Debian Bug report logs - #335513
CVE-2005-3301: Cross-Site Scripting vulnerability.

Package: phpmyadmin; Maintainer for phpmyadmin is Thijs Kinkhorst <thijs@debian.org>; Source for phpmyadmin is src:phpmyadmin.

Reported by: 4:2.6.2-3

Date: Mon, 24 Oct 2005 15:18:19 UTC

Severity: important

Tags: fixed, sarge, security

Found in versions phpmyadmin/4:2.6.4-pl2-1, phpmyadmin/4:2.6.2-3

Fixed in versions phpmyadmin/4:2.6.4-pl3-1, 4:2.6.2-3sarge1

Done: Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Piotr Roszatycki <dexter@debian.org>:
Bug#335513; Package phpmyadmin.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
New Bug report received and forwarded. Copy sent to Piotr Roszatycki <dexter@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Florian Weimer <fw@deneb.enyo.de>
To: submit@bugs.debian.org
Subject: CVE-2005-3301: XSS in left.php, queryframe.php, server_databases.php
Date: Mon, 24 Oct 2005 14:15:33 +0200
Package: phpmyadmin
Version: 4:2.6.4-pl2-1
Severity: important
Tags: security

See upstream's announcement PMASA-2005-5:
<http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-5>

This set of issues is being tracked as CVE-2005-3301.  Please mention
this name in the changelog when uploading a fixed package.



Reply sent to Piotr Roszatycki <dexter@debian.org>:
You have taken responsibility.

Notification sent to Florian Weimer <fw@deneb.enyo.de>:
Bug acknowledged by developer.

Message #10 received at 335513-close@bugs.debian.org:

From: Piotr Roszatycki <dexter@debian.org>
To: 335513-close@bugs.debian.org
Subject: Bug#335513: fixed in phpmyadmin 4:2.6.4-pl3-1
Date: Mon, 24 Oct 2005 13:32:59 -0700
Source: phpmyadmin
Source-Version: 4:2.6.4-pl3-1

We believe that the bug you reported is fixed in the latest version of
phpmyadmin, which is due to be installed in the Debian FTP archive:

phpmyadmin_2.6.4-pl3-1.diff.gz
  to pool/main/p/phpmyadmin/phpmyadmin_2.6.4-pl3-1.diff.gz
phpmyadmin_2.6.4-pl3-1.dsc
  to pool/main/p/phpmyadmin/phpmyadmin_2.6.4-pl3-1.dsc
phpmyadmin_2.6.4-pl3-1_all.deb
  to pool/main/p/phpmyadmin/phpmyadmin_2.6.4-pl3-1_all.deb
phpmyadmin_2.6.4-pl3.orig.tar.gz
  to pool/main/p/phpmyadmin/phpmyadmin_2.6.4-pl3.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 335513@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Piotr Roszatycki <dexter@debian.org> (supplier of updated phpmyadmin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Mon, 24 Oct 2005 20:14:08 +0200
Source: phpmyadmin
Binary: phpmyadmin
Architecture: source all
Version: 4:2.6.4-pl3-1
Distribution: unstable
Urgency: high
Maintainer: Piotr Roszatycki <dexter@debian.org>
Changed-By: Piotr Roszatycki <dexter@debian.org>
Description: 
 phpmyadmin - set of PHP-scripts to administrate MySQL over the WWW
Closes: 335306 335513
Changes: 
 phpmyadmin (4:2.6.4-pl3-1) unstable; urgency=high
 .
   * New upstream release.
   * Security fix: (1) Local file inclusion vulnerability and (2) Cross-Site
     Scripting vulnerability.
     See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3300
     See http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3301
     Closes: #335306, #335513.
   * Assigned CVE number for 4:2.6.4-pl2-1 bug fix.
Files: 
 b76157341450a63bbcbbbfa833f0e970 646 web extra phpmyadmin_2.6.4-pl3-1.dsc
 69cc488cb259a5b6f2bd83c95d1b94d2 2777834 web extra phpmyadmin_2.6.4-pl3.orig.tar.gz
 9fcb9225e9ee4a0fe67960deef9366dd 30725 web extra phpmyadmin_2.6.4-pl3-1.diff.gz
 3a0d95dba07006c4f6d89b0365bd6367 2923084 web extra phpmyadmin_2.6.4-pl3-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDXSrfhMHHe8CxClsRAudZAJ472YLaoGzJ9sT5pd787J4wutUfWQCg0SbX
jjJYiOWdfPwgoRzFV9hDOo0=
=m/Yg
-----END PGP SIGNATURE-----




Bug reopened, originator not changed. Request was from Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl> to control@bugs.debian.org.

Bug marked as found in version 4:2.6.2-3. Request was from Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl> to control@bugs.debian.org.

Tags added: sarge. Request was from Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl> to control@bugs.debian.org.

Bug marked as fixed in version 4:2.6.4-pl3-1, send any further explanations to Florian Weimer <fw@deneb.enyo.de>. Request was from Filipus Klutiero <ido@vif.com> to control@bugs.debian.org.

Bug reopened, originator set to 4:2.6.2-3. Request was from Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl> to control@bugs.debian.org.

Changed Bug title. Request was from Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl> to control@bugs.debian.org.

Bug marked as fixed in version 4:2.6.4-pl3-1, send any further explanations to 4:2.6.2-3. Request was from Piotr Roszatycki <Piotr_Roszatycki@netia.net.pl> to control@bugs.debian.org.

Tags added: fixed. Request was from Noah Meyerhans <noahm@debian.org> to control@bugs.debian.org.

Tags added: fixed. Request was from Noah Meyerhans <noahm@debian.org> to control@bugs.debian.org.

Bug marked as fixed in version 4:2.6.2-3sarge1, send any further explanations to 4:2.6.2-3. Request was from Thijs Kinkhorst <thijs@debian.org> to control@bugs.debian.org.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 Jun 2007 15:40:59 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 06:36:08 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.