The branch, master has been updated
       via  5b7fa0538813d55eb5ff980a6461e1ef23f0c52d (commit)
       via  016be749df737089e59e3c8152d491d50e34c559 (commit)
       via  0d8171b33aefc983404036b39dbea74919325ddd (commit)
      from  0f8b2603b5a9b1d6765804deee11d056e549404b (commit)
- Log -----------------------------------------------------------------
commit 5b7fa0538813d55eb5ff980a6461e1ef23f0c52d
Author: Marc Delisle marc@infomarc.info
Date: Wed Dec 21 15:38:00 2011 -0500
Announcement date
commit 016be749df737089e59e3c8152d491d50e34c559
Author: Marc Delisle marc@infomarc.info
Date: Mon Dec 19 12:42:44 2011 -0500
PMASA-2011-19
commit 0d8171b33aefc983404036b39dbea74919325ddd
Author: Dieter Adriaenssens ruleant@users.sourceforge.net
Date: Mon Dec 19 16:59:42 2011 +0100
PMASA-2011-20
-----------------------------------------------------------------------
Summary of changes:
 .../security/{PMASA-2011-16 => PMASA-2011-19} | 13 ++---
 templates/security/PMASA-2011-20 | 50 ++++++++++++++++++++
 2 files changed, 56 insertions(+), 7 deletions(-)
 copy templates/security/{PMASA-2011-16 => PMASA-2011-19} (76%)
 create mode 100644 templates/security/PMASA-2011-20
diff --git a/templates/security/PMASA-2011-16 b/templates/security/PMASA-2011-19 similarity index 76% copy from templates/security/PMASA-2011-16 copy to templates/security/PMASA-2011-19 index ae8b644..c474d90 100644 --- a/templates/security/PMASA-2011-16 +++ b/templates/security/PMASA-2011-19 @@ -1,11 +1,11 @@ <html xmlns:py="http://genshi.edgewall.org/" xmlns:xi="http://www.w3.org/2001/XInclude" py:strip="">
<py:def function="announcement_id"> -PMASA-2011-16 +PMASA-2011-19 </py:def>
<py:def function="announcement_date"> -2011-10-17 +2011-12-21 </py:def>
<py:def function="announcement_summary"> @@ -33,20 +33,19 @@ Versions 3.4.x are affected. </py:def>
<py:def function="announcement_solution"> -Upgrade to phpMyAdmin 3.4.6 or newer or apply the related patch listed below. +Upgrade to phpMyAdmin 3.4.9 or newer or apply the related patch listed below. </py:def>
<py:def function="announcement_references"> -Thanks to Jakub GaĆczyk (<a href="http://hauntit.blogspot.com">http://hauntit.blogspot.com</a>) for reporting this issue. +Thanks to Jason Leyrer of Trustwave SpiderLabs for finding this issue and to Robert Foggia (same company) for contacting us. </py:def>
-<py:def function="announcement_cve">CVE-2011-4064</py:def> +<py:def function="announcement_cve">CVE-2011-4782</py:def>
<py:def function="announcement_cwe">661 79</py:def>
<py:def function="announcement_commits"> -ca597dc423f3eebcca95ff33b088a03e39109115 -1af420e22367ae72ff4091adb1620e59ddad5ba6 +0e707906e69ce90c4852a0fce2a0fac7db86a3cd </py:def>
<xi:include href="_page.tpl" /> diff --git a/templates/security/PMASA-2011-20 b/templates/security/PMASA-2011-20 new file mode 100644 index 0000000..2f51623 --- /dev/null +++ b/templates/security/PMASA-2011-20 @@ -0,0 +1,50 @@ +<html xmlns:py="http://genshi.edgewall.org/" xmlns:xi="http://www.w3.org/2001/XInclude" py:strip=""> + +<py:def function="announcement_id"> +PMASA-2011-20 +</py:def> + +<py:def function="announcement_date"> +2011-12-21 +</py:def> + +<py:def function="announcement_summary"> +XSS in export. +</py:def> + +<py:def function="announcement_description"> +Using crafted url parameters, it was possible to produce XSS on the export panels in the server, database and table sections. +</py:def> + +<py:def function="announcement_mitigation"> +These attacks are unlikely to succeed on a victim. Moreover, all these attacks require that the user be already logged in and that a valid token be part of the request. +</py:def> + +<py:def function="announcement_severity"> +We consider these vulnerabilities to be non critical. +</py:def> + +<py:def function="announcement_affected"> +Versions 3.4.x are affected. +</py:def> + +<py:def function="announcement_solution"> +Upgrade to phpMyAdmin 3.4.9 or newer or apply the related patches listed below. +</py:def> + +<py:def function="announcement_references"> +Thanks to <a href="https://twitter.com/totally_unknown">Nils Juenemann</a> for reporting a vulnerable url parameter. +</py:def> + +<py:def function="announcement_cve">CVE-2011-4780</py:def> + +<py:def function="announcement_cwe">661 79</py:def> + +<py:def function="announcement_commits"> +bd3735ba584e7a49aee78813845245354b061f61 +</py:def> + +<xi:include href="_page.tpl" /> +</html> + +
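Review bot: the text between the two hunks of templates/security/PMASA-2011-19 (from announcement_summary down to "Versions 3.4.x are affected.") is inherited unchanged from PMASA-2011-16, so it needs checking against the issue now tracked as CVE-2011-4782. Only the id, date, fixed version, credits, CVE and commit list were edited. If the affected page or parameter differs from the CVE-2011-4064 report, the summary and description should say so rather than repeat the earlier wording. The announcement_cwe value "661 79" is likewise carried over as context and is worth confirming for the new entry.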
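Review bot: in the new templates/security/PMASA-2011-20, announcement_solution says "the related patches listed below" while announcement_commits lists a single hash (bd3735ba584e7a49aee78813845245354b061f61). Either use "patch", as PMASA-2011-19 does, or add the missing commits. The description and references speak of one XSS and "a vulnerable url parameter", but the mitigation and severity blocks use "these attacks" and "these vulnerabilities"; pick singular or plural consistently. In announcement_mitigation, "These attacks are unlikely to succeed on a victim" states no reason of its own. The next sentence (user already logged in, valid token in the request) is the actual argument, so consider merging the two. The file also adds two blank lines after the closing </html>, which can be dropped.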
hooks/post-receive