df937040e73a94ce0bac0daecbdcf4). Thanks to Herman van Rink <rink@initfour.nl>.
+     - CVE-2011-2506
+   * SECURITY UPDATE: Regular expression quoting issue in Synchronize code.
+     - libraries/server_synchronize.lib.php: fix based on upstream commit (ca74f480f119a53ef07ca40d2ab28f063cc89ec9). Thanks to Herman van Rink <rink@initfour.nl>.
+     - CVE-2011-2507
+   * SECURITY UPDATE: Possible directory traversal.
+     - libraries/display_tbl.lib.php: fix based on upstream commit (5ee357a572866e730d83f56d6187a67c7c48e523). Thanks to Herman van Rink <rink@initfour.nl>.
+     - CVE-2011-2508
+   * Fixed several vulnerabilities (closes: #806788).
+ .
+ The person named in the Author field signed this changelog entry.
+Author: Adam Števko <adam.stevko@digmia.com>
+Bug-Debian: http://bugs.debian.org/806788
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: <vendor|upstream|other>, <url of original patch>
+Bug: <url in upstream bugtracker>
+Bug-Debian: http://bugs.debian.org/<bugnumber>
+Forwarded: <no|not-needed|url proving that it has been forwarded>
+Reviewed-By: <name and email of someone who approved the patch>
+Last-Update: <YYYY-MM-DD>
+
+--- phpmyadmin-3.3.2.orig/db_structure.php
++++ phpmyadmin-3.3.2/db_structure.php
+@@ -13,7 +13,6 @@ require_once './libraries/common.inc.php
+ require_once './libraries/Table.class.php';
+ 
+ $GLOBALS['js_include'][] = 'mootools.js';
+-$GLOBALS['js_include'][] = 'mootools-more.js';
+ 
+ /**
+  * Prepares the tables list if the user where not redirected to this script
+--- phpmyadmin-3.3.2.orig/Documentation.html
++++ phpmyadmin-3.3.2/Documentation.html
+@@ -253,10 +253,20 @@ $cfg['Servers'][$i]['auth_type']     = '
+                 <a href="setup/">Setup Script</a>. First you must
+                 manually create a folder <tt>config</tt> in the phpMyAdmin
+                 directory. This is a security measure. On a Linux/Unix system you
+-                can use the following command:
++                can use the following commands:
+ <pre>
+-/usr/sbin/pma-configure
++cd phpMyAdmin
++mkdir config                        # create directory for saving
++chmod o+rw config                   # give it world writable permissions
++</pre>
++                And to edit an existing configuration, copy it over first:
++<pre>
++cp config.inc.php config/           # copy current configuration for editing
++chmod o+w config/config.inc.php     # give it world writable permissions
+ </pre>
++                On other platforms, simply create the folder and ensure that your
++                web server has read and write access to it. <a href="#faq1_26">FAQ
++                1.26</a> can help with this.<br /><br />
+ 
+                 Next, open <tt><a href="setup/">setup/</a>
+                 </tt>in your browser. Note that <strong>changes are not saved to
+@@ -269,10 +279,13 @@ $cfg['Servers'][$i]['auth_type']     = '
+                 or use the <tt>Download</tt> link to save the config file locally
+                 and upload (via FTP or some similar means) to the proper location.<br /><br />
+ 
+-                Once the file has been saved, the permissions must be reset, again
++                Once the file has been saved, it must be moved out of the <tt>
++                config/</tt> directory and the permissions must be reset, again
