The branch, master has been updated via 7c290f83461799b801e255f82bffee0298d84bd4 (commit) via 2e71cc6795e8da72c6e98f333f483c9a5b3273f7 (commit) from ce0ca9b4ffa03b4211ebbbc50036b441b1aa62d4 (commit) - Log ----------------------------------------------------------------- commit 7c290f83461799b801e255f82bffee0298d84bd4 Author: Michal Čihař &lt;mcihar(a)novell.com&gt; Date: Wed Sep 8 10:19:48 2010 +0200 Add security announcement. commit 2e71cc6795e8da72c6e98f333f483c9a5b3273f7 Author: Michal Čihař &lt;mcihar(a)novell.com&gt; Date: Wed Sep 8 10:19:37 2010 +0200 Ignore cache. ----------------------------------------------------------------------- Summary of changes: .gitignore | 1 + templates/security/{PMASA-2010-6 => PMASA-2010-7} | 23 +++++++------------- 2 files changed, 9 insertions(+), 15 deletions(-) copy templates/security/{PMASA-2010-6 => PMASA-2010-7} (55%) diff --git a/.gitignore b/.gitignore index 5c5490b..3009793 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,4 @@ *.pyc *.swp output +cache diff --git a/templates/security/PMASA-2010-6 b/templates/security/PMASA-2010-7 similarity index 55% copy from templates/security/PMASA-2010-6 copy to templates/security/PMASA-2010-7 index 6db9c7e..cd27dc8 100644 --- a/templates/security/PMASA-2010-6 +++ b/templates/security/PMASA-2010-7 @@ -1,25 +1,19 @@ <html xmlns:py="http://genshi.edgewall.org/" xmlns:xi="http://www.w3.org/2001/XInclude" py:strip=""> <py:def function="announcement_id"> -PMASA-2010-6 +PMASA-2010-7 </py:def> <py:def function="announcement_date"> -2010-08-30 +2010-09-08 </py:def> <py:def function="announcement_summary"> -XSS attack using debugging messages. +XSS attack on setup script. </py:def> <py:def function="announcement_description"> -It was possible to conduct a XSS attack using error messages in PHP backtrace. -</py:def> - -<py:def function="announcement_mitigation"> -Additional steps from administrator are required to actually exploit this -issue (phpMyAdmin error reporting and collection needs to be enabled, what -is against recommendation for production setup). +It was possible to conduct a XSS attack using spoofed request to setup script. </py:def> <py:def function="announcement_severity"> @@ -27,7 +21,7 @@ We consider this vulnerability to be non critical. </py:def> <py:def function="announcement_affected"> -For 3.x: versions before 3.3.6 are affected. +For 3.x: versions before 3.3.7 are affected. </py:def> <py:def function="announcement_unaffected"> @@ -35,18 +29,17 @@ Branch 2.11.x is not affected by this. </py:def> <py:def function="announcement_solution"> -Upgrade to phpMyAdmin 3.3.6 or newer or apply patch listed below. +Upgrade to phpMyAdmin 3.3.7 or newer or apply patch listed below. </py:def> <py:def function="announcement_references"> -Thanks to Aung Khant from <a href="http://yehg.net">YGN Ethical Hacker Group, -Myanmar</a> for reporting this issue. +Thanks to <a href="http://tenable.com/">Tenable Network Security</a> for reporting this issue. </py:def> <py:def function="announcement_cve">CVE-2010-2958</py:def> <py:def function="announcement_commits"> -133a77fac7d31a38703db2099a90c1b49de62e37 +73ce5705bd1e0b62060f75702d62f88247ce09dd </py:def> <xi:include href="_page.tpl" /> hooks/post-receive -- phpMyAdmin website