The branch, master has been updated
via bf754acd5c4bd16f0bb3a4a11e108c2c172583b0 (commit)
via d36188f3ea49e446dc015e7b8266929434cc218a (commit)
from 385f0b3a7532f8b384d5990cc0642a20910b61ce (commit)
- Log -----------------------------------------------------------------
commit bf754acd5c4bd16f0bb3a4a11e108c2c172583b0
Merge: 385f0b3 d36188f
Author: Marc Delisle <marc(a)infomarc.info>
Date: Wed Sep 14 08:04:04 2011 -0400
Merge branch 'website-security'
commit d36188f3ea49e446dc015e7b8266929434cc218a
Author: Marc Delisle <marc(a)infomarc.info>
Date: Mon Sep 12 13:01:06 2011 -0400
PMASA-2011-14 proposal
-----------------------------------------------------------------------
Summary of changes:
.../security/{PMASA-2011-11 => PMASA-2011-14} | 20 ++++++++++----------
1 files changed, 10 insertions(+), 10 deletions(-)
copy templates/security/{PMASA-2011-11 => PMASA-2011-14} (57%)
diff --git a/templates/security/PMASA-2011-11 b/templates/security/PMASA-2011-14
similarity index 57%
copy from templates/security/PMASA-2011-11
copy to templates/security/PMASA-2011-14
index f6f98fd..570a21d 100644
--- a/templates/security/PMASA-2011-11
+++ b/templates/security/PMASA-2011-14
@@ -3,23 +3,23 @@
<py:def function="announcement_id">
-PMASA-2011-11
+PMASA-2011-14
</py:def>
<py:def function="announcement_date">
-2011-07-23
+2011-09-14
</py:def>
<py:def function="announcement_summary">
-Local file inclusion vulnerability and code execution.
+Multiple XSS.
</py:def>
<py:def function="announcement_description">
-In the 'relational schema' code a parameter was not sanitized before being used
to concatenate a class name.
+Firstly, if a row contains javascript code, after inline editing this row and saving, the
code is executed. Secondly, missing sanitization on the db, table and column names leads
to XSS vulnerabilities.
</py:def>
<py:def function="announcement_severity">
-We consider this vulnerability to be critical.
+We consider these vulnerabilities to be serious.
</py:def>
<py:def function="announcement_mitigation">
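Review bot: The announcement_description replacement looks incomplete: only "In the 'relational schema' code a parameter was not sanitized before being used" carries a `-` prefix, while the continuation "to concatenate a class name." shows as unchanged context, so if that line really survives, the published advisory will open with a stray fragment ahead of "Firstly, ...". Please confirm both lines of the old description are removed. Separately, the first issue is described only as "the code is executed"; naming it as stored XSS (row content written back into the page unescaped after inline edit and save) would tell readers which bug class they are assessing and would match the "Multiple XSS." summary.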
@@ -27,25 +27,25 @@ An attacker must be logged in via phpMyAdmin to exploit this problem.
</py:def>
<py:def function="announcement_affected">
-Versions 3.4.0 to 3.4.3.1 are affected.
+Versions 3.4.0 to 3.4.4 were found vulnerable.
</py:def>
<py:def function="announcement_solution">
-Upgrade to phpMyAdmin 3.4.3.2 or apply the related patch listed below.
+Upgrade to phpMyAdmin 3.4.5 or apply the related patches listed below.
</py:def>
<!--! Links to reporter etc, do not forget to escape & to & -->
<py:def function="announcement_references">
-This issue was found by Norman Hippert from <a
href="http://www.the-wildcat.de/">The-Wildcat.de</a>
+The first issue was found by Brad Bernard (<a
href="http://iunfollow.com">iunfollow.com</a>). The second issue was
found by Nils Juenemann (<a
href="https://twitter.com/#!/totally_unknown">https://twitter.…y_unknown</a>.)
</py:def>
<!--! CVE ID of the report, this is automatically added to references -->
-<py:def function="announcement_cve">CVE-2011-2718</py:def>
<py:def function="announcement_cwe">661 98</py:def>
<py:def function="announcement_commits">
-3ae58f0cd6b89ad4767920f9b214c38d3f6d4393
+bda213c58aec44925be661acb0e76c19483ea170
+2f28ce9c800274190418da0945ce3647d36e1db6
</py:def>
<xi:include href="_page.tpl" />
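Review bot: Two fields inherited from the copied PMASA-2011-11 template do not fit this advisory. The announcement_cve line is deleted with no replacement, and the comment above it notes that the CVE is what feeds the references section, so a CVE placeholder should be added or the omission made explicit before publication. The announcement_cwe line still reads "661 98", the PHP file-inclusion classification of the original LFI advisory, whereas both issues described here are cross-site scripting, which is CWE-79. Minor: "were found vulnerable" departs from the template's "are affected" wording in announcement_affected, and the Nils Juenemann reference ends with ".)" and shows truncated link text ("https://twitter.…y_unknown") that should be the full URL given in the href.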
hooks/post-receive
--
phpMyAdmin website