- News - lists.phpmyadmin.net

[Phpmyadmin-news] phpMyAdmin 2.6.2 is released
by Marc Delisle 17 Apr '05

17 Apr '05

_ __ __ _ _ _ _ __ | |__ _ __ | \/ |_ _ / \ __| |_ __ ___ (_)_ __ | "_ \| "_ \| "_ \| |\/| | | | | / _ \ / _` | "_ ` _ \| | "_ \ | |_) | | | | |_) | | | | |_| |/ ___ \ (_| | | | | | | | | | | | .__/|_| |_| .__/|_| |_|\__, /_/ \_\__,_|_| |_| |_|_|_| |_| |_| |_| |___/ 2.6.2 http://www.phpmyadmin.net phpMyAdmin 2.6.2 - April 16th, 2005 =================================== A set of PHP-scripts to administrate MySQL over the Web. -------------------------------------------------------- Announcement ------------ The phpMyAdmin Project is proud to announce the immediate availability of phpMyAdmin 2.6.2. Version 2.6.2 contains improvements for better MySQL 4.1 and 5.0 support, and a fix for a new security vulnerability. phpMyAdmin is a web administration tool for MySQL databases, intended to handle a whole database server as well as a single database. Over the years, it has become the most popular GUI for MySQL and is downloaded about 6,000 times a day, according to SourceForge.net. Highlights ---------- Note: If you are using the 'cookie' authentication type, please delete in your browser's data the cookies which relate to phpMyAdmin, before your first use of phpMyAdmin 2.6.2. Thanks to Dmitry Chorine for the information. Improvements: * MySQL 4.1.x native column comments * MySQL 5.0: Basic detection mechanism for views: o Views are no longer displayed as tables in use o Ability to drop views * MySQL 5.0: Interface fixes and hardcoded virtual relations for information_schema * MySQL 4.1: Better automatic detection for available storage engines * New storage engines overview page o Plugin-like infrastructure for storage engine status monitors o Overview of startup variables and current values o MySQL 5.0 / InnoDB: Buffer pool activity monitor * MySQL 4.1.2+ TIMESTAMP options * Export: Native Microsoft Word 2000 and Excel 2000 formats * PDF schema visual editor: column names now optional * MySQL 5.0.3 new Japanese charsets support (cp932, eucjpms) * Parser: added missing date and time MySQL functions * Documentation: explain all Export options handling * Cookie paths: added / to end of path * Show database comments at more places * Better use of print styles in themes * Bookmarks: sort by label, remove the number before each label * Better protection against possible collation conflicts and out-of-sync errors in PMADB queries * Relation view: removed pmadb-style comments handling (now available just on the Structure page) * FAQ about using HTTP authentication under IIS * New editions for some language files (especially ISO-8859-15) * (rc1) English messages improvements * (final) New language: belarusian Fixes: * Detection of SELECT query to display on multiple submits * PDF schema: missing header * A failed connection was not properly detected * Problem with Japanese language under MySQL 4.1.x * Export o Various errors under mysqli extension o SQL format under Safari browser o Do not offer export modes not available in current MySQL version * Changing the type of a FLOAT unsigned column * Adding field with collation * Calendar popup and TIMESTAMP field under MySQL 4.1.x * PHP 4.1.x: wrong parameter count (mcrypt.lib.php) * Problem when SHOW DATABASES is disabled * Copy table: commands out of sync * User management o Host not changing with editing user o Escaping character removed by error * MySQL 5.0.x: "No database selected" error * Print view: displaying of indexes * Cookie auth: error when blowfish_secret is empty * MySQL 4.1.2: "Reload MySQL" link not seen * MySQL 5 server binlog compatibility * PDF pages generation: wrong documentation * Inserted row id was not always correctly reported * (rc1) Do not offer unavailable collations * (rc1) XSS vulnerability on "convcharset" * (rc1) Do not allow to drop information_schema * (rc1) Undefined offset (on the left panel) * (rc1) Problem copying InnoDB table with foreign-key constraints to a table in the same database * (final) Problem editing a user's profile * (final) Error going from Export to Insert tab Detailed list of changes since version 2.2.0 is available under http://www.phpmyadmin.net/ChangeLog.txt Availability ------------ This software is available under the GNU General Public License V2.0. You can get the newest version at http://www.phpmyadmin.net/ Available file formats are: .zip, .tar.gz and .tar.bz2. If you install phpMyAdmin on your system, it"s recommended to subscribe to the news mailing list by adding your address under http://lists.sourceforge.net/lists/listinfo/phpmyadmin-news This way, you will be informed of new updates and security fixes. It is a read only list, and traffic is not greater than a few mail every year. Support and Documentation ------------------------- The documentation is included in the software package as text and HTML file, but can also be downloaded from: http://www.phpmyadmin.net/documentation/ The software is provided as is without any express or implied warranty, but there is a bugs tracker page under: http://sourceforge.net/projects/phpmyadmin/ [click on "Bugs"] In addition, there are also a number of discussion lists related to phpMyAdmin. A list of mailing lists with archives is available at: http://sourceforge.net/mail/?group_id=23067 or http://sourceforge.net/projects/phpmyadmin/ [click on "Lists"] Finally, an users support forum is also available under: http://sourceforge.net/forum/forum.php?forum_id=72909 Known bugs ---------- - phpMyAdmin SQL parser chokes on fieldnames with certain non-ASCII characters (bugs #593598, #936161). To be informed about new releases fixing these problems, please subscribe to the news mailing list under http://lists.sourceforge.net/lists/listinfo/phpmyadmin-news or regularly check the sourceforge bugs tracker. Donations --------- The project accepts donations to help improve the product. There is a "Donations" link on http://www.phpmyadmin.net. Description ----------- phpMyAdmin is intended to handle the administration of MySQL over the Web. It can manage a whole MySQL server as well as a single database. Currently it can: - create, copy, rename and drop databases - create, copy, drop, rename and alter tables - do table maintenance - delete, edit and add fields - execute any SQL-statement, even batch-queries - manage keys on fields - load text files into tables - create and read dumps of tables - export data to CSV, XML and Latex formats - administer multiple servers - manage MySQL users and privileges - check referential integrity - using Query-by-example (QBE), create complex queries automatically connecting required tables - create PDF graphics of your Database layout - search globally in a database or a subset of it - communicate in 47 different languages Authors & Copyright ------------------- Copyright (C) 1998-2000 Tobias Ratschiller <tobias_at_ratschiller..com> Copyright (C) 2001-2005 Marc Delisle <DelislMa_at_CollegeSherbrooke.qc.ca> Olivier Müller <om_at_omnis.ch> Robin Johnson <robbat2_at_users.sourceforge.net> Alexander M. Turek <me_at_derrabus.de> Michal Cihar <michal_at_cihar.com> Garvin Hicking <me_at_supergarv.de> Marcel Tschopp <ne0x_at_users.sourceforge..net> + many other people (check the CREDITS section of our documentation) This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Marc Delisle/ 2005-04-16

