The branch, master has been updated
       via  3e5318d5ead79e3b8b2b2766eb35d3c12d234516 (commit)
       via  f3ba4f29b6866e18c70745e29191449ffb8c8caa (commit)
       via  039745a4eefff8e6b0a9b5e7f2267c1015be1357 (commit)
       via  5841f49c6156965f5906109f2bc7d34c475e531a (commit)
       via  0bebbc9d522de74125847550db6df16f906b2216 (commit)
       via  70018cc6d9658a99f405e4eaddfa706291faa00f (commit)
       via  e6e233111a4b3e378dd5473606519e4fb3c67ed9 (commit)
       via  447d7d3f80f9c02bde2d961d06c2ea49d876009f (commit)
       via  77635f8324f780f5ae50942d018c3e2677d3841f (commit)
       via  58df2271126e48b0d142f4dfd2cc7a72fbe3723d (commit)
      from  7f414583ea794a214668c4b4cec8ce374721913d (commit)
- Log -----------------------------------------------------------------
commit 3e5318d5ead79e3b8b2b2766eb35d3c12d234516
Author: Marc Delisle marc@infomarc.info
Date:   Mon Oct 17 05:29:15 2011 -0400

    Cosmetic fix

commit f3ba4f29b6866e18c70745e29191449ffb8c8caa
Author: Marc Delisle marc@infomarc.info
Date:   Mon Oct 17 05:24:31 2011 -0400

    Release date

commit 039745a4eefff8e6b0a9b5e7f2267c1015be1357
Merge: 5841f49 7f41458
Author: Marc Delisle marc@infomarc.info
Date:   Sun Oct 16 17:54:25 2011 -0400

    Merge remote branch 'origin/master' into website-security

commit 5841f49c6156965f5906109f2bc7d34c475e531a
Merge: 0bebbc9 83880d0
Author: Marc Delisle marc@infomarc.info
Date:   Sun Oct 16 17:47:46 2011 -0400

    Merge remote branch 'origin/master' into website-security

commit 0bebbc9d522de74125847550db6df16f906b2216
Author: Marc Delisle marc@infomarc.info
Date:   Sun Oct 16 17:45:18 2011 -0400

    Fix syntax error

commit 70018cc6d9658a99f405e4eaddfa706291faa00f
Author: Marc Delisle marc@infomarc.info
Date:   Sun Oct 16 16:50:02 2011 -0400

    Web ref from the reporter

commit e6e233111a4b3e378dd5473606519e4fb3c67ed9
Author: Dieter Adriaenssens ruleant@users.sourceforge.net
Date:   Sun Oct 16 16:10:39 2011 +0200

    added CVE ID to PMASA-2011-16

commit 447d7d3f80f9c02bde2d961d06c2ea49d876009f
Author: Marc Delisle marc@infomarc.info
Date:   Fri Oct 14 07:31:11 2011 -0400

    PMASA-2011-16

commit 77635f8324f780f5ae50942d018c3e2677d3841f
Author: Dieter Adriaenssens ruleant@users.sourceforge.net
Date:   Mon Oct 3 21:02:53 2011 +0200

    update PMASA-2011-15 with commit hashes + better wording

commit 58df2271126e48b0d142f4dfd2cc7a72fbe3723d
Author: Dieter Adriaenssens ruleant@users.sourceforge.net
Date:   Fri Sep 23 21:49:52 2011 +0200

    PMASA-2011-15 proposal
-----------------------------------------------------------------------
Summary of changes:
 templates/security/{PMASA-2011-1 => PMASA-2011-15} | 34 +++++-------
 templates/security/PMASA-2011-16                    | 53 ++++++++++++++++++++
 2 files changed, 67 insertions(+), 20 deletions(-)
 copy templates/security/{PMASA-2011-1 => PMASA-2011-15} (50%)
 create mode 100644 templates/security/PMASA-2011-16
diff --git a/templates/security/PMASA-2011-1 b/templates/security/PMASA-2011-15 similarity index 50% copy from templates/security/PMASA-2011-1 copy to templates/security/PMASA-2011-15 index 0350dd5..da80227 100644 --- a/templates/security/PMASA-2011-1 +++ b/templates/security/PMASA-2011-15 @@ -1,21 +1,21 @@ <html xmlns:py="http://genshi.edgewall.org/" xmlns:xi="http://www.w3.org/2001/XInclude" py:strip="">
<py:def function="announcement_id"> -PMASA-2011-1 +PMASA-2011-15 </py:def>
<py:def function="announcement_date"> -2011-02-08 +2011-10-17 </py:def>
<py:def function="announcement_summary"> -Path disclosure when some files have been removed. +Path disclosure due to insufficient url parameter validation. </py:def>
<py:def function="announcement_description"> -When the files README, ChangeLog or LICENSE have been removed from their -original place (possibly by the distributor), the scripts used to display -these files can show their full path, leading to possible further attacks. +When the js_frame parameter of phpmyadmin.css.php is defined as an array, +an error message shows the full path of this file, +leading to possible further attacks. </py:def>
<py:def function="announcement_mitigation"> @@ -29,33 +29,27 @@ We consider this vulnerability to be non critical. </py:def>
<py:def function="announcement_affected"> -The 2.11.x and 3.3.x versions are affected. +Versions 3.4.x are affected. </py:def>
<py:def function="announcement_solution"> -Upgrade to phpMyAdmin 3.3.9.1 or newer (2.11.11.2 or newer for the older -family) or apply the related patch listed below. +Upgrade to phpMyAdmin 3.4.6 or newer or apply the related patch listed below. </py:def>
<py:def function="announcement_references"> -Thanks to MustLive from <a href="http://websecurity.com.ua">Websecurity</a> - for reporting this issue. +Thanks to <a href="http://securitate.md/">Mihail Ursu</a> for reporting this issue. </py:def>
-<py:def function="announcement_cve">CVE-2011-0986</py:def> +<py:def function="announcement_cve">CVE-2011-3646</py:def>
-<py:def function="announcement_cwe">661 200</py:def> +<py:def function="announcement_cwe">20 200</py:def>
<py:def function="announcement_commits"> -035d002db1e1201e73e560d7d98591563b506a83 +d35cba980893aa6e6455fd6e6f14f3e3f1204c52 </py:def>
-<py:def function="announcement_commits_3_3"> -4c8c7080a76b837ae55cdc5e010c793b389a671a -</py:def> - -<py:def function="announcement_commits_2_11"> -f0e8849034132e2114f1d77d9d37185bc5b49886 +<py:def function="announcement_commits_3_4"> +e05b37d3c9e5b99e8a779fe55780d92df17b4a55 </py:def>
<xi:include href="_page.tpl" /> diff --git a/templates/security/PMASA-2011-16 b/templates/security/PMASA-2011-16 new file mode 100644 index 0000000..d82b828 --- /dev/null +++ b/templates/security/PMASA-2011-16 @@ -0,0 +1,53 @@ +<html xmlns:py="http://genshi.edgewall.org/" xmlns:xi="http://www.w3.org/2001/XInclude" py:strip=""> + +<py:def function="announcement_id"> +PMASA-2011-16 +</py:def> + +<py:def function="announcement_date"> +2011-10-17 +</py:def> + +<py:def function="announcement_summary"> +XSS in setup. +</py:def> + +<py:def function="announcement_description"> +Crafted values entered in the setup interface can produce XSS; also, if the +config directory exists and is writeable, the XSS payload can be saved +to this directory. +</py:def> + +<py:def function="announcement_mitigation"> +The documentation warns against leaving this directory writeable; also +a warning appears on the home page. Also, this XSS would target only the +users who visit /setup. +</py:def> + +<py:def function="announcement_severity"> +We consider this vulnerability to be non critical. +</py:def> + +<py:def function="announcement_affected"> +Versions 3.4.x are affected. +</py:def> + +<py:def function="announcement_solution"> +Upgrade to phpMyAdmin 3.4.6 or newer or apply the related patch listed below. +</py:def> + +<py:def function="announcement_references"> +Thanks to Jakub GaĆczyk (<a href="http://hauntit.blogspot.com">http://hauntit.blogspot.com</a>) for reporting this issue. +</py:def> + +<py:def function="announcement_cve">CVE-2011-4064</py:def> + +<py:def function="announcement_cwe">661 79</py:def> + +<py:def function="announcement_commits_3_4"> +ca597dc423f3eebcca95ff33b088a03e39109115 +1af420e22367ae72ff4091adb1620e59ddad5ba6 +</py:def> + +<xi:include href="_page.tpl" /> +</html>
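Review bot: in the PMASA-2011-15 copy (similarity index 50%, copied from PMASA-2011-1), the `@@ -29,33 +29,27 @@` hunk leaves `announcement_mitigation` as unchanged context, so the new advisory still carries the mitigation text written for the removed README/ChangeLog/LICENSE case; confirm that text actually applies to a `js_frame` array passed to `phpmyadmin.css.php`, or rewrite it for this issue. In the same hunk the CWE list changes from `661 200` to `20 200`, dropping 661 while the new PMASA-2011-16 file keeps `661 79`; either both advisories should carry the PHP category or neither, so pick one convention for the two files landing in this push.

Review bot: in the new `templates/security/PMASA-2011-16` file, the mitigation sentence "this XSS would target only the users who visit /setup" should be reconciled with the description, which says the payload can be saved to the config directory when it is writeable; once persisted the payload is no longer tied to the setup session, so the text should state explicitly whether it stays confined to the setup pages or not. The reporter's name in `announcement_references`, "Jakub GaĆczyk", looks mis-encoded (an uppercase Ć in the middle of a lowercase surname is a typical UTF-8/Latin-2 mix-up); check the bytes against the reporter's own spelling on the linked blog before the page is published. Also, this file defines only `announcement_commits_3_4` (two hashes), whereas PMASA-2011-15 in the same push defines both `announcement_commits` and `announcement_commits_3_4`; if the two fixes were also applied on master, add the corresponding `announcement_commits` def for consistency with the template's other entries.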
hooks/post-receive