The phpMyAdmin team announces the release of both 4.9.5 and 5.0.2.
Both versions contain several security fixes:
* PMASA-2020-2 SQL injection vulnerability in the user accounts page,
particularly when changing a password
* PMASA-2020-3 SQL injection vulnerability relating to the search feature
* PMASA-2020-4 SQL injection and XSS having to do with displaying results
* Removal of the "options" field for the external transformation.
We are removing the ability for users to set the "options" field for the
external transformation. This must now be hard coded in the plugin file
directly (where the program is configured). This feature allows users to
pipe output directly to an executable file; however, the options field
presented a security risk, so we have decided to move the options to be
hard coded in the transformation plugin file. For further assistance,
please reach out to our support team through email or a GitHub pull request.
Version 5.0.3 also contains many bug fixes:
* Fix for copying a user account
* Removed SET AUTOCOMMIT=0 from SQL export
* Fix for the display of table borders
* Fix for ENUM radio button user interface problems
* Improved the prompt for abandoning changes when no changes were made
in the SQL window
* Fix for inserting a primary key with "insert as new row"
* Fix incorrect suggested latest available version to version 5
There are many other bug fixes; please see the ChangeLog file included
with this release for full details.
Due to changes in the MySQL authentication method, PHP versions prior to
7.4 are unable to authenticate to a MySQL 8.0 or newer server (our tests
show the problem actually began with MySQL 8.0.11). This relates to a
PHP bug https://bugs.php.net/bug.php?id=76243. There is a workaround,
which is to set your user account to use the current-style password hash
method, mysql_native_password. This unfortunate lack of coordination has
caused the incompatibility to affect all PHP applications, not just
phpMyAdmin. For more details, you can see our bug tracker item at
https://github.com/phpmyadmin/phpmyadmin/issues/14220. We suggest
upgrading your PHP installation to take advantage of the authentication
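The workaround described above, as an added SQL example that is not part of the announcement; the account 'pma'@'localhost' and the password value are placeholders:

```sql
-- Added example, not from the phpMyAdmin announcement. Assumes a MySQL 8.0
-- server and a placeholder account 'pma'@'localhost'.

-- 1. List accounts using caching_sha2_password, the MySQL 8.0 default plugin
--    that PHP versions prior to 7.4 cannot authenticate against.
SELECT user, host, plugin
FROM mysql.user
WHERE plugin = 'caching_sha2_password';

-- 2. Switch the affected account to mysql_native_password. The password must
--    be supplied again because the stored hash format changes with the plugin.
ALTER USER 'pma'@'localhost'
  IDENTIFIED WITH mysql_native_password BY 'REPLACE_WITH_STRONG_PASSWORD';

-- 3. Confirm the account now reports the expected plugin.
SELECT user, host, plugin
FROM mysql.user
WHERE user = 'pma' AND host = 'localhost';
```

This is the stopgap the announcement describes; upgrading PHP, as it also suggests, removes the need for it.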
As a reminder, phpMyAdmin 4.9 is in the long-term support phase where it
will only get important security fixes and critical bug fixes. Users are
suggested to migrate to version 5.0.
Downloads are available now at https://phpmyadmin.net/downloads/
For the phpMyAdmin team,
The phpMyAdmin team is announcing that we are preparing a security fix
which we plan to release Friday, tomorrow, approximately 30 hours from now.
The attack vector requires that the attacker be authenticated through a
valid MySQL/MariaDB account. Both the 4.9 and 5.0 branches will be updated.
This announcement is part of our ongoing effort to announce security
releases in advance, when available, and should not be interpreted as
any commentary on the details of any specific vulnerability.
If you have questions or concerns, you can reach me directly or contact
the security team at security(a)phpmyadmin.net.
Isaac for the phpMyAdmin team