1 0

[Phpmyadmin-news] phpMyAdmin 2.6.2-rc1 is released
by Marc Delisle 04 Apr '05

04 Apr '05

_ __ __ _ _ _ _ __ | |__ _ __ | \/ |_ _ / \ __| |_ __ ___ (_)_ __ | "_ \| "_ \| "_ \| |\/| | | | | / _ \ / _` | "_ ` _ \| | "_ \ | |_) | | | | |_) | | | | |_| |/ ___ \ (_| | | | | | | | | | | | .__/|_| |_| .__/|_| |_|\__, /_/ \_\__,_|_| |_| |_|_|_| |_| |_| |_| |___/ 2.6.2-rc1 http://www.phpmyadmin.net phpMyAdmin 2.6.2-rc1 - April 3rd, 2005 ====================================== A set of PHP-scripts to administrate MySQL over the Web. -------------------------------------------------------- Announcement ------------ The phpMyAdmin Project is proud to announce the immediate availability of the first release candidate of phpMyAdmin 2.6.2. Version 2.6.2 contains improvements for better MySQL 4.1 and 5.0 support, and a fix for a new security vulnerability. phpMyAdmin is a web administration tool for MySQL databases, intended to handle a whole database server as well as a single database. Over the years, it has become the most popular GUI for MySQL and is downloaded about 6,000 times a day, according to SourceForge.net. The highlights of this release in detail: Highlights ---------- Improvements: * MySQL 4.1.x native column comments * MySQL 5.0: Basic detection mechanism for views: o Views are no longer displayed as tables in use o Ability to drop views * MySQL 5.0: Interface fixes and hardcoded virtual relations for information_schema * MySQL 4.1: Better automatic detection for available storage engines * New storage engines overview page o Plugin-like infrastructure for storage engine status monitors o Overview of startup variables and current values o MySQL 5.0 / InnoDB: Buffer pool activity monitor * MySQL 4.1.2+ TIMESTAMP options * Export: Native Microsoft Word 2000 and Excel 2000 formats * PDF schema visual editor: column names now optional * MySQL 5.0.3 new Japanese charsets support (cp932, eucjpms) * Parser: added missing date and time MySQL functions * Documentation: explain all Export options handling * Cookie paths: added / to end of path * Show database comments at more places * Better use of print styles in themes * Bookmarks: sort by label, remove the number before each label * Better protection against possible collation conflicts and out-of-sync errors in PMADB queries * Relation view: removed pmadb-style comments handling (now available just on the Structure page) * FAQ about using HTTP authentication under IIS * New editions for some language files (especially ISO-8859-15) * (rc1) English messages improvements Fixes: * Detection of SELECT query to display on multiple submits * PDF schema: missing header * A failed connection was not properly detected * Problem with Japanese language under MySQL 4.1.x * Export o Various errors under mysqli extension o SQL format under Safari browser o Do not offer export modes not available in current MySQL version * Changing the type of a FLOAT unsigned column * Adding field with collation * Calendar popup and TIMESTAMP field under MySQL 4.1.x * PHP 4.1.x: wrong parameter count (mcrypt.lib.php) * Problem when SHOW DATABASES is disabled * Copy table: commands out of sync * User management o Host not changing with editing user o Escaping character removed by error * MySQL 5.0.x: "No database selected" error * Print view: displaying of indexes * Cookie auth: error when blowfish_secret is empty * MySQL 4.1.2: "Reload MySQL" link not seen * MySQL 5 server binlog compatibility * PDF pages generation: wrong documentation * Inserted row id was not always correctly reported * (rc1) Do not offer unavailable collations * (rc1) XSS vulnerability on "convcharset" * (rc1) Do not allow to drop information_schema * (rc1) Undefined offset (on the left panel) * (rc1) Problem copying InnoDB table with foreign-key constraints to a table in the same database Detailed list of changes since version 2.2.0 is available under http://www.phpmyadmin.net/ChangeLog.txt Availability ------------ This software is available under the GNU General Public License V2.0. You can get the newest version at http://www.phpmyadmin.net/ Available file formats are: .zip, .tar.gz and .tar.bz2. If you install phpMyAdmin on your system, it"s recommended to subscribe to the news mailing list by adding your address under http://lists.sourceforge.net/lists/listinfo/phpmyadmin-news This way, you will be informed of new updates and security fixes. It is a read only list, and traffic is not greater than a few mail every year. Support and Documentation ------------------------- The documentation is included in the software package as text and HTML file, but can also be downloaded from: http://www.phpmyadmin.net/documentation/ The software is provided as is without any express or implied warranty, but there is a bugs tracker page under: http://sourceforge.net/projects/phpmyadmin/ [click on "Bugs"] In addition, there are also a number of discussion lists related to phpMyAdmin. A list of mailing lists with archives is available at: http://sourceforge.net/mail/?group_id=23067 or http://sourceforge.net/projects/phpmyadmin/ [click on "Lists"] Finally, an users support forum is also available under: http://sourceforge.net/forum/forum.php?forum_id=72909 Known bugs ---------- - phpMyAdmin SQL parser chokes on fieldnames with certain non-ASCII characters (bugs #593598, #936161). To be informed about new releases fixing these problems, please subscribe to the news mailing list under http://lists.sourceforge.net/lists/listinfo/phpmyadmin-news or regularly check the sourceforge bugs tracker. Donations --------- The project accepts donations to help improve the product. There is a "Donations" link on http://www.phpmyadmin.net. Description ----------- phpMyAdmin is intended to handle the administration of MySQL over the Web. It can manage a whole MySQL server as well as a single database. Currently it can: - create, copy, rename and drop databases - create, copy, drop, rename and alter tables - do table maintenance - delete, edit and add fields - execute any SQL-statement, even batch-queries - manage keys on fields - load text files into tables - create and read dumps of tables - export data to CSV, XML and Latex formats - administer multiple servers - manage MySQL users and privileges - check referential integrity - using Query-by-example (QBE), create complex queries automatically connecting required tables - create PDF graphics of your Database layout - search globally in a database or a subset of it - communicate in 47 different languages Authors & Copyright ------------------- Copyright (C) 1998-2000 Tobias Ratschiller <tobias_at_ratschiller..com> Copyright (C) 2001-2005 Marc Delisle <DelislMa_at_CollegeSherbrooke.qc.ca> Olivier Müller <om_at_omnis.ch> Robin Johnson <robbat2_at_users.sourceforge.net> Alexander M. Turek <me_at_derrabus.de> Michal Cihar <michal_at_cihar.com> Garvin Hicking <me_at_supergarv.de> Marcel Tschopp <ne0x_at_users.sourceforge..net> + many other people (check the CREDITS section of our documentation) This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Marc Delisle/ 2005-04-03

