The phpMyAdmin team announces the release of phpMyAdmin version 4.8.4.
Among other bug fixes, this contains several important security fixes.
Upgrading is highly recommended for all users.
The security fixes involve:
* Local file inclusion
* XSRF/CSRF vulnerabilities allowing a specially-crafted URL to
  perform harmful operations
* an XSS vulnerability in the navigation tree
In addition to the security fixes, this release also includes these bug
fixes and more as part of our regular release cycle:
* Issue with changing theme
* Ensure that database names with a dot ('.') are handled properly
  when DisableIS is true
* Fix for message "Error while copying database (pma__column_info)"
* Move operation causes "SELECT * FROM `undefined`" error
* When logging with $cfg['AuthLog'] to syslog, successful login
  messages were not logged when $cfg['AuthLogSuccess'] was true
* Multiple errors and regressions with Designer
And several more. Complete notes are in the ChangeLog file included with
Note that for this release, we experimented with a pre-release
announcement so that hosting providers and package managers would have
an opportunity to prepare for the security release. If this was helpful
to you or if you have feedback about this technique, please let us know
through the public list developers(a)phpmyadmin.net or privately at
security(a)phpmyadmin.net. We may or may not decide to use this behavior in
the future and your feedback will help us decide whether it's beneficial
to the community.
As always, downloads are available at https://www.phpmyadmin.net/downloads/

The phpMyAdmin project is announcing an upcoming security release. We
feel this vulnerability is significant enough to make this announcement
in advance. Our intention is to release the download for version 4.8.4
on Tuesday (December 11) at approximately 1400-1500 UTC.
Details about the vulnerabilities will be provided at the time of
release. Users, package managers, and others with questions or concerns
can reach the security team in private at security(a)phpmyadmin.net or by
replying to me directly.
Isaac, for the phpMyAdmin team