+                 as a security measure:
+ <pre>
+-/usr/sbin/pma-secure
++mv config/config.inc.php .         # move file to current directory
++chmod o-rw config.inc.php          # remove world read and write permissions
++rm -rf config                      # remove not needed directory
+ </pre>
+                 Now the file is ready to be used. You can choose to review or edit
+                 the file with your favorite editor, if you prefer to set some
+--- phpmyadmin-3.3.2.orig/tbl_replace.php
++++ phpmyadmin-3.3.2/tbl_replace.php
+@@ -415,7 +415,6 @@ $GLOBALS['js_include'][] = 'tbl_change.j
+ $GLOBALS['js_include'][] = 'functions.js';
+ // in case we call sql.php which needs those:
+ $GLOBALS['js_include'][] = 'mootools.js';
+-$GLOBALS['js_include'][] = 'mootools-more.js';
+ 
+ $active_page = $goto_include;
+ 
+--- phpmyadmin-3.3.2.orig/main.php
++++ phpmyadmin-3.3.2/main.php
+@@ -12,7 +12,6 @@
+ define('PMA_MOORAINBOW', true);
+ require_once './libraries/common.inc.php';
+ $GLOBALS['js_include'][] = 'mootools.js';
+-$GLOBALS['js_include'][] = 'mootools-more.js';
+ $GLOBALS['js_include'][] = 'mooRainbow/mooRainbow.js';
+ $GLOBALS['js_include'][] = 'mootools-domready-rainbow.js';
+ 
+--- phpmyadmin-3.3.2.orig/tbl_select.php
++++ phpmyadmin-3.3.2/tbl_select.php
+@@ -20,7 +20,6 @@ require_once './libraries/mysql_charsets
+ 
+ $GLOBALS['js_include'][] = 'tbl_change.js';
+ $GLOBALS['js_include'][] = 'mootools.js';
+-$GLOBALS['js_include'][] = 'mootools-more.js';
+ 
+ if ($GLOBALS['cfg']['PropertiesIconic'] == true) {
+     $titles['Browse'] =
+--- phpmyadmin-3.3.2.orig/tbl_structure.php
++++ phpmyadmin-3.3.2/tbl_structure.php
+@@ -15,7 +15,6 @@ require_once './libraries/mysql_charsets
+ require_once './libraries/relation.lib.php';
+ 
+ $GLOBALS['js_include'][] = 'mootools.js';
+-$GLOBALS['js_include'][] = 'mootools-more.js';
+ 
+ /**
+  * handle multiple field commands if required
+--- phpmyadmin-3.3.2.orig/sql.php
++++ phpmyadmin-3.3.2/sql.php
+@@ -16,7 +16,6 @@ require_once './libraries/check_user_pri
+ require_once './libraries/bookmark.lib.php';
+ 
+ $GLOBALS['js_include'][] = 'mootools.js';
+-$GLOBALS['js_include'][] = 'mootools-more.js';
+ 
+ /**
+  * Defines the url to return to in case of error in a sql statement
+--- phpmyadmin-3.3.2.orig/setup/index.php
++++ phpmyadmin-3.3.2/setup/index.php
+@@ -36,7 +36,6 @@ require './libraries/header_http.inc.php
+ <link href="../favicon.ico" rel="shortcut icon" type="image/x-icon" />
+ <link href="styles.css" rel="stylesheet" type="text/css" />
+ <script type="text/javascript" src="../js/mootools.js"></script>
+-<script type="text/javascript" src="../js/mootools-more.js"></script>
+ <script type="text/javascript" src="scripts.js"></script>
+ </head>
+ <body>
+--- phpmyadmin-3.3.2.orig/libraries/vendor_config.php
++++ phpmyadmin-3.3.2/libraries/vendor_config.php
+@@ -15,30 +15,30 @@
+  * Path to changelog file, can be gzip compressed. Useful when you want to
+  * have documentation somewhere else, eg. /usr/share/doc.
+  */
+-define('CHANGELOG_FILE', '/usr/share/doc/phpmyadmin/changelog.gz');
++define('CHANGELOG_FILE', './ChangeLog');
+ 
+ /**
+  * Path to license file. Useful when you want to have documentation somewhere
+  * else, eg. /usr/share/doc.
