Debian Bug report logs - #328501
CAN-2005-2869: Two XSS vulnerabilities


Package: phpmyadmin; Maintainer for phpmyadmin is Thijs Kinkhorst <thijs@debian.org>; Source for phpmyadmin is src:phpmyadmin.

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Fri, 9 Sep 2005 11:03:01 UTC

Severity: important

Tags: fixed, patch, sarge, security

Found in version phpmyadmin/4:2.6.2-3

Fixed in versions phpmyadmin/4:2.6.4-pl1-1, 4:2.6.2-3sarge1

Done: Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, security@debian.org, Piotr Roszatycki <dexter@debian.org>:
Bug#327345; Package phpmyadmin. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to security@debian.org, Piotr Roszatycki <dexter@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CAN-2005-2869: Two XSS vulnerabilities
Date: Fri, 09 Sep 2005 12:49:10 +0200
Package: phpmyadmin
Version: 4:2.6.2-3
Severity: important
Tags: security

Two Cross-Site-Scripting vulnerabilities have been found in phpmyadmin.
Please see http://secunia.com/advisories/16605 for more information.

Cheers,
         Moritz

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.29-vs1.2.10
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages phpmyadmin depends on:
ii  apache2-mpm-prefork [httpd]  2.0.54-5    traditional model for Apache2
ii  debconf                      1.4.30.13   Debian configuration management sy
ii  php4-cgi                     4:4.3.10-16 server-side, HTML-embedded scripti
ii  php4-mysql                   4:4.3.10-16 MySQL module for php4
pn  wwwconfig-common                         Not found.



Tags added: pending. Request was from Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl> to control@bugs.debian.org. Full text and rfc822 format available.

Bug 327345 cloned as bug 328501. Request was from Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl> to control@bugs.debian.org. Full text and rfc822 format available.

Tags removed: pending. Request was from Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: security, sarge. Request was from Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Piotr Roszatycki <dexter@debian.org>:
Bug#328501; Package phpmyadmin. Full text and rfc822 format available.

Acknowledgement sent to Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl>:
Extra info received and forwarded to list. Copy sent to Piotr Roszatycki <dexter@debian.org>. Full text and rfc822 format available.

Message #18 received at 328501@bugs.debian.org (full text, mbox):

From: Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl>
To: team@security.debian.org, 328501@bugs.debian.org
Subject: phpmyadmin: CAN-2005-2869
Date: Fri, 16 Sep 2005 15:55:36 +0200
[Message part 1 (text/plain, inline)]
Several Cross-Site-Scripting vulnerabilities have been found in phpmyadmin.
The CAN-2005-2869 advisory reports two of them. I've found four more
vulnerabilities reported and fixed directly in phpMyAdmin's CVS.

I've attached the patch for the phpmyadmin package from the sarge release with
backported patches. The additional modification is that the Debian package
release number is included in the upstream version number, so it is clearly
marked that this is modified source.

-- 
 .''`.    Piotr Roszatycki, Netia SA
: :' :    mailto:Piotr_Roszatycki@netia.net.pl
`. `'     mailto:dexter@debian.org
  `-
[phpmyadmin_2.6.2-3sarge1.diff (text/x-diff, attachment)]

Tags added: patch. Request was from Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Piotr Roszatycki <dexter@debian.org>:
Bug#328501; Package phpmyadmin. Full text and rfc822 format available.

Acknowledgement sent to Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl>:
Extra info received and forwarded to list. Copy sent to Piotr Roszatycki <dexter@debian.org>. Full text and rfc822 format available.

Message #25 received at 328501@bugs.debian.org (full text, mbox):

From: Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl>
To: micah <micah@riseup.net>
Cc: 328501@bugs.debian.org
Subject: Re: Bug#328501: phpmyadmin: CAN-2005-2869
Date: Thu, 22 Sep 2005 16:39:06 +0200
On Thursday 22 of September 2005 16:29, micah wrote:
> Piotr,
>
> I notice that you fixed some of these issues in your most recent
> unstable upload, but the others which you identify below were not
> included... at least its not obvious from the unstable changelog, I
> assume that its the "four more vulnerabilities reported and fixed
> directly in phpMyAdmin's CVS"?

They are all fixed in 2.6.4 release. Try to grep on XSS for ChangeLog 
available at
http://cvs.sourceforge.net/viewcvs.py/phpmyadmin/phpMyAdmin/ChangeLog?rev=2.1272&view=auto

I didn't describe them in the changelog for the unstable release, because the upstream
did not describe them either.