1 0

[Phpmyadmin-news] phpMyAdmin security alert PMASA-2005-3
by Marc Delisle 04 Apr '05

04 Apr '05

phpMyAdmin security announcement PMASA-2005-3 Announcement-ID: PMASA-2005-3 Date: 2005-04-03 Summary: Cross-Site Scripting vulnerability Description: We received a security advisory from Oriol Torrent Santiago and we wish to thank him for his work and report. The convcharset parameter was not correctly validated, opening the door to a XSS attack. Severity: We consider this vulnerability to be serious. Affected versions: Probably all phpMyAdmin versions before 2.6.2-rc1. Solution: Upgrade to phpMyAdmin 2.6.2-rc1 or newer. References: http://www.arrelnet.com/advisories/adv20050403.html For further information and in case of questions, please contact the phpMyAdmin team. Our website is http://www.phpmyadmin.net/.

1 0

[Phpmyadmin-news] phpMyAdmin 2.6.1-pl3 is released
by Marc Delisle 06 Mar '05

06 Mar '05

Hi, Here is patch level 3 for phpMyAdmin 2.6.1. It fixes a problem introduced in -pl2: can no longer update a field whose name starts with "str". Also included, a fix for the privileges management module: escaping of the "_" character was not properly done, giving a wildcard privilege when editing db-specific privileges with phpMyAdmin. Details at http://www.phpmyadmin.net Marc Delisle, for the team

1 0

[Phpmyadmin-news] phpMyAdmin: 2 new security alerts
by Marc Delisle 27 Feb '05

27 Feb '05

Hi, Please refer to our security page http://www.phpmyadmin.net/home_page/security.php for the alerts PMASA-2005-1 and PMASA-2005-2. Marc Delisle, for the team.

1 0

[Phpmyadmin-news] phpMyAdmin 2.6.1-pl2 is released
by Marc Delisle 24 Feb '05

24 Feb '05

Hi, We are sorry to report that the release of 2.6.1-pl1 introduced an instability, producing various problems. This has been fixed, and here is 2.6.1-pl2. See http://www.phpmyadmin.net. Marc Delisle, for the team

1 0

[Phpmyadmin-news] phpMyAdmin 2.6.1-pl1 is released
by Marc Delisle 24 Feb '05

24 Feb '05

Hi, Patch level 1 of phpMyAdmin 2.6.1 fixes some security problems, along with a few other bugs. A more formal security alert will be posted when ready. Meanwhile, the phpMyAdmin development team strongly advises an upgrade to phpMyAdmin 2.6.1-pl1, and to also apply the following security measures on your PHP installation (if feasible) by modifying your php.ini configuration file (or virtual host settings): - set register_globals to Off - set display_errors to Off - set log_errors to On - define the path to your error log with the error_log directive Both settings are recommended in the PHP documentation on a server running in production. For example: http://www.php.net/manual/en/security.errors.php However, we suggest you review the impact of those changes before applying them. Meanwhile, work continues on the development version 2.6.2. Marc Delisle, for the team.

