News January 2022

news@phpmyadmin.net

1 participants
2 discussions

phpMyAdmin 4.9.9 is released
by Isaac Bennetch 23 Jan '22

23 Jan '22

Welcome to the release of phpMyAdmin version 4.9.9. This is a release to fix two issues with the 4.9.8 release. We apologize for the inconvenience. Fixed since phpMyAdmin 4.9.8: * Fix a syntax error preventing use with PHP 5 * An error was shown regarding the new "hide_configuration_errors" directive when a controluser is set Fixed in phpMyAdmin 4.9.8: * Fix for a user potentially being able to disable their two factor authentication (PMASA-2022-1) * Add a new configuration directive $cfg['URLQueryEncryption'] to allow encrypting sensitive information in the URL to prevent disclosure. Thanks to Rich Grimes <https://twitter.com/saltycoder> for suggesting this improvement * Add a new configuration directive $cfg['Servers'][$i]['hide_connection_errors'] to allow hiding the full error message when a log on attempt fails, which can leak hostnames or IP addresses of the target database server. Thanks to Dr. Shuzhe Yang, Manager Security Governance at GLS IT Services for suggesting this improvement Note that the 5.1.2 has two known issues, the hide_connection_errors and an issue with the navigation pane. We are preparing fixes for those and will release version 5.1.3 separately. This is a reminder that phpMyAdmin 4.9 is in the long-term support phase where it will only get important security fixes and critical bug fixes. Users are suggested to migrate to version 5.1. Downloads are available now at https://phpmyadmin.net/downloads/ For the phpMyAdmin team, Isaac

1 0

phpMyAdmin 4.9.8, 5.1.2, and 5.2.0-rc1 are released
by Isaac Bennetch 22 Jan '22

22 Jan '22

The phpMyAdmin project announces several new releases: * 4.9.8, which fixes some security flaws * 5.1.2, which fixes some security flaws and contains many bug fixes including better PHP 8.0 and 8.1 compatibility * 5.2.0-rc1, a testing version introducing many new features ## Security fixes (affected versions as noted) A flaw was identified in how phpMyAdmin processes two factor authentication; a user could potentially manipulate their account to bypass two factor authentication in subsequent authentication sessions (PMASA-2022-1) (affects both 4.9 and 5.1). A series of weaknesses was identified allowing a malicious user to submit malicious information to present an XSS or HTML injection attack in the graphical setup page (PMASA-2022-2) (affects 5.1 only; not 4.9). In some scenarios, potentially sensitive information such as a the database name can be part of the URL. This can now be optionally encrypted. There are two new configuration directives relating to this improvement: `$cfg['URLQueryEncryption']` and `$cfg['URLQueryEncryptionSecretKey']`. This encryption can be enabled by setting URLQueryEncryption to true in your `config.inc.php`. Thanks to Rich Grimes <https://twitter.com/saltycoder> for suggesting this improvement (affects both 4.9 and 5.1). During a failed log on attempt, the error message reveals the target database server's hostname or IP address. This can reveal some information about the network infrastructure to an attacker. This information can now be suppressed through the `$cfg['Servers'][$i]['hide_connection_errors']` directive. Thanks to Dr. Shuzhe Yang, Manager Security Governance at GLS IT Services for suggesting this improvement (affects both 4.9 and 5.1). ## Bug fixes (5.1.2 and 5.2.0-rc1) * Revert a changed to $cfg['CharTextareaRows'] allow values less than 7 * Fix encoding of enum and set values on edit value * Fixed possible "Undefined index: clause_is_unique" error * Fixed some situations where a user is logged out when working with more than one server * Fixed a problem with assigning privileges to a user using the multiselect list when the database name has an underscore * Enable cookie parameter "SameSite" when the PHP version is 7.3 or newer * Correctly handle the removal of "innodb_file_format" in MariaDB and MySQL ## New features (5.2.0-rc1) * Removed support for Microsoft Internet Explorer * Requires PHP 7.2 or newer * Requires the openssl PHP extension * Improved handling of system CA bundle and cacert.pem, falling back to Mozilla CA if needed * Replace "master/slave" terms with "primary/replica" * Add "NOT LIKE %...%" operator to Table search * Add support for the Mroonga engine * Add support for account locking * Several fixes and improvements to the SQL parser library There are, of course, many more fixes and new features that you can see in the ChangeLog file included with this release or online at <https://demo.phpmyadmin.net/master-config/index.php?route=/changelog> Downloads are available now at <https://phpmyadmin.net/downloads/> Isaac and the phpMyAdmin team

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

2003

2002

2001

News January 2022