+  */
+-define('LICENSE_FILE', '/usr/share/doc/phpmyadmin/copyright');
++define('LICENSE_FILE', './LICENSE');
+ 
+ /**
+  * Path to config file generated using setup script.
+  */
+-define('SETUP_CONFIG_FILE', '/var/lib/phpmyadmin/config.inc.php');
++define('SETUP_CONFIG_FILE', './config/config.inc.php');
+ 
+ /**
+  * Whether setup requires writable directory where config
+  * file will be generated.
+  */
+-define('SETUP_DIR_WRITABLE', false);
++define('SETUP_DIR_WRITABLE', true);
+ 
+ /**
+  * Whether to skip mtime check on config file and load it on every request.
+  * This has slight performance drawback, but it is the only way to handle
+  * inclusions of other php scripts from config.
+  */
+-define('SKIP_MTIME_CONFIG_CHECK', true);
++define('SKIP_MTIME_CONFIG_CHECK', false);
+ 
+ ?>
diff -Nru phpmyadmin-3.3.2/debian/patches/series phpmyadmin-3.3.2/debian/patches/series
--- phpmyadmin-3.3.2/debian/patches/series	2010-04-14 10:31:35.000000000 +0200
+++ phpmyadmin-3.3.2/debian/patches/series	2011-07-26 14:40:21.000000000 +0200
@@ -1,3 +1,4 @@
 mootools.patch
 debian.patch
 doc.patch
+debian-changes-4:3.3.2-2
diff -Nru phpmyadmin-3.3.2/libraries/auth/swekey/swekey.auth.lib.php phpmyadmin-3.3.2/libraries/auth/swekey/swekey.auth.lib.php
--- phpmyadmin-3.3.2/libraries/auth/swekey/swekey.auth.lib.php	2010-04-14 00:33:31.000000000 +0200
+++ phpmyadmin-3.3.2/libraries/auth/swekey/swekey.auth.lib.php	2011-07-26 14:36:47.000000000 +0200
@@ -263,11 +263,11 @@
 	}
 }
 
-if (strstr($_SERVER['QUERY_STRING'],'session_to_unset') != false)
+if (!empty($_GET['session_to_unset']))
 {
     parse_str($_SERVER['QUERY_STRING']);
 	session_write_close();
-	session_id($session_to_unset);
+	session_id($_GET['session_to_unset']);
 	session_start();
 	$_SESSION = array();
 	session_write_close();
diff -Nru phpmyadmin-3.3.2/libraries/display_tbl.lib.php phpmyadmin-3.3.2/libraries/display_tbl.lib.php
--- phpmyadmin-3.3.2/libraries/display_tbl.lib.php	2010-04-14 00:33:31.000000000 +0200
+++ phpmyadmin-3.3.2/libraries/display_tbl.lib.php	2011-07-26 14:36:48.000000000 +0200
@@ -1220,7 +1220,7 @@
             if ($GLOBALS['cfgRelation']['mimework'] && $GLOBALS['cfg']['BrowseMIME']) {
 
                 if (isset($GLOBALS['mime_map'][$meta->name]['mimetype']) && isset($GLOBALS['mime_map'][$meta->name]['transformation']) && !empty($GLOBALS['mime_map'][$meta->name]['transformation'])) {
-                    $include_file = $GLOBALS['mime_map'][$meta->name]['transformation'];
+                    $include_file = PMA_securePath($GLOBALS['mime_map'][$meta->name]['transformation']);
 
                     if (file_exists('./libraries/transformations/' . $include_file)) {
                         $transformfunction_name = str_replace('.inc.php', '', $GLOBALS['mime_map'][$meta->name]['transformation']);
diff -Nru phpmyadmin-3.3.2/libraries/server_synchronize.lib.php phpmyadmin-3.3.2/libraries/server_synchronize.lib.php
--- phpmyadmin-3.3.2/libraries/server_synchronize.lib.php	2010-04-14 00:33:31.000000000 +0200
+++ phpmyadmin-3.3.2/libraries/server_synchronize.lib.php	2011-07-26 14:36:47.000000000 +0200