1 0

[Phpmyadmin-news] phpMyAdmin 2.6.1 is released
by Marc Delisle 24 Jan '05

24 Jan '05

_ __ __ _ _ _ _ __ | |__ _ __ | \/ |_ _ / \ __| |_ __ ___ (_)_ __ | "_ \| "_ \| "_ \| |\/| | | | | / _ \ / _` | "_ ` _ \| | "_ \ | |_) | | | | |_) | | | | |_| |/ ___ \ (_| | | | | | | | | | | | .__/|_| |_| .__/|_| |_|\__, /_/ \_\__,_|_| |_| |_|_|_| |_| |_| |_| |___/ 2.6.1 http://www.phpmyadmin.net phpMyAdmin 2.6.1 - January 23rd, 2005 ===================================== A set of PHP-scripts to administrate MySQL over the Web. -------------------------------------------------------- Announcement ------------ The phpMyAdmin Project is proud to announce the immediate availability of phpMyAdmin 2.6.1. Almost four months have passed since 2.6.0, although three patch releases were made to take care of several security alerts we received. In 2.6.1 there are two more security fixes. As a consequence of one of these fixes, if you want to use MIME-based external transformations you have to use a PHP version of 4.3.0 or later. A major speed improvement for users of the "cookie" authentication type is included starting from 2.6.1-rc1, but you must be running on a Web server with the mcrypt PHP module. Another improvement worth mentionning, which relates to a new feature offered on MySQL 4.1.2+: on multi-user installations, the control user no longer needs to have any rights to the "mysql" db. It is now only used to access the linked-tables infrastructure (pmadb). phpMyAdmin is a web administration tool for MySQL databases, intended to handle a whole database server as well as a single database. Over the years, it has become the most popular GUI for MySQL and is downloaded about 6,000 times a day, according to SourceForge.net. The highlights of this release in detail: Highlights ---------- Upgrade note: * Using external transformations now requires PHP > 4.3.0 Improvements: * Major speed improvement (if using auth_type = 'cookie') by using the mcrypt library (if available on your system) * Improved wording when adding fields * (mysqli) support for compressed protocol and CLIENT_LOCAL_FILES * Clickable active server in left panel * Improved ANSI mode in various scripts * Hints added (light bulb) * Database copying * New Database Operations tab: note that many db operations have been moved here, including the PDF schema generation dialog * Optional simple blocking of root login * Binary log display * Index creating on multiple fields * Improved displaying of messages below tabs * Handle MySQL "duplicate entry" error * User list: top index for user initials * Support for OLD_PASSWORD() function * Under MySQL 4.1.2+, we no longer need the control user to have rights over the "mysql" db * New checks for common index problems * Upload: show filename of uploaded file * Improved page selector when browsing foreign table values * Improved handling of InnoDB constraints * Speed up display for left panel with PMA infrastructure is used * New message "no activity..." * Support of keywords NAMES and VIEW * Can now edit next entry (based on the next numeric primary key) * New warnings related to the use of mbstring * Improved navigation in calendar * Export: selectable SQL compatibility * PDF schema: added support for output in UTF-8 Fixes: * Security fix against some crafted data allowing arbitrary program execution (if PHP safe mode is off and external transformations are activated) * Security fix against a possible attack on read_dump.php (if PHP safe mode is off) * Incorrect appending of LIMIT to queries * Export: insufficient space to save * Export: convert end of line chars we get from MySQL * Wrong double column sort (with JOIN) * Export: (mysqli) some fields wrongly exported as BINARY * Illegal mix of collations for converted strings * Wrong tabbing from value to value * Allow work on temporary tables * UNIX_TIMESTAMP and optional parameter * Export: improved zip headers * 0 as field name caused problems * Incorrect handling when no default server defined * Export: Use just for SQL exports * Comments and multi-table selects * Security: deactivate