From 98777dc65f14d31fef553f56a987b56f950c2caaffc54d355c4fc3650be7f7bf Mon Sep 17 00:00:00 2001
From: Christian Wittmer
Date: Thu, 18 Aug 2016 14:48:55 +0000
Subject: [PATCH] Accepting request 419986 from home:computersalat:devel:php

update to 4.6.4, fix for boo#994313
OBS-URL: https://build.opensuse.org/request/show/419986
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/phpMyAdmin?expand=0&rev=264
---
 phpMyAdmin-4.6.3-all-languages.tar.xz | 3 -
 phpMyAdmin-4.6.3-all-languages.tar.xz.asc | 17 ----
 phpMyAdmin-4.6.4-all-languages.tar.xz | 3 +
 phpMyAdmin-4.6.4-all-languages.tar.xz.asc | 17 ++++
 phpMyAdmin-config.patch | 6 +-
 phpMyAdmin-pma.patch | 12 +++
 phpMyAdmin.changes | 104 ++++++++++++++++++++++
 phpMyAdmin.keyring | 50 ++++++++++-
 phpMyAdmin.spec | 3 +-
 9 files changed, 188 insertions(+), 27 deletions(-)
 delete mode 100644 phpMyAdmin-4.6.3-all-languages.tar.xz
 delete mode 100644 phpMyAdmin-4.6.3-all-languages.tar.xz.asc
 create mode 100644 phpMyAdmin-4.6.4-all-languages.tar.xz
 create mode 100644 phpMyAdmin-4.6.4-all-languages.tar.xz.asc

diff --git a/phpMyAdmin-4.6.3-all-languages.tar.xz b/phpMyAdmin-4.6.3-all-languages.tar.xz
deleted file mode 100644
index 4ebfbad..0000000
--- a/phpMyAdmin-4.6.3-all-languages.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:943bad38a95f21bb015bdb78c9c067e0ea7510c1b35d4b8e757cb89c413e3bac
-size 6111852
diff --git a/phpMyAdmin-4.6.3-all-languages.tar.xz.asc b/phpMyAdmin-4.6.3-all-languages.tar.xz.asc
deleted file mode 100644
index cf613d7..0000000
--- a/phpMyAdmin-4.6.3-all-languages.tar.xz.asc
+++ /dev/null
@@ -1,17 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1 - -iQIcBAABAgAGBQJXa2bfAAoJEM51LxeCWb2SjXkP/jvbhg55etnApcymsTWy72Ho -7BVvVlRmNdCISs8S2yuh8D417B9WDUGh4YLVu8gv+W0gd+/wUMY1D+WKmAgPJOBh -+Kb+gOMJ9YpGVdCSRpIvtQCyZPxGOAOPM552VfU5+seVOB9InxJAI2jKqVeVDp3Z -j4dQVsp8BRVe3Fe/s2d85L+KaNaQefjehiOhNsIJ2II6mKPHgIECtFkKSBxqoiyx -QpaucMiC6Oivuv3ucGuWc0wfDRbBeSl9zec3t2guikP0rPQORnAxs/xpUGASWmje -Rki8QBcDxePDH62VGRV7Zf0dJfeekZON/aXY/DX3oeAoePACisjyslFZk1S2+yuN -+4NDpRm7Wlq8ZFtlqD5JWfjf+JVj2pAHwKidDDH2Mv+kLTExRefIjFLxGnHU6hVv -Ee8jenDNJpy//JEwRInM3gi63CK0PTJMWAqVQ2OYb3PS9ic/yELQ3amlvnOHfCUF -+e7b3+HWzonV9MkAwkQhAwtmuXNo5/ykwKLCLc0cWGuUI8iAsGdOSKVFFI6WBQL9 -6JepwARr5Ej8Ah/0LI691EKoR3OWEXvRxD2wrZHqlpBQvN0vuy5+/2ZWz17JiYXE -oYoAuE81B4T3k/epy30gR1qThysRyEYMSZ3ekbwLAZDKeeUovBmLq1Fn6TKJfDYe -InisFtPxTLTWY5WuGYXV -=+16s ------END PGP SIGNATURE----- diff --git a/phpMyAdmin-4.6.4-all-languages.tar.xz b/phpMyAdmin-4.6.4-all-languages.tar.xz new file mode 100644 index 0000000..5f7c6db --- /dev/null +++ b/phpMyAdmin-4.6.4-all-languages.tar.xz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:f2ea32a2971efcab073ad41b6512475af1b6da70cf800a5586a12cf49797d319 +size 6137016 diff --git a/phpMyAdmin-4.6.4-all-languages.tar.xz.asc b/phpMyAdmin-4.6.4-all-languages.tar.xz.asc new file mode 100644 index 0000000..c0613f6 --- /dev/null +++ b/phpMyAdmin-4.6.4-all-languages.tar.xz.asc 
@@ -0,0 +1,17 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iQIcBAABAgAGBQJXs39QAAoJEM51LxeCWb2SSBwP/0HKUrPc0D0fLydNQYUPHJpO +nyf7qeEqdYuTezYVbamJePUSY5gCNMGTDh3RFZ9C0WrWqPnGNKX170Hjb4Hl00id ++bxVtn61sR+Fx0S1kZlgg1cVk60xrzKXTluh/3A+fYSv3rCjhjKgMODPNIF3nnjN +ev5UKHrD93laaF9j+y6eKnliW/NAWWdENbHFJVA4LCGCJrBKtLGukGKMuYmuAs9o +QJBtiBkxkUfKKGc/FE6Nr5Y+Pxd7FXl3DT/uGo0PRofrQYwA8TlQ7EWzY+LVxG89 +pPwUc8JEutZALB4x50DLh8Sld4IR88O5khZE6Lc1v/HLyPle9wA5+FYQ7lUYpfIt +ZH1RrEiEljWLiuoOeiohA23wjAkGkjwfycNRh3iXPVnCFtXjsmyK+CuxTPbP+Zxg +AwYnIE2G6QX5R3kAATqce4h7I4ufv6/zIIVe/UgzgBDOeZ75iXZNyiMvwePuWH+r +7aCd5C/yl1wZba9gGhUumKXY7/FGfbNN71PeoRrRy/hr+0Q8VOhMCAkw89eGGp+p +p6bFP22pzNacStVSGnFi4fuSNKIcNXoyKBR8TsTOEhdMghi0Sa/SU+8jrtEaxLr9 +OmzxNuGE9PVyRMz/5Yf63gokM6oAHzOo87qg2mXOVy0FDPNQqMRKxdkYDWMHJyxc +GYHrXIizpGQIR+Ih9/x2 +=lR6c +-----END PGP SIGNATURE----- diff --git a/phpMyAdmin-config.patch b/phpMyAdmin-config.patch index 4095e24..bfefb96 100644 --- a/phpMyAdmin-config.patch +++ b/phpMyAdmin-config.patch @@ -45,7 +45,7 @@ Index: config.sample.inc.php + +/** * This is needed for cookie based authentication to encrypt password in - * cookie + * cookie. Needs to be 32 chars long. + * + * YOU MUST FILL IN THIS FOR COOKIE AUTH! */ @@ -60,7 +60,7 @@ Index: config.sample.inc.php */ $i = 0; -@@ -25,47 +68,155 @@ $i = 0; +@@ -25,45 +68,155 @@ $i = 0; * First server */ $i++; @@ -127,8 +127,6 @@ Index: config.sample.inc.php -// $cfg['Servers'][$i]['central_columns'] = 'pma__central_columns'; -// $cfg['Servers'][$i]['designer_settings'] = 'pma__designer_settings'; -// $cfg['Servers'][$i]['export_templates'] = 'pma__export_templates'; --/* Contrib / Swekey authentication */ --// $cfg['Servers'][$i]['auth_swekey_config'] = '/etc/swekey-pma.conf'; +$cfg['Servers'][$i]['controlhost'] = 'localhost'; +$cfg['Servers'][$i]['controlport'] = ''; +/* diff --git a/phpMyAdmin-pma.patch b/phpMyAdmin-pma.patch index 937f1b1..5862025 100644 --- a/phpMyAdmin-pma.patch +++ b/phpMyAdmin-pma.patch 
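Review bot: The rebased context in the `@@ -45,7 +45,7 @@` hunk of phpMyAdmin-config.patch now reads `* cookie. Needs to be 32 chars long.`, but the hunk carries only the comment; the secret assignment it documents (presumably `$cfg['blowfish_secret']`) sits outside the hunk, so whatever value this package ships or generates for it should be checked against that length. The changelog in this same commit lists `Unsafe generation of BlowfishSecret (when not supplied by the user)` and PMASA-2016-29 among the 4.6.4 fixes, so a short or empty downstream default would weaken the cookie-auth encryption that upstream just hardened. A one-line note in the patch header, such as `# 4.6.4: blowfish_secret must be 32 characters; keep the packaged value in sync`, would make the requirement visible at the next rebase.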
@@ -13,3 +13,15 @@ Index: sql/create_tables.sql -- -------------------------------------------------------- +Index: config.sample.inc.php +=================================================================== +--- config.sample.inc.php.orig ++++ config.sample.inc.php +@@ -202,7 +202,6 @@ $cfg['Servers'][$i]['savedsearches'] + $cfg['Servers'][$i]['central_columns'] = 'pma__central_columns'; + $cfg['Servers'][$i]['designer_settings'] = 'pma__designer_settings'; + $cfg['Servers'][$i]['export_templates'] = 'pma__export_templates'; +-$cfg['Servers'][$i]['auth_swekey_config'] = ''; + */ + + /** diff --git a/phpMyAdmin.changes b/phpMyAdmin.changes index 6f33fb2..4f65ab9 100644 --- a/phpMyAdmin.changes +++ b/phpMyAdmin.changes 
@@ -1,3 +1,107 @@
+-------------------------------------------------------------------
+Thu Aug 18 13:31:57 UTC 2016 - chris@computersalat.de
+
+- 4.6.4 (2016-08-16)
+ - securitiy fixes
+ * Improve session cookie code for openid.php and signon.php example
+ files
+ * Full path disclosure in openid.php and signon.php example files
+ * Unsafe generation of BlowfishSecret (when not supplied by the user)
+ * Referrer leak when phpinfo is enabled
+ * Use HTTPS for wiki links
+ * Improve SSL certificate handling
+ * Fix full path disclosure in debugging code
+ * Administrators could trigger SQL injection attack against users
+ - other fixes
+ * Remove Swekey support
+ * Include X-Robots-Tag header in responses
+ * Enforce numeric field length when creating table
+ * Fixed invalid Content-Length in some HTTP responses
+ * gh#12394 Create view should require a view name
+ * gh#12391 Message with 'Change password successfully' displayed,
+ but does not take effect
+ * Tighten control on PHP sessions and session cookies
+ * gh#12409 Re-enable overhead on server databases view
+ * gh#12414 Fixed rendering of Original theme
+ * gh#12413 Fixed deleting users in non English locales
+ * gh#12416 Fixed replication status output in Databases listing
+ * gh#12303 Avoid typecasting to float when not needed
+ * gh#12425 Duplicate message variable names in messages.inc.php
+ * gh#12399 Adding index to table shows wrong top navigation
+ * gh#12424 Fixed password change on MariaDB without auth plugin
+ * gh#12339 Do not error on unset server port
+ * gh#12422 Improvements to the original theme
+ * gh#12395 Do not try to load old transformation plugins
+ * gh#12423 Fixed replication status in database listing
+ * gh#12433 Copy table with prefix does not copy the indexes
+ * gh#12375 Search in database: Window content is not scrolling down
+ when clicking first time on Browse link
+ * gh#12346 SQL Editor textareas can have their size increased from
+ the top, distorting the page view
+- 
fix for boo#994313
+ https://www.phpmyadmin.net/security/
+ * Weaknesses with cookie encryption
+ see PMASA-2016-29 (CVE-2016-6606, CWE-661)
+ * Multiple XSS vulnerabilities
+ see PMASA-2016-30 (CVE-2016-6607, CWE-661)
+ * Multiple XSS vulnerabilities
+ see PMASA-2016-31 (CVE-2016-6608, CWE-661)
+ * PHP code injection
+ see PMASA-2016-32 (CVE-2016-6609, CWE-661)
+ * Full path disclosure
+ see PMASA-2016-33 (CVE-2016-6610, CWE-661)
+ * SQL injection attack
+ see PMASA-2016-34 (CVE-2016-6611, CWE-661)
+ * Local file exposure through LOAD DATA LOCAL INFILE
+ see PMASA-2016-35 (CVE-2016-6612, CWE-661)
+ * Local file exposure through symlinks with UploadDir
+ see PMASA-2016-36 (CVE-2016-6613, CWE-661)
+ * Path traversal with SaveDir and UploadDir
+ see PMASA-2016-37 (CVE-2016-6614, CWE-661)
+ * Multiple XSS vulnerabilities
+ see PMASA-2016-38 (CVE-2016-6615, CWE-661)
+ * SQL injection vulnerability as control user
+ see PMASA-2016-39 (CVE-2016-6616, CWE-661)
+ * SQL injection vulnerability
+ see PMASA-2016-40 (CVE-2016-6617, CWE-661)
+ * Denial-of-service attack through transformation feature
+ see PMASA-2016-41 (CVE-2016-6618, CWE-661)
+ * SQL injection vulnerability as control user
+ see PMASA-2016-42 (CVE-2016-6619, CWE-661)
+ * Verify data before unserializing
+ see PMASA-2016-43 (CVE-2016-6620, CWE-661)
+ * SSRF in setup script
+ see PMASA-2016-44 (CVE-2016-6621, CWE-661)
+ * Denial-of-service attack with
+ $cfg['AllowArbitraryServer'] = true and persistent connections
+ see PMASA-2016-45 (CVE-2016-6622, CWE-661)
+ * Denial-of-service attack by using for loops
+ see PMASA-2016-46 (CVE-2016-6623, CWE-661)
+ * Possible circumvention of IP-based allow/deny rules with IPv6 and
+ proxy server
+ see PMASA-2016-47 (CVE-2016-6624, CWE-661)
+ * Detect if user is logged in
+ see PMASA-2016-48 (CVE-2016-6625, CWE-661)
+ * Bypass URL redirection protection
+ see PMASA-2016-49 (CVE-2016-6626, CWE-661)
+ * Referrer leak
+ see PMASA-2016-50 (CVE-2016-6627, CWE-661)
+ * Reflected 
File Download
+ see PMASA-2016-51 (CVE-2016-6628, CWE-661)
+ * ArbitraryServerRegexp bypass
+ see PMASA-2016-52 (CVE-2016-6629, CWE-661)
+ * Denial-of-service attack by entering long password
+ see PMASA-2016-53 (CVE-2016-6630, CWE-661)
+ * Remote code execution vulnerability when running as CGI
+ see PMASA-2016-54 (CVE-2016-6631, CWE-661)
+ * Denial-of-service attack when PHP uses dbase extension
+ see PMASA-2016-55 (CVE-2016-6632, CWE-661)
+ * Remove tode execution vulnerability when PHP uses dbase extension
+ see PMASA-2016-56 (CVE-2016-6633, CWE-661)
+- fix deps
+ * add missing php-gettext
+- rebase phpMyAdmin-config.patch
+
 -------------------------------------------------------------------
 Thu Jun 23 12:10:01 UTC 2016 - chris@computersalat.de
diff --git a/phpMyAdmin.keyring b/phpMyAdmin.keyring
index 6b8d09f..877c486 100644
--- a/phpMyAdmin.keyring
+++ b/phpMyAdmin.keyring
@@ -479,6 +479,52 @@ pvy4/CS81cG0yI0NjDLAIbe3Lxoycn7ci4Ce+69XU5sdUa9upoyqzkMgZt8VkBtK nuNOb0hz/9EA42nix1i+nNM9tLJeSk6xuU5iBmILJECR9Ku12BFrn+IVdD5eElh/ 3E7gABPIVgtr+XfPKf4rkK2G0C8rap+SlSsV6yl4ERtjPuHKPfPNtPnEIOSb2Vjr kca1ZiPiutsGnQFyjEks7cMYc09UMRa7G3wejSU4pR7HrrgvNk0egcO/zh/Sew59 -gdi0WntFEdmqB431mw== -=sUWP +gdi0WntFEdmqB431m5kCDQRXoKIiARAAzBwbBui7mxdMbRUNKi7zQvEUo3iflJp+ +YcIDXaFr0PACA0r82Jg7XOqUOmnUu/1srsJlLJuVxHmOy3BG8fecbunzooS23EcL +2Fp/ntMuQr7pK8VmzxvlOenPASXf+RW7puOV/chRpsq6cCNTUSQ4zr0Zr+3j9m21 +3l8EbVw4c+YQlFrwpdS+RYkH9cvRoqUcFQAMlmWGOvSJtFynH0FX56m1/Ay1ASTf +Zu7sn7U1c5auwOmIkVRboQaulDahRxkuXrd7cNP1c6/ggyIgXlTtG2/fpXPOIJ08 +iA1U9nYU8t7T8Xp9WlQjkSoYatJjQyRTfm2bbJWrQ8c4jdNyPCqQhmuZdh/YRdy3 +yFAbPoZMG8C+FxEfgJ/Q5ZQLCx5cXdndpIsXKf2+cMnlxDziuUM4Nz16CIAqvo59 +Q666G0t7e+fQ8IdvPfU30HPxQHfF3kmuqWUoW5jQOb1kwOGpozT3BEY6ELVIa7Mc +A+dLf9nIPTPlZ3F0GvySR1iuQYU0aWh54hb1TE4ogH5IhRjrEtbiyQm25sqPUBCK +1KGW6NciqHNXKksTldEjYeYyUz2BCN+LpisEqAfpMRKAvHnz9rTYmfd4HAMiJKgw +++U9EjbG7nDUxjaJ2ti5BhbH2RJCcI8BQM8P+S0SSVezwaEc9Ibd+41FfUHjplgk +dhVFyopvyCUAEQEAAbQycGhwTXlBZG1pbiBTZWN1cml0eSBUZWFtIDxzZWN1cml0 +eUBwaHBteWFkbWluLm5ldD6JAjcEEwEIACEFAlegoiICGwMFCwkIBwMFFQoJCAsF +FgIDAQACHgECF4AACgkQ2mirOSGKuUcFww/+MdyJg7NhzSkW3mNQy9yrZKHc3vmJ +o4wdGgv7EMvDbSXv4dn1WMz++DoN32auA8ol/MrCzFXa8iThsbf+Bp24YqA9XdF5 +veHXnsETG5toBRxcAe2vHSTP6BW10j5CzsCzDzwnP7MD2jILESdwvL5iyQjb3sUq +dk3iHEQV3C8hUYGnaiL4cBtCCBf4dpNwN/OVFQXuEf5u8otdgGci2cSulK74m/Re +5NcL1F/+Qcksj7nOxAWoEIP3lGSclTE1cnS95pR5GpTk23+dPWxUk7mHBl62K0fu +QUTIGouZpg2nEL8VCxieE4HNw6ueSDCSlSNCOqQKGq+14OdRtnPwlrXmGL+3dSWs +w8qJA+AUVtnKOuQ+w8ohJ5KuPssb/W52e/mIQ3F5O5JJH3V0F8lAY7Go4cG2zpHh +Wjscu6RDNkMtpP3MCGpBpg9yZmtMJ7eKRtjusJh8KzSokJ+lyryX3ZOEFKMcofkj +/0Z6o8FHj5cnI/eVUcT03J3OheKFHj5l78ZO4S9NPBP6RGr1b0zSGZKrWt+gZ91u +k0s7VeNvZq1yMsmt21FG6TkVPj+LKSMX/nZ7zhWaZ76eJ2eYpSEnszW+7MTws9rN +hKxb3jeKm7VuJk5Ygd3OFM0jvN9V0Q0S3wlbr9wfXiEg8AIqVwKtCkJWhqLqIZoT +ExGeJbK27IfmEGO5Ag0EV6CiIgEQAN2LmzsfU3fpRdH/P4ZmSmmC5wzQWYPS/Dob 
+ZJPpE+HSiymyyOholcZzV5wDfbnXBggXlKd4Ecqy7NaNGDHMxUPRu3pK0pcNcZC2 +QoopamKX0GiGuIovTWUGrY1r06Gc8zWKuAzbxc+vSgDRiWbu+fHdPT+jhUQJ+7If +IpT6fcHr0rARKI5b2xaa0erqfV/B+Qw+/uydw2o1e+9gAthnzd7pBWzpaGnc829P +U9+u3nhep7TTwvIkZI0gBzlhPQrDdjfc/ukJCOQ8JnlFCGRHWM0tbnthJ3FDGucZ +VQVfar+L3ia/V/++NRYOfL+hNOB8Rkj4YvTR7VgXJa3PKea8qgyGkOPHbeMpJ55w +vCyexGdOqQyLNqwCtXVD41nGIyWAqTu1LBpQn33vxQ6eEcLQ/mJm8adCXaVrcwiD +e1O+bYWrebmPEWxLh6vCZ8Odpa79gZ2tjBh1W0xacsaiWH0YbnNjeBX06M8cwELm +8KJJlpRic4hw4zEnszGQSdYO1jQ0A1fat+q4zekqFqhA04w6+bu91jYgLFs6PK/W +tquKnL8EHsuNa5/43hAQzxr4TeMse3VFqBXShgQFxjyGVSbR0KTPJKBb+rN7z0jl +H0cKW6BqXtOMkHMeqqBJB8d94DdgSyj15TB8a+3oxYH7fyTw19iyNhWiuvk7/Gpo +nAqhr2qNABEBAAGJAh8EGAEIAAkFAlegoiICGwwACgkQ2mirOSGKuUceaRAAowuk +DF7Nlnasozrh6AYlRNhrT/KQ0u38iuzxdftw8ONXRTQ1RiIwzQAQcRoFvN5yq1ft +9EgK3rTbEV9KSiMH5e1HGs1RTRMdmPPSh0507hiMjAvApOpJhDO0ODodNLzye4bt +ZrIrHh+nw/wlWBYX/DDl5vo8BUWyDTyA17Bt4P0za9WQKCez6QK01upM+h7fQKzz +JJFvuWH+rGxDS83Bes+QRMhtKYWqTB7MGwPUPswCc2dzq97914pR2+8fJhfmHzB1 +6KadYM+oe1/XlO4RzSo2cpBHss5WL12/b6CGrIS5FcjosLGbco0YzQGoRn/FLU/M +dINWyVVjHx6SK2RnM/p9k5RULeK0bYZCw2kU/TCjrh7WMbGf1qXBzb77mHBpzb6r +Hprtwt0+ztKFVF8kDTqh9NOx3eCRUJ0xVgu3anYdm857q6H/nED33wO1MesU6FqL +8G/5Uo243jCgtOtzmiyucxHNG1S/qyjF/0iz+m3oBa3+aL5S8a5im7hV235S7Nng +c6qZp/l+Rm4qIR2IPYA5R8G5OvdDmgkdpkV764prh0kjIUMF5RGr1UXyVpIxBwI3 +MN3RZjWrI6uO/+GyenlH3z4xGRynBnVLqukUy0Y175jsQDO0XZQpJeN8eNeGggbC +eBSXxBqkCxwoDujCb11Pxrgn0sKI8zAmokL1oFc= +=PdQl -----END PGP PUBLIC KEY BLOCK----- diff --git a/phpMyAdmin.spec b/phpMyAdmin.spec index 04ce3f7..2361889 100644 --- a/phpMyAdmin.spec +++ b/phpMyAdmin.spec @@ -29,7 +29,7 @@ %define ap_grp nogroup %endif Name: phpMyAdmin -Version: 4.6.3 +Version: 4.6.4 Release: 0 Summary: Administration of MySQL over the web License: GPL-2.0+ @@ -52,6 +52,7 @@ BuildRequires: xz Requires: mod_php_any >= 5.5 Requires: php-bz2 Requires: php-gd +Requires: php-gettext Requires: php-iconv Requires: php-json Requires: php-mbstring