News January 2019

news@phpmyadmin.net

1 participants
2 discussions

Security announcement: phpMyAdmin 4.8.5 is released
by Isaac Bennetch 26 Jan '19

26 Jan '19

The phpMyAdmin team announces the release of phpMyAdmin version 4.8.5. Among other bug fixes, this contains several important security fixes. Upgrading is highly recommended for all users. The security fixes involve: * Arbitrary file read vulnerability (https://www.phpmyadmin.net/security/PMASA-2019-1) * SQL injection in the Designer interface (https://www.phpmyadmin.net/security/PMASA-2019-2) The arbitrary file read vulnerability could also be exploited to delete arbitrary files on the server. This attack requires that phpMyAdmin be run with the $cfg['AllowArbitraryServer'] directive set to true, which is not the default. An attacker must run a malicious server process that will masquerade as a MySQL server. This exploit has been found and fixed recently in several other related projects and appears to be caused by a bug in PHP (https://bugs.php.net/bug.php?id=77496). In addition to the security fixes, this release also includes these bug fixes and more as part of our regular release cycle: * Export to SQL format not available * QR code not shown when adding two-factor authentication to a user account * Issue with adding a new user in MySQL 8.0.11 and newer * Frozen interface relating to Text_Plain_Sql plugin * Table level Operations tab was missing And several more. Complete notes are in the ChangeLog file included with this release. As always, downloads are available at https://www.phpmyadmin.net/downloads/

1 0

Upcoming phpMyAdmin security release
by Isaac Bennetch 25 Jan '19

25 Jan '19

The phpMyAdmin project is announcing an upcoming security release. Two security flaws will be included in the 4.8.5 release and we recommend that all users update their installations. One attack requires setting a configuration directive, which is off by default. The other requires an attacker to have access to the MySQL server. We will post more details at the time of the release. Due to the scheduled release cycle where 4.8.5 was due for release this week, this security release will occur later today. We regret that we haven't provided more advanced notice in this case. This email is part of an experimental policy where we publish advance notifications of upcoming security releases. Thank you, Isaac for the phpMyAdmin team

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

News January 2019