the list of programs for external transformations * Incorrect handling of OFFSET * Better displaying of table-specific privileges for a db containing an escaped character * Since 2.6.0-pl3, connecting on a non-standard HTTP port did not work * Do not catch Alt and Shift keys * Do not duplicate constraints when exporting multiple databases * Illegal length for LONGTEXT * Moving/copying a table: problem with constraints copying * Reloading frame on multiple queries * Collations on non-text fields * Use standardized MIME type for gzip/bzip2 * Problem with field names like 000 * Timestamps problem under MySQL 4.1.x * Support Option key for field moving in Safari * Error when adding a FLOAT field under MySQL 4.1.x * Headers sent on invalid login * Wrong treatment of MySQL error 1060 * Problem in bookmark logic when using MySQLi Detailed list of changes since version 2.2.0 is available under http://www.phpmyadmin.net/ChangeLog.txt Availability ------------ This software is available under the GNU General Public License V2.0. You can get the newest version at http://www.phpmyadmin.net/ Available file formats are: .zip, .tar.gz and .tar.bz2. If you install phpMyAdmin on your system, it"s recommended to subscribe to the news mailing list by adding your address under http://lists.sourceforge.net/lists/listinfo/phpmyadmin-news This way, you will be informed of new updates and security fixes. It is a read only list, and traffic is not greater than a few mail every year. Support and Documentation ------------------------- The documentation is included in the software package as text and HTML file, but can also be downloaded from: http://www.phpmyadmin.net/documentation/ The software is provided as is without any express or implied warranty, but there is a bugs tracker page under: http://sourceforge.net/projects/phpmyadmin/ [click on "Bugs"] In addition, there are also a number of discussion lists related to phpMyAdmin. A list of mailing lists with archives is available at: http://sourceforge.net/mail/?group_id=23067 or http://sourceforge.net/projects/phpmyadmin/ [click on "Lists"] Finally, an users support forum is also available under: http://sourceforge.net/forum/forum.php?forum_id=72909 Known bugs ---------- - phpMyAdmin SQL parser chokes on fieldnames with certain non-ASCII characters (bugs #593598, #936161). To be informed about new releases fixing these problems, please subscribe to the news mailing list under http://lists.sourceforge.net/lists/listinfo/phpmyadmin-news or regularly check the sourceforge bugs tracker. Donations --------- The project accepts donations to help improve the product. There is a "Donations" link on http://www.phpmyadmin.net. Description ----------- phpMyAdmin is intended to handle the administration of MySQL over the Web. It can manage a whole MySQL server as well as a single database. Currently it can: - create, copy and drop databases - create, copy, drop, rename and alter tables - do table maintenance - delete, edit and add fields - execute any SQL-statement, even batch-queries - manage keys on fields - load text files into tables - create and read dumps of tables - export data to CSV, XML and Latex formats - administer multiple servers - manage MySQL users and privileges - check referential integrity - using Query-by-example (QBE), create complex queries automatically connecting required tables - create PDF graphics of your Database layout - search globally in a database or a subset of it - communicate in 47 different languages Authors & Copyright ------------------- Copyright (C) 1998-2000 Tobias Ratschiller <tobias_at_ratschiller.com> Copyright (C) 2001-2005 Marc Delisle <DelislMa_at_CollegeSherbrooke.qc.ca> Olivier Müller <om_at_omnis.ch> Robin Johnson <robbat2_at_users.sourceforge.net> Alexander M. Turek <me_at_derrabus.de> Michal Cihar <michal_at_cihar.com> Garvin Hicking <me_at_supergarv.de> Marcel Tschopp <ne0x_at_users.sourceforge.net> + many other people (check the CREDITS section of our documentation) This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Marc Delisle/ 2005-01-23

