20 Nov
2005
20 Nov
'05
2:15 p.m.
Hi all
another point on security: some of issues that has been fixed in
"normal" release do not have security announcement, this should be also
fixed.
--
Michal Čihař | http://cihar.com
2:56 p.m.
New subject: [Phpmyadmin-devel] Re: Security announcements
Hi
On Mon 21. 11. 2005 01:35, Marc Delisle wrote:
could you tell me which issues?
I don't know exactly, I can ask for details tomorrow. However it was
some XSS fixed by you (and commented so in CVS).
He was talking probably about this one:
Revision 2.26 - (view) (download) (annotate) - [select for diffs]
Thu Jul 21 11:53:33 2005 UTC (4 months ago) by lem9
Branch: MAIN
Branch point for: QA_2_6_4
Changes since 2.25: +2 -2 lines
Diff to previous 2.25
bug #1240880, XSS on the cookie-based login panel
It went to 2.6.4, but does not have security announcement.
--
Michal Čihař | http://cihar.com
22 Nov
22 Nov
2:54 p.m.
New subject: [Phpmyadmin-devel] Re: Security announcements
Michal Čihař a écrit :
Hi
On Mon 21. 11. 2005 01:35, Marc Delisle wrote:
Thanks, I'll write one.
Marc
could you tell me which issues?
I don't know exactly, I can ask for details tomorrow. However it was
some XSS fixed by you (and commented so in CVS).
He was talking probably about this one:
Revision 2.26 - (view) (download) (annotate) - [select for diffs]
Thu Jul 21 11:53:33 2005 UTC (4 months ago) by lem9
Branch: MAIN
Branch point for: QA_2_6_4
Changes since 2.25: +2 -2 lines
Diff to previous 2.25
bug #1240880, XSS on the cookie-based login panel
It went to 2.6.4, but does not have security announcement.
23 Nov
23 Nov
12:43 a.m.
New subject: [Phpmyadmin-devel] Re: Security announcements
Hi
On Wed 23. 11. 2005 01:53, Marc Delisle wrote:
Thanks, I'll write one.
You mean for current one or for the old one? :-)
--
Michal Čihař | http://cihar.com
11:53 a.m.
New subject: [Phpmyadmin-devel] Re: Security announcements
Marc Delisle a écrit :
Michal Čihař a écrit :
I counted 2 others, so I issued an alert for those 3 problems.
Regarding the new one you just fixed, was it present in 2.6.4?
Marc
Hi
On Mon 21. 11. 2005 01:35, Marc Delisle wrote:
Thanks, I'll write one.
Marc could you tell me which issues?
I don't know exactly, I can ask for details tomorrow. However it was
some XSS fixed by you (and commented so in CVS).
He was talking probably about this one:
Revision 2.26 - (view) (download) (annotate) - [select for diffs]
Thu Jul 21 11:53:33 2005 UTC (4 months ago) by lem9
Branch: MAIN
Branch point for: QA_2_6_4
Changes since 2.25: +2 -2 lines
Diff to previous 2.25
bug #1240880, XSS on the cookie-based login panel
It went to 2.6.4, but does not have security announcement.
12:18 p.m.
New subject: [Phpmyadmin-devel] Re: Security announcements
On Wed 23. 11. 2005 22:51, Marc Delisle wrote:
I counted 2 others, so I issued an alert for those 3
problems.
We should also handle in same announcement the new one I sent recently.
It looks to me like it is still not fixed...
Regarding the new one you just fixed, was it present
in 2.6.4?
You mean the HTTP_HOST issue? Yes it is, related code is commented to be
from 2001/25/11...
--
Michal Čihař | http://cihar.com
9:20 p.m.
New subject: [Phpmyadmin-devel] Re: Security announcements
Michal Čihař a écrit :
Instead of a backport to QA_2_6_4, I suggest to wait for 2.7.0's release for an
announcement.
Marc
On Wed 23. 11. 2005 22:51, Marc Delisle wrote:
The one from debian? I think you fixed it with
* libraries/.htaccess: Deny access to libraries folder over HTTP.
But I would put it in a new announcement, along with the one concerning
HTTP_HOST, since they are both fixed in 2.7.0.
I counted 2 others, so I issued an alert for those
3 problems.
We should also handle in same announcement the new one I sent recently.
It looks to me like it is still not fixed... Regarding the new one you just fixed, was it
present in 2.6.4?
You mean the HTTP_HOST issue? Yes it is, related code is commented to be
from 2001/25/11...
10:11 p.m.
New subject: [Phpmyadmin-devel] Re: Security announcements
Hi
On Thu 24. 11. 2005 08:19, Marc Delisle wrote:
Michal Čihař a écrit :
This doesn't allow us to ignore holes in libraries and will be in 2.7.1,
so 2.7.0 is still affected. I'll include that patch.
On Wed 23. 11. 2005 22:51, Marc Delisle wrote:
The one from debian? I think you fixed it with
* libraries/.htaccess: Deny access to libraries folder over HTTP. I counted 2 others, so I issued an alert for those
3 problems.
We should also handle in same announcement the new one I sent
recently. It looks to me like it is still not fixed... But I would put it in a new announcement, along with
the one
concerning HTTP_HOST, since they are both fixed in 2.7.0.
Instead of a backport to QA_2_6_4, I suggest to wait for 2.7.0's
release for an announcement.
Okay for me.
--
Michal Čihař | http://cihar.com
Regarding
the new one you just fixed, was it present in 2.6.4?
You mean the HTTP_HOST issue? Yes it is, related code is commented
to be from 2001/25/11...
21 Nov
21 Nov
2:45 a.m.
New subject: [Phpmyadmin-devel] Re: Security announcements
On Mon 21. 11. 2005 01:14, Michal Čihař wrote:
another point on security: some of issues that has
been fixed in
"normal" release do not have security announcement, this should be
also fixed.
Eh, I just found one :-). XSS in index.php on HTTP_HOST...
--
Michal Čihař | http://cihar.com
6862
days inactive
6866
days old
10 comments
2 participants
participants (2)
-
Marc Delisle -
Michal Čihař