The phpMyAdmin team announces the release of phpMyAdmin version 4.8.4.
Among other bug fixes, this contains several important security fixes.
Upgrading is highly recommended for all users.

The security fixes involve:
* Local file inclusion
(https://www.phpmyadmin.net/security/PMASA-2018-6/),
* XSRF/CSRF vulnerabilities allowing a specially-crafted URL to
perform harmful operations
(https://www.phpmyadmin.net/security/PMASA-2018-7/), and
* an XSS vulnerability in the navigation tree
(https://www.phpmyadmin.net/security/PMASA-2018-8/)

In addition to the security fixes, this release also includes these bug
fixes and more as part of our regular release cycle:
* Issue with changing theme
* Ensure that database names with a dot ('.') are handled properly
when DisableIS is true
* Fix for message "Error while copying database (pma__column_info)"
* Move operation causes "SELECT * FROM `undefined`" error
* When logging with $cfg['AuthLog'] to syslog, successful login
messages were not logged when $cfg['AuthLogSuccess'] was true
* Multiple errors and regressions with Designer
And several more. Complete notes are in the ChangeLog file included with
this release.

Note that for this release, we experimented with a pre-release
announcement so that hosting providers and package managers would have
an opportunity to prepare for the security release. If this was helpful
to you or if you have feedback about this technique, please let us know
through the public list developers(a)phpmyadmin.net or privately at
security(a)phpmyadmin.net. We may or may not decide to use this behavior in
the future, and your feedback will help us decide whether it's beneficial
to the community.

As always, downloads are available at https://www.phpmyadmin.net/downloads/

Our monthly meeting is scheduled for tomorrow. I don't see anything on
the agenda, so I propose we postpone it this month. We should discuss
GSoC 2019, but I'm not sure whether tomorrow is the best time.
Isaac

The phpMyAdmin project is announcing an upcoming security release. We
feel this vulnerability is significant enough to make this announcement
in advance. Our intention is to release the download for version 4.8.4
on Tuesday (December 11) at approximately 1400-1500 UTC.
Details about the vulnerabilities will be provided at the time of
release. Users, package managers, and others with questions or concerns
can reach the security team in private at security(a)phpmyadmin.net or by
replying to me directly.
Isaac, for the phpMyAdmin team

Hi,

I'm trying to work on and test the docker container and having some
trouble doing local development off of the repository.
From my phpmyadmin/docker repository:

docker build -t pmadocker .
docker run -name mydocker -d -e PMA_ARBITRARY=1 -p 8080:80 pmadocker

Trying to log in does give the login page, but it doesn't have the
server field. I've also tried with PMA_HOST=192.168.23.1 and it
doesn't work, either. Basically, this doesn't seem to pass environment
variables (PMA_ARBITRARY or PMA_HOST if I instead specify that).
Using the Docker Hub build does work:

docker run --name myadmin -d -p 8081:80 -e PMA_ARBITRARY=1 phpmyadmin/phpmyadmin

Any idea what I'm doing wrong?

Hi developers,

We've talked before about using Slack versus Gitter, and I don't have
a strong feeling about whether one is better than the other. However,
I would like to add one to our list of ways to connect with us.
As a team, we've been long-time users of IRC and there's still good
reason to keep and maintain the #phpmyadmin freenode channel, but we
have to also adapt and recognize that there are new services that also
provide good integration and useful features. Many of our prospective
GSoC students have inquired about Slack/Gitter and have benefited from
using them. I'm ready to revisit this discussion.

At the time[1], we discussed some of the differences between the two platforms.
Gitter is free and basically the only limit is the number of members
in a private room, and I don't anticipate any significant need for a
private room. Gitter does not host files, so any screenshots we'd pass
around would need to be uploaded to some other service. Gitter is very
open and easy to sign in to for those with a GitHub (or GitLab or Twitter)
login, but the downside is that a user must use one of those services
for authentication.

Slack is sort-of-free and size-limited. They say the free tier is for
a team to try Slack, but we'd be committing to using it and I don't
feel it would be honest to use the free tier claiming to be running a
long term demo. I think we could pay for the Standard tier for core
team members and allow everyone else access as a guest, which is
nearly $7 per user per month. I don't particularly feel like $50/month
is a good use of project funds in this case. Slack's free tier is also
limited to 10,000 messages and according to my research, after passing
that limit it becomes uncomfortable to use due to the warnings and a
random order of old messages being hidden. Slack makes it harder to
sign in, as we'd have to invite users (which can be automated through
clicking a link on our site), but does use simple email/password
authentication rather than requiring a third-party account. Slack also
benefits from greater brand awareness and a flashier interface.

By the way, the Slack channel 'phpmyadmin' is currently taken. The
Slack folks were no help with my inquiry about claiming it but I've
written to the people who seem to control it to see if they would hand
it over to us. I haven't heard back yet.

Does anyone strongly favor either Slack or Gitter over the other, and why?

1 - https://lists.phpmyadmin.net/pipermail/developers/2017-March/019926.html

Hello everyone,

It's been 3 months since GSoC ended, and my GSoC project is still
waiting to be merged. I would really like to see my project merged so that
I could continue to improve it.

Regards
Saksham Gupta