1 0

[Phpmyadmin-news] phpMyAdmin 2.6.1-rc2 is released
by Marc Delisle 09 Jan '05

09 Jan '05

_ __ __ _ _ _ _ __ | |__ _ __ | \/ |_ _ / \ __| |_ __ ___ (_)_ __ | "_ \| "_ \| "_ \| |\/| | | | | / _ \ / _` | "_ ` _ \| | "_ \ | |_) | | | | |_) | | | | |_| |/ ___ \ (_| | | | | | | | | | | | .__/|_| |_| .__/|_| |_|\__, /_/ \_\__,_|_| |_| |_|_|_| |_| |_| |_| |___/ 2.6.1-rc2 http://www.phpmyadmin.net phpMyAdmin 2.6.1-rc2 - January 9th, 2005 ======================================== A set of PHP-scripts to administrate MySQL over the Web. -------------------------------------------------------- Announcement ------------ The phpMyAdmin Project is proud to announce the immediate availability of the second release candidate of phpMyAdmin 2.6.1. Almost four months have passed since 2.6.0, although three patch releases were made to take care of several security alerts we received. In 2.6.1 there are two more security fixes. As a consequence of one of these fixes, if you want to use MIME-based external transformations you have to use a PHP version of 4.3.0 or later. A big speed improvement for users of the "cookie" authentication type is included starting from 2.6.1-rc1, but you must be running on a Web server with the mcrypt PHP module. Another improvement worth mentionning, which relates to a new feature offered on MySQL 4.1.2+: on multi-user installations, the control user no longer needs to have any rights to the "mysql" db. It is now only used to access the linked-tables infrastructure (pmadb). Please note that it is not recommended to run this testing release on production environments. phpMyAdmin is a web administration tool for MySQL databases, intended to handle a whole database server as well as a single database. Over the years, it has become the most popular GUI for MySQL and is downloaded about 6,000 times a day, according to SourceForge.net. The highlights of this release in detail: Highlights ---------- Upgrade note: * Using external transformations now requires PHP > 4.3.0 Improvements: * Big speed improvement (if using auth_type = 'cookie') by using the mcrypt library (if available on your system) * Improved wording when adding fields * (mysqli) support for compressed protocol and CLIENT_LOCAL_FILES * Clickable active server in left panel * Improved ANSI mode in various scripts * Hints added (light bulb) * Database copying * New Database Operations tab: note that many db operations have been moved here, including the PDF schema generation dialog * Optional simple blocking of root login * Binary log display * Index creating on multiple fields * Improved displaying of messages below tabs * Handle MySQL "duplicate entry" error * User list: top index for user initials * Support for OLD_PASSWORD() function * Under MySQL 4.1.2+, we no longer need the control user to have rights over the "mysql" db * New checks for common index problems * Upload: show filename of uploaded file * Improved page selector when browsing foreign table values * Improved handling of InnoDB constraints * Speed up display for left panel with PMA infrastructure is used * New message "no activity..." * Support of keywords NAMES and VIEW * Can now edit next entry (based on the next numeric primary key) * New warnings related to the use of mbstring * Improved navigation in calendar * Export: selectable SQL compatibility * PDF schema: added support for output in UTF-8 Fixes: * Security fix against some crafted data allowing arbitrary program execution (if PHP safe mode is off and external transformations are activated) * Security fix against a possible attack on read_dump.php (if PHP safe mode is off) * Incorrect appending of LIMIT to queries * Export: insufficient space to save * Export: convert end of line chars we get from MySQL * Wrong double column sort (with JOIN) * Export: (mysqli) some fields wrongly exported as BINARY * Illegal mix of collations for converted strings * Wrong tabbing from value to value * Allow work on temporary tables * UNIX_TIMESTAMP and optional parameter * Export: improved zip headers * 0 as field name caused problems * Incorrect