The sarge backported package is described verbosely, because the fixes are
provided carefully in separate patches.

-- 
 .''`.    Piotr Roszatycki, Netia SA
: :' :    mailto:Piotr_Roszatycki@netia.net.pl
`. `'     mailto:dexter@debian.org
  `-



Information forwarded to debian-bugs-dist@lists.debian.org, Piotr Roszatycki <dexter@debian.org>:
Bug#328501; Package phpmyadmin. Full text and rfc822 format available.

Acknowledgement sent to micah <micah@riseup.net>:
Extra info received and forwarded to list. Copy sent to Piotr Roszatycki <dexter@debian.org>. Full text and rfc822 format available.

Message #30 received at 328501@bugs.debian.org (full text, mbox):

From: micah <micah@riseup.net>
To: Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl>
Cc: 328501@bugs.debian.org
Subject: Re: Bug#328501: phpmyadmin: CAN-2005-2869
Date: Fri, 23 Sep 2005 01:29:42 +0200
Piotr Roszatycki wrote:
> On Thursday 22 of September 2005 16:29, micah wrote:
> 
>>Piotr,
>>
>>I notice that you fixed some of these issues in your most recent
>>unstable upload, but the others which you identify below were not
>>included... at least its not obvious from the unstable changelog, I
>>assume that its the "four more vulnerabilities reported and fixed
>>directly in phpMyAdmin's CVS"?
> 
> 
> They are all fixed in 2.6.4 release. Try to grep on XSS for ChangeLog 
> available at
> http://cvs.sourceforge.net/viewcvs.py/phpmyadmin/phpMyAdmin/ChangeLog?rev=2.1272&view=auto
> 
> I didn't describe them in the changelog for the unstable release, because the upstream 
> did not describe them either.
> 
> The sarge backported package is described verbosely, because the fixes are 
> provided carefully in separate patches.
> 

It would be nice to note these in unstable (especially CAN numbers) in 
the future, as those of us doing testing-security track these sorts of 
things and will continue to ping you asking you about this sort of thing 
because it is not obvious in the changelog.

micah



Information forwarded to debian-bugs-dist@lists.debian.org, Piotr Roszatycki <dexter@debian.org>:
Bug#328501; Package phpmyadmin. Full text and rfc822 format available.

Acknowledgement sent to Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl>:
Extra info received and forwarded to list. Copy sent to Piotr Roszatycki <dexter@debian.org>. Full text and rfc822 format available.

Message #35 received at 328501@bugs.debian.org (full text, mbox):

From: Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl>
To: micah <micah@riseup.net>, 328501@bugs.debian.org
Subject: Re: Bug#328501: phpmyadmin: CAN-2005-2869
Date: Fri, 23 Sep 2005 09:47:56 +0200
On Friday 23 of September 2005 01:29, micah wrote:
> > They are all fixed in 2.6.4 release. Try to grep on XSS for ChangeLog
> > available at
> > http://cvs.sourceforge.net/viewcvs.py/phpmyadmin/phpMyAdmin/ChangeLog?rev
> >=2.1272&view=auto
> >
> > I didn't describe them in the changelog for the unstable release, because the
> > upstream did not describe them either.
> >
> > The sarge backported package is described verbosely, because the fixes
> > are provided carefully in separate patches.
>
> It would be nice to note these in unstable (especially CAN numbers) in
> the future, as those of us doing testing-security track these sorts of
> things and will continue to ping you asking you about this sort of thing
> because it is not obvious in the changelog.

The XSS problems resolved in the 2.6.4 release don't have CAN numbers. The only
problem that can be found in the MITRE database is listed already in the unstable
package.

-- 
 .''`.    Piotr Roszatycki, Netia SA
: :' :    mailto:Piotr_Roszatycki@netia.net.pl
`. `'     mailto:dexter@debian.org
  `-



Bug marked as fixed in version 4:2.6.4-pl1-1, send any further explanations to Moritz Muehlenhoff <jmm@inutil.org>. Request was from Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: fixed. Request was from Noah Meyerhans <noahm@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug marked as fixed in version 4:2.6.2-3sarge1, send any further explanations to Moritz Muehlenhoff <jmm@inutil.org>. Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 08:17:39 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 17 22:28:16 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.