The branch, master has been updated
       via  6c3d84a6a81b50cd85860d3486e0b73871bcddb5 (commit)
       via  aff9d71483d83588ca0a10965150a611e33b02cd (commit)
       via  1b00ee3750c28e3867f11f1e7f7ed10c3752789c (commit)
       via  bc1e43bd9eef5c45ddb9fbc4d502de5f279d87fb (commit)
       via  80b307e2ccc22f8b29270bda0cebfb6b4cc0264f (commit)
       via  dfa1b5539ebe2f98fad06779f0f31f6e83f92378 (commit)
       via  24a939592da18b47f7cf13b8ed0f46be2e69f27c (commit)
       via  5e886f236c4958246e9cf5911c5a67bf07c1861a (commit)
       via  532b37f7a0e545553e138c1978d78ee73585253d (commit)
       via  3196fae8c141a487df7231b5b3ab5505efd8d7e7 (commit)
      from  85358c18474ebd4ae2d6d941f3b7e398e8229e99 (commit)
- Log -----------------------------------------------------------------
commit 6c3d84a6a81b50cd85860d3486e0b73871bcddb5
Author: Marc Delisle marc@infomarc.info
Date:   Sat Jul 23 09:25:21 2011 -0400

    Reference to advisories

commit aff9d71483d83588ca0a10965150a611e33b02cd
Merge: 85358c18474ebd4ae2d6d941f3b7e398e8229e99 1b00ee3750c28e3867f11f1e7f7ed10c3752789c
Author: Marc Delisle marc@infomarc.info
Date:   Sat Jul 23 09:18:11 2011 -0400

    PMASA-2011-9 to -12

commit 1b00ee3750c28e3867f11f1e7f7ed10c3752789c
Author: Marc Delisle marc@infomarc.info
Date:   Sat Jul 23 09:13:41 2011 -0400

    - Add release date
    - Remove unknown CVE ids
    - Fix typos

commit bc1e43bd9eef5c45ddb9fbc4d502de5f279d87fb
Author: Herman van Rink rink@initfour.nl
Date:   Fri Jul 22 21:00:32 2011 +0200

    Added 3.3 version number

commit 80b307e2ccc22f8b29270bda0cebfb6b4cc0264f
Author: Herman van Rink rink@initfour.nl
Date:   Fri Jul 22 20:16:32 2011 +0200

    Added commit for 3.3

commit dfa1b5539ebe2f98fad06779f0f31f6e83f92378
Author: Marc Delisle marc@infomarc.info
Date:   Fri Jul 22 08:41:51 2011 -0400

    Better wording

commit 24a939592da18b47f7cf13b8ed0f46be2e69f27c
Author: Marc Delisle marc@infomarc.info
Date:   Tue Jul 12 09:09:52 2011 -0400

    Typo

commit 5e886f236c4958246e9cf5911c5a67bf07c1861a
Author: Herman van Rink rink@initfour.nl
Date:   Tue Jul 12 13:10:36 2011 +0200

    Added commits for 3.3

commit 532b37f7a0e545553e138c1978d78ee73585253d
Author: Herman van Rink rink@initfour.nl
Date:   Tue Jul 12 12:48:11 2011 +0200

    Added draft for PMASA-2011-11 and PMASA-2011-12

commit 3196fae8c141a487df7231b5b3ab5505efd8d7e7
Author: Marc Delisle marc@infomarc.info
Date:   Mon Jul 11 09:42:48 2011 -0400

    CVE ids
-----------------------------------------------------------------------
Summary of changes:
 templates/security/{PMASA-2011-4 => PMASA-2011-10} | 26 +++++++--------
 templates/security/{PMASA-2011-4 => PMASA-2011-11} | 27 +++++++--------
 templates/security/{PMASA-2011-5 => PMASA-2011-12} | 33 +++++++++---------
 templates/security/{PMASA-2011-3 => PMASA-2011-9}  | 35 ++++++++------------
 4 files changed, 54 insertions(+), 67 deletions(-)
 copy templates/security/{PMASA-2011-4 => PMASA-2011-10} (57%)
 copy templates/security/{PMASA-2011-4 => PMASA-2011-11} (55%)
 copy templates/security/{PMASA-2011-5 => PMASA-2011-12} (61%)
 copy templates/security/{PMASA-2011-3 => PMASA-2011-9} (50%)
diff --git a/templates/security/PMASA-2011-4 b/templates/security/PMASA-2011-10 similarity index 57% copy from templates/security/PMASA-2011-4 copy to templates/security/PMASA-2011-10 index d08d096..6be070a 100644 --- a/templates/security/PMASA-2011-4 +++ b/templates/security/PMASA-2011-10 @@ -3,51 +3,49 @@
<py:def function="announcement_id"> -PMASA-2011-4 +PMASA-2011-10 </py:def>
<py:def function="announcement_date"> -2011-05-22 +2011-07-23 </py:def>
<py:def function="announcement_summary"> -URL redirection to untrusted site. +Local file inclusion. </py:def>
<py:def function="announcement_description"> -It was possible to redirect to an arbitrary, untrusted site, leading to -a possible phishing attack. +Via a crafted MIME-type transformation parameter, an attacker can perform a local file inclusion. </py:def>
<py:def function="announcement_severity"> We consider this vulnerability to be serious. </py:def>
-<py:def function="announcement_unaffected"> -Older releases than 3.4.0 are not affected. +<py:def function="announcement_mitigation"> +The phpMyAdmin's configuration storage mechanism must be configured for this attack to work. </py:def>
<py:def function="announcement_affected"> -The 3.4.0 version is affected. +Versions 3.4.0 to 3.4.3.1 are affected. </py:def>
<py:def function="announcement_solution"> -Upgrade to phpMyAdmin 3.4.1 or apply the related patch listed below. +Upgrade to phpMyAdmin 3.4.3.2 or apply the related patch listed below. </py:def>
<!--! Links to reporter etc, do not forget to escape & to & --> <py:def function="announcement_references"> -This issue was found by Kian Mohageri. +This issue was found by Norman Hippert from <a href="http://www.the-wildcat.de/">The-Wildcat.de</a> </py:def>
<!--! CVE ID of the report, this is automatically added to references --> -<py:def function="announcement_cve">CVE-2011-1941</py:def> +<py:def function="announcement_cve">CVE-2011-2643</py:def>
-<py:def function="announcement_cwe">661 601</py:def> +<py:def function="announcement_cwe">661 98</py:def>
<py:def function="announcement_commits"> -b7a8179eb6bf0f1643970ac57a70b5b513a1cd4f -ecfc8ba4f7b4ea612c58ab5726054ed0f28e200d +f63e1bb42a37401b2fdfcd2e66cce92b7ea2025c </py:def>
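Review bot: in the PMASA-2011-10 hunk, the `announcement_unaffected` def is replaced by `announcement_mitigation` instead of being kept alongside it, so if `_page.tpl` renders an "unaffected" section this advisory loses it; the new `announcement_affected` range (3.4.0 to 3.4.3.1) implies that releases older than 3.4.0 are not affected, and a def saying so would preserve that information. The mitigation wording `+The phpMyAdmin's configuration storage mechanism must be configured for this attack to work.` reads awkwardly; `phpMyAdmin's configuration storage must be set up for this attack to work.` is clearer. The new `announcement_references` line also drops the trailing period that the replaced line had.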
<xi:include href="_page.tpl" /> diff --git a/templates/security/PMASA-2011-4 b/templates/security/PMASA-2011-11 similarity index 55% copy from templates/security/PMASA-2011-4 copy to templates/security/PMASA-2011-11 index d08d096..8c1b162 100644 --- a/templates/security/PMASA-2011-4 +++ b/templates/security/PMASA-2011-11 @@ -3,51 +3,48 @@
<py:def function="announcement_id"> -PMASA-2011-4 +PMASA-2011-11 </py:def>
<py:def function="announcement_date"> -2011-05-22 +2011-07-23 </py:def>
<py:def function="announcement_summary"> -URL redirection to untrusted site. +Local file inclusion vulnerability and code execution. </py:def>
<py:def function="announcement_description"> -It was possible to redirect to an arbitrary, untrusted site, leading to -a possible phishing attack. +In the 'relational schema' code a parameter was not sanitized before being used to concatenate a class name. </py:def>
<py:def function="announcement_severity"> -We consider this vulnerability to be serious. +We consider this vulnerability to be critical. </py:def>
-<py:def function="announcement_unaffected"> -Older releases than 3.4.0 are not affected. +<py:def function="announcement_mitigation"> +An attacker must be logged in via phpMyAdmin to exploit this problem. </py:def>
<py:def function="announcement_affected"> -The 3.4.0 version is affected. +Versions 3.4.0 to 3.4.3.1 are affected. </py:def>
<py:def function="announcement_solution"> -Upgrade to phpMyAdmin 3.4.1 or apply the related patch listed below. +Upgrade to phpMyAdmin 3.4.3.2 or apply the related patch listed below. </py:def>
<!--! Links to reporter etc, do not forget to escape & to & --> <py:def function="announcement_references"> -This issue was found by Kian Mohageri. +This issue was found by Norman Hippert from <a href="http://www.the-wildcat.de/">The-Wildcat.de</a> </py:def>
<!--! CVE ID of the report, this is automatically added to references --> -<py:def function="announcement_cve">CVE-2011-1941</py:def>
-<py:def function="announcement_cwe">661 601</py:def> +<py:def function="announcement_cwe">661 98</py:def>
<py:def function="announcement_commits"> -b7a8179eb6bf0f1643970ac57a70b5b513a1cd4f -ecfc8ba4f7b4ea612c58ab5726054ed0f28e200d +3ae58f0cd6b89ad4767920f9b214c38d3f6d4393 </py:def>
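Review bot: in the PMASA-2011-11 hunk, `-<py:def function="announcement_cve">CVE-2011-1941</py:def>` is removed with no replacement while the `<!--! CVE ID of the report ... -->` comment above it stays; if `_page.tpl` calls `announcement_cve()` unconditionally this template will fail to render, so either confirm the include tolerates a missing def or leave an empty `<py:def function="announcement_cve"></py:def>` until the id is assigned. The summary promises "code execution" but the description only says the parameter was used unsanitised to build a class name; stating how that leads to execution would justify the severity being raised to critical. The new `announcement_references` line lacks the trailing period the replaced line had, as in PMASA-2011-10.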
<xi:include href="_page.tpl" /> diff --git a/templates/security/PMASA-2011-5 b/templates/security/PMASA-2011-12 similarity index 61% copy from templates/security/PMASA-2011-5 copy to templates/security/PMASA-2011-12 index 5cea3f8..6c92548 100644 --- a/templates/security/PMASA-2011-5 +++ b/templates/security/PMASA-2011-12 @@ -3,32 +3,31 @@
<py:def function="announcement_id"> -PMASA-2011-5 +PMASA-2011-12 </py:def>
<py:def function="announcement_date"> -2011-07-02 -</py:def> - -<py:def function="announcement_updated"> -2011-07-03 +2011-07-23 </py:def>
<py:def function="announcement_summary"> -Possible session manipulation in Swekey authentication. -</py:def> +Possible session manipulation in swekey authentication. +<p/y:def>
<py:def function="announcement_description"> It was possible to manipulate the PHP session superglobal using some of the Swekey authentication code. -This could open a path for other attacks. +This is very similar to PMASA-2011-5. </py:def>
<py:def function="announcement_severity"> We consider this vulnerability to be critical. </py:def>
+<py:def function="announcement_mitigation"> +</py:def> + <py:def function="announcement_affected"> -The 3.4.3 and earlier versions are affected. +The 3.4.3.1 and earlier versions are affected. </py:def>
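Review bot: in the first PMASA-2011-12 hunk, `+<p/y:def>` after the new `announcement_summary` text is a typo for `</py:def>`; as written the `<py:def>` is never closed and the Genshi template will not parse. The summary changes the spelling to `swekey` while the unchanged description lines keep `Swekey`; pick one. The added `announcement_mitigation` def is empty and will render a blank section if `_page.tpl` prints it; fill it or omit the def.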
<py:def function="announcement_unaffected"> @@ -36,26 +35,26 @@ Branch 2.11.x is not affected by this. </py:def>
<py:def function="announcement_solution"> -Upgrade to phpMyAdmin 3.3.10.2 or 3.4.3.1 or apply the related patch listed below. +Upgrade to phpMyAdmin 3.3.10.3 or 3.4.3.2 or apply the related patch listed below. </py:def>
<!--! Links to reporter etc, do not forget to escape & to & --> <py:def function="announcement_references"> -This issue was found by Frans Pehrson from <a href="http://www.xxor.se">Xxor AB</a>. -<a href="http://www.xxor.se/advisories/phpMyAdmin_3.x_Multiple_Remote_Code_Executions.txt">His advisory.</a> +This issue was found by Frans Pehrson from <a href="http://www.xxor.se">Xxor AB</a>.<a href="http://www.xxor.se/advisories/phpMyAdmin_3.x_Conditional_Session_Manipulation.txt">His first advisory.</a><a href="http://www.xxor.se/advisories/phpMyAdmin_3.x_Authenticated_Local_File_Inclusion.txt">His second advisory.</a> </py:def>
<!--! CVE ID of the report, this is automatically added to references --> -<py:def function="announcement_cve">CVE-2011-2505</py:def>
-<py:def function="announcement_cwe">473 661</py:def> +<py:def function="announcement_cwe">661 473</py:def>
<py:def function="announcement_commits"> -7ebd958b2bf59f96fecd5b3322bdbd0b244a7967 +e7bb42c002885c2aca7aba4d431b8c63ae4de9b7 +571cdc6ff4bf375871b594f4e06f8ad3159d1754 </py:def>
<py:def function="announcement_commits_3_3"> -6e6e129f26295c83d67b74e202628a4b8bc49e54 +f6f6ee3f1171addb166fa18e75a0b56599bf374c +630b8260be45eb9b211f5d7628dbb9e5c1b05bc6 </py:def>
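Review bot: in the second PMASA-2011-12 hunk, the three anchors in `announcement_references` are concatenated with no whitespace between `</a>.` and the following `<a href=`, so the reporter name and both advisory titles render run together; put a space or line break between them as the replaced lines did. The second link points at `phpMyAdmin_3.x_Authenticated_Local_File_Inclusion.txt` while this advisory's summary is session manipulation, so confirm it belongs here rather than with one of the LFI advisories. `announcement_cve` is again removed without replacement; check that `_page.tpl` handles the missing def.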
<xi:include href="_page.tpl" /> diff --git a/templates/security/PMASA-2011-3 b/templates/security/PMASA-2011-9 similarity index 50% copy from templates/security/PMASA-2011-3 copy to templates/security/PMASA-2011-9 index 9219e26..00db8c3 100644 --- a/templates/security/PMASA-2011-3 +++ b/templates/security/PMASA-2011-9 @@ -3,61 +3,54 @@
<py:def function="announcement_id"> -PMASA-2011-3 +PMASA-2011-9 </py:def>
<py:def function="announcement_date"> -2011-05-22 +2011-07-23 </py:def>
<py:def function="announcement_summary"> -XSS vulnerability on Tracking page. +XSS in table Print view. </py:def>
<py:def function="announcement_description"> -It was possible to create a crafted table name that leads to XSS. +The attacker must trick the victim into clicking a link that reaches phpMyAdmin's table print view script; one of the link's parameters is a crafted table name (the name containing Javascript code). </py:def>
<py:def function="announcement_severity"> -We consider this vulnerability to be serious. +We consider this vulnerability to be minor. </py:def>
<py:def function="announcement_mitigation"> -This vulnerability works in the context of a shared phpMyAdmin installation. -The attacker needs to convince a victim to go to the Tracking page that -relates to the crafted table. +The crafted table name must exist (the attacker must have access to create a table on the victim's server). </py:def>
<py:def function="announcement_affected"> -The 3.3.x and 3.4.0 versions are affected. -</py:def> - -<py:def function="announcement_unaffected"> -Older releases than 3.3.0 are not affected. +The 3.4.3.1 and earlier versions are affected. </py:def>
<py:def function="announcement_solution"> -Upgrade to phpMyAdmin 3.3.10.1 or 3.4.1 or apply the related patch listed below. +Upgrade to phpMyAdmin 3.3.10.3 or 3.4.3.2 or apply the related patch listed below. </py:def>
<!--! Links to reporter etc, do not forget to escape & to & --> <py:def function="announcement_references"> -This issue was found by a person who wishes to be known as "dave b". +This issue was found by Norman Hippert from <a href="http://www.the-wildcat.de/">The-Wildcat.de</a> </py:def>
<!--! CVE ID of the report, this is automatically added to references --> -<py:def function="announcement_cve">CVE-2011-1940</py:def> +<py:def function="announcement_cve">CVE-2011-2642</py:def>
<py:def function="announcement_cwe">661 79</py:def>
<py:def function="announcement_commits"> -7e10c132a3887c8ebfd7a8eee356b28375f1e287 -d3ccf798fdbd4f8a89d4088130637d8dee918492 +a0823be05aa5835f207c0838b9cca67d2d9a050a +4bd27166c314faa37cada91533b86377f4d4d214 </py:def>
-<py:def function="announcement_commits_3_3_10"> -1300510d3686b40adefafb7f1778a6f06d0a553a -452669a1746898a08129d3a555ac4b1ec084b423 +<py:def function="announcement_commits_3_3"> +8ac8328229ae7493d6060b6272578d85879c698d </py:def>
<xi:include href="_page.tpl" />
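Review bot: in the PMASA-2011-9 hunk, `Javascript` in the new `announcement_description` should be `JavaScript`, and the new `announcement_references` line drops the trailing period the replaced line had. Removing `announcement_unaffected` is consistent here, since the new `+The 3.4.3.1 and earlier versions are affected.` covers the 3.3.x branch as well, which matches the 3.3.10.3 fix in `announcement_solution` and the rename from `announcement_commits_3_3_10` to `announcement_commits_3_3` used by PMASA-2011-12.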
hooks/post-receive