handling when no default server defined * Export: Use just for SQL exports * Comments and multi-table selects * Security: deactivate the list of programs for external transformations * Incorrect handling of OFFSET * Better displaying of table-specific privileges for a db containing an escaped character * Since 2.6.0-pl3, connecting on a non-standard HTTP port did not work * Do not catch Alt and Shift keys * Do not duplicate constraints when exporting multiple databases * Illegal length for LONGTEXT * Moving/copying a table: problem with constraints copying * Reloading frame on multiple queries * Collations on non-text fields * Use standardized MIME type for gzip/bzip2 * Problem with field names like 000 * Timestamps problem under MySQL 4.1.x * Support Option key for field moving in Safari * Error when adding a FLOAT field under MySQL 4.1.x Detailed list of changes since version 2.2.0 is available under http://www.phpmyadmin.net/ChangeLog.txt Availability ------------ This software is available under the GNU General Public License V2.0. You can get the newest version at http://www.phpmyadmin.net/ Available file formats are: .zip, .tar.gz and .tar.bz2. If you install phpMyAdmin on your system, it"s recommended to subscribe to the news mailing list by adding your address under http://lists.sourceforge.net/lists/listinfo/phpmyadmin-news This way, you will be informed of new updates and security fixes. It is a read only list, and traffic is not greater than a few mail every year. Support and Documentation ------------------------- The documentation is included in the software package as text and HTML file, but can also be downloaded from: http://www.phpmyadmin.net/documentation/ The software is provided as is without any express or implied warranty, but there is a bugs tracker page under: http://sourceforge.net/projects/phpmyadmin/ [click on "Bugs"] In addition, there are also a number of discussion lists related to phpMyAdmin. A list of mailing lists with archives is available at: http://sourceforge.net/mail/?group_id=23067 or http://sourceforge.net/projects/phpmyadmin/ [click on "Lists"] Finally, an users support forum is also available under: http://sourceforge.net/forum/forum.php?forum_id=72909 Known bugs ---------- - phpMyAdmin SQL parser chokes on fieldnames with certain non-ASCII characters (bugs #593598, #936161). To be informed about new releases fixing these problems, please subscribe to the news mailing list under http://lists.sourceforge.net/lists/listinfo/phpmyadmin-news or regularly check the sourceforge bugs tracker. Donations --------- The project accepts donations to help improve the product. There is a "Donations" link on http://www.phpmyadmin.net. Description ----------- phpMyAdmin is intended to handle the administration of MySQL over the Web. It can manage a whole MySQL server as well as a single database. Currently it can: - create, copy and drop databases - create, copy, drop, rename and alter tables - do table maintenance - delete, edit and add fields - execute any SQL-statement, even batch-queries - manage keys on fields - load text files into tables - create and read dumps of tables - export data to CSV, XML and Latex formats - administer multiple servers - manage MySQL users and privileges - check referential integrity - using Query-by-example (QBE), create complex queries automatically connecting required tables - create PDF graphics of your Database layout - search globally in a database or a subset of it - communicate in 47 different languages Authors & Copyright ------------------- Copyright (C) 1998-2000 Tobias Ratschiller <tobias_at_ratschiller.com> Copyright (C) 2001-2004 Marc Delisle <DelislMa_at_CollegeSherbrooke.qc.ca> Olivier Müller <om_at_omnis.ch> Robin Johnson <robbat2_at_users.sourceforge.net> Alexander M. Turek <me_at_derrabus.de> Michal Cihar <michal_at_cihar.com> Garvin Hicking <me_at_supergarv.de> Marcel Tschopp <ne0x_at_users.sourceforge.net> + many other people (check the CREDITS section of our documentation) This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Marc Delisle/ 2005-01-09