@@ -624,7 +624,7 @@
         $Create_Query = PMA_DBI_fetch_value("SHOW CREATE TABLE " . PMA_backquote($src_db) . '.' . PMA_backquote($uncommon_tables[$table_index]), 0, 1, $src_link);
 
         // Replace the src table name with a `dbname`.`tablename`
-        $Create_Table_Query = preg_replace('/' . PMA_backquote($uncommon_tables[$table_index]) . '/', 
+        $Create_Table_Query = preg_replace('/' . preg_quote(PMA_backquote($uncommon_tables[$table_index]), '/') . '/',  
                                             PMA_backquote($trg_db) . '.' .PMA_backquote($uncommon_tables[$table_index]),
                                             $Create_Query,
                                             $limit = 1
diff -Nru phpmyadmin-3.3.2/setup/lib/ConfigFile.class.php phpmyadmin-3.3.2/setup/lib/ConfigFile.class.php
--- phpmyadmin-3.3.2/setup/lib/ConfigFile.class.php	2010-04-14 00:33:31.000000000 +0200
+++ phpmyadmin-3.3.2/setup/lib/ConfigFile.class.php	2011-07-26 14:36:48.000000000 +0200
@@ -286,7 +286,7 @@
         if ($this->getServerCount() > 0) {
             $ret .= "/* Servers configuration */$crlf\$i = 0;" . $crlf . $crlf;
             foreach ($c['Servers'] as $id => $server) {
-                $ret .= '/* Server: ' . strtr($this->getServerName($id), '*/', '-') . " [$id] */" . $crlf
+                $ret .= '/* Server: ' . strtr($this->getServerName($id) . " [$id] ", '*/', '-') . "*/" . $crlf
                     . '$i++;' . $crlf;
                 foreach ($server as $k => $v) {
                     $k = preg_replace('/[^A-Za-z0-9_]/', '_', $k);
diff -Nru phpmyadmin-3.3.2/vendor_config.php.rej phpmyadmin-3.3.2/vendor_config.php.rej
--- phpmyadmin-3.3.2/vendor_config.php.rej	1970-01-01 01:00:00.000000000 +0100
+++ phpmyadmin-3.3.2/vendor_config.php.rej	2011-07-26 14:38:12.000000000 +0200
@@ -0,0 +1,38 @@
+--- vendor_config.php
++++ vendor_config.php
+@@ -15,30 +15,30 @@
+  * Path to changelog file, can be gzip compressed. Useful when you want to
+  * have documentation somewhere else, eg. /usr/share/doc.
+  */
+-define('CHANGELOG_FILE', '/usr/share/doc/phpmyadmin/changelog.gz');
++define('CHANGELOG_FILE', './ChangeLog');
+ 
+ /**
+  * Path to license file. Useful when you want to have documentation somewhere
+  * else, eg. /usr/share/doc.
+  */
+-define('LICENSE_FILE', '/usr/share/doc/phpmyadmin/copyright');
++define('LICENSE_FILE', './LICENSE');
+ 
+ /**
+  * Path to config file generated using setup script.
+  */
+-define('SETUP_CONFIG_FILE', '/var/lib/phpmyadmin/config.inc.php');
++define('SETUP_CONFIG_FILE', './config/config.inc.php');
+ 
+ /**
+  * Whether setup requires writable directory where config
+  * file will be generated.
+  */
+-define('SETUP_DIR_WRITABLE', false);
++define('SETUP_DIR_WRITABLE', true);
+ 
+ /**
+  * Whether to skip mtime check on config file and load it on every request.
+  * This has slight performance drawback, but it is the only way to handle
+  * inclusions of other php scripts from config.
+  */
+-define('SKIP_MTIME_CONFIG_CHECK', true);
++define('SKIP_MTIME_CONFIG_CHECK', false);
+ 
+ ?>