Hi,
It has occurred to me that our current branches have diverged significantly
from QA_4_9 and that our current system of merging any change from QA_4_9
to QA_5_1 then to master doesn't seem ideal to me any longer. This makes
security merges difficult.
This got messy at the point where we decided to continue supporting 4.9 for
urgent fixes and security fixes, because prior to 4.9, security fixes would
generally be assigned a fourth version number (such as 2.11.2.2 or
4.1.14.8). That fourth version number does not conform very well with
semver and we've adapted to releasing a new "patch" release for security
fixes (4.9.7, for instance). Under the older system, a branch MAINT_4_1_14
would be created for the security fixes for 4.1.14.x, because a QA_ branch
would get merged ahead to newer branches but the MAINT branch was not meant
to be merged. Similar changes could be git cherry-picked to future branches
instead.
Here's what I'm proposing:
* Make a break from merging QA_4_9, remove the QA_4_9 branch and replace it
with MAINT_4_9 (not MAINT_4_9_8, which would be the old way). We're really
getting towards the end of wanting to support 4.9 anyway, but this will
allow us to maintain 4.9 without complicated merges to the 5.x branches.
It's easy to see how we got in this situation because at first we were
still sort of supporting 4.9 for bug fixes and slowly switched to security
only, but this is a good time to commit to doing this the right way.
As a reminder, since we're releasing 5.2.0-rc1, QA_5_2 is going to be
created from master, and QA_5_2 will be frozen for new features; it will
become bug fix only. Once 5.2.0 is officially released, QA_5_1 will be
removed. I don't believe this will cause any problems with compatibility
with very old PHP versions as there should be significant overlap.
Regards,
Isaac
Welcome to the release of phpMyAdmin version 4.9.9. This is a release to
fix two issues with the 4.9.8 release. We apologize for the inconvenience.
Fixed since phpMyAdmin 4.9.8:
* Fix a syntax error preventing use with PHP 5
* An error was shown regarding the new "hide_configuration_errors"
directive when a controluser is set
Fixed in phpMyAdmin 4.9.8:
* Fix for a user potentially being able to disable their two factor
authentication (PMASA-2022-1)
* Add a new configuration directive $cfg['URLQueryEncryption'] to allow
encrypting sensitive information in the URL to prevent disclosure.
Thanks to Rich Grimes <https://twitter.com/saltycoder> for suggesting
this improvement
* Add a new configuration directive
$cfg['Servers'][$i]['hide_connection_errors'] to allow hiding the full
error message when a log on attempt fails, which can leak hostnames or
IP addresses of the target database server. Thanks to Dr. Shuzhe Yang,
Manager Security Governance at GLS IT Services for suggesting this
improvement
Note that the 5.1.2 has two known issues, the hide_connection_errors and
an issue with the navigation pane. We are preparing fixes for those and
will release version 5.1.3 separately.
This is a reminder that phpMyAdmin 4.9 is in the long-term support phase
where it will only get important security fixes and critical bug fixes.
Users are suggested to migrate to version 5.1.
Downloads are available now at https://phpmyadmin.net/downloads/
For the phpMyAdmin team,
Isaac
The phpMyAdmin project announces several new releases:
* 4.9.8, which fixes some security flaws
* 5.1.2, which fixes some security flaws and contains many bug fixes
including better PHP 8.0 and 8.1 compatibility
* 5.2.0-rc1, a testing version introducing many new features
## Security fixes (affected versions as noted)
A flaw was identified in how phpMyAdmin processes two factor
authentication; a user could potentially manipulate their account to
bypass two factor authentication in subsequent authentication sessions
(PMASA-2022-1) (affects both 4.9 and 5.1).
A series of weaknesses was identified allowing a malicious user to
submit malicious information to present an XSS or HTML injection attack
in the graphical setup page (PMASA-2022-2) (affects 5.1 only; not 4.9).
In some scenarios, potentially sensitive information such as a the
database name can be part of the URL. This can now be optionally
encrypted. There are two new configuration directives relating to this
improvement: `$cfg['URLQueryEncryption']` and
`$cfg['URLQueryEncryptionSecretKey']`. This encryption can be enabled by
setting URLQueryEncryption to true in your `config.inc.php`. Thanks to
Rich Grimes <https://twitter.com/saltycoder> for suggesting this
improvement (affects both 4.9 and 5.1).
During a failed log on attempt, the error message reveals the target
database server's hostname or IP address. This can reveal some
information about the network infrastructure to an attacker. This
information can now be suppressed through the
`$cfg['Servers'][$i]['hide_connection_errors']` directive. Thanks to Dr.
Shuzhe Yang, Manager Security Governance at GLS IT Services for
suggesting this improvement (affects both 4.9 and 5.1).
## Bug fixes (5.1.2 and 5.2.0-rc1)
* Revert a changed to $cfg['CharTextareaRows'] allow values less than 7
* Fix encoding of enum and set values on edit value
* Fixed possible "Undefined index: clause_is_unique" error
* Fixed some situations where a user is logged out when working with
more than one server
* Fixed a problem with assigning privileges to a user using the
multiselect list when the database name has an underscore
* Enable cookie parameter "SameSite" when the PHP version is 7.3 or newer
* Correctly handle the removal of "innodb_file_format" in MariaDB and MySQL
## New features (5.2.0-rc1)
* Removed support for Microsoft Internet Explorer
* Requires PHP 7.2 or newer
* Requires the openssl PHP extension
* Improved handling of system CA bundle and cacert.pem, falling back to
Mozilla CA if needed
* Replace "master/slave" terms with "primary/replica"
* Add "NOT LIKE %...%" operator to Table search
* Add support for the Mroonga engine
* Add support for account locking
* Several fixes and improvements to the SQL parser library
There are, of course, many more fixes and new features that you can see
in the ChangeLog file included with this release or online at
<https://demo.phpmyadmin.net/master-config/index.php?route=/changelog>
Downloads are available now at <https://phpmyadmin.net/downloads/>
Isaac and the phpMyAdmin team