1 0

[Phpmyadmin-news] phpMyAdmin security alert (PMASA-2004-4)
by Marc Delisle 13 Dec '04

13 Dec '04

phpMyAdmin security announcement _________________________________________________________________ Announcement-ID: PMASA-2004-4 Date: 2004-12-13 Summary: Two vulnerabilities were found in phpMyAdmin, that may allow command execution and file disclosure. Description: We received a security advisory from Nicolas Gregoire (exaprobe.com) about those vulnerabilities and we wish to thank him for his work. Both vulnerabilites can be exploited only on a web server where PHP safe mode is off. The vulnerabilities apply to those points: 1. Command execution: since phpMyAdmin 2.6.0-pl2, on a system where external MIME-based transformations are activated, an attacker can put into MySQL data an offensive value that starts a shell command when browsed. 2. File disclosure: on systems where the UploadDir mecanism is active, read_dump.php can be called with a crafted form; using the fact that the sql_localfile variable is not sanitized can lead to a file disclosure. Severity: As any of those vulnerabilites can be used for command execution or file disclosure, we consider them to be serious (on servers where PHP safe mode is off). Affected versions: Command execution problem: since phpMyAdmin 2.6.0-pl2. File disclosure problem: vulnerable since at least version 2.4.0. Unaffected versions: CVS HEAD has been fixed. The 2.6.1-rc1 release. Solution: We strongly advise everyone to upgrade to version 2.6.1 when released. Meanwhile, setting PHP safe mode to on avoids those problems. If not feasible, you should deactivate MIME-based external transformations and the UploadDir mecanism. Reference: http://www.exaprobe.com/labs/advisories/esa-2004-1213.html For further information and in case of questions, please contact the phpMyAdmin team. Our website is http://www.phpmyadmin.net/.

1 0