Accepting request 419987 from server:php:applications

update to 4.6.4, fix for boo#994313 (forwarded request 419986 from computersalat)

OBS-URL: https://build.opensuse.org/request/show/419987
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/phpMyAdmin?expand=0&rev=127
This commit is contained in:
Dominique Leuenberger 2016-08-22 08:07:11 +00:00 committed by Git OBS Bridge
commit 195c46916d
9 changed files with 188 additions and 27 deletions


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:943bad38a95f21bb015bdb78c9c067e0ea7510c1b35d4b8e757cb89c413e3bac
size 6111852


@ -1,17 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----


@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:f2ea32a2971efcab073ad41b6512475af1b6da70cf800a5586a12cf49797d319
size 6137016
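Review bot: the sha256 in this LFS pointer is the object id of the stored tarball, not an upstream-published checksum, so this hunk by itself does not establish that the 6137016-byte file is the genuine phpMyAdmin 4.6.4 release. The accompanying signature file added in this request is what verifies it; the review should confirm that signature validates against a key already present in the packaged keyring rather than only against key material that this same request adds.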


@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----


@ -45,7 +45,7 @@ Index: config.sample.inc.php
+ +
+/** +/**
* This is needed for cookie based authentication to encrypt password in * This is needed for cookie based authentication to encrypt password in
* cookie * cookie. Needs to be 32 chars long.
+ * + *
+ * YOU MUST FILL IN THIS FOR COOKIE AUTH! + * YOU MUST FILL IN THIS FOR COOKIE AUTH!
*/ */
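Review bot: the rebased comment "Needs to be 32 chars long." only documents the requirement for the blowfish secret this comment describes; the changelog in this request lists "Unsafe generation of BlowfishSecret (when not supplied by the user)" and PMASA-2016-29 (weaknesses with cookie encryption), so a shipped config that leaves the value empty depends on exactly the runtime fallback this release had to fix. Consider having the package populate a 32-character random value at install time, or at least keep the "YOU MUST FILL IN THIS FOR COOKIE AUTH!" line prominent in the config the package installs.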
@ -60,7 +60,7 @@ Index: config.sample.inc.php
*/ */
$i = 0; $i = 0;
@@ -25,47 +68,155 @@ $i = 0; @@ -25,45 +68,155 @@ $i = 0;
* First server * First server
*/ */
$i++; $i++;
@ -127,8 +127,6 @@ Index: config.sample.inc.php
-// $cfg['Servers'][$i]['central_columns'] = 'pma__central_columns'; -// $cfg['Servers'][$i]['central_columns'] = 'pma__central_columns';
-// $cfg['Servers'][$i]['designer_settings'] = 'pma__designer_settings'; -// $cfg['Servers'][$i]['designer_settings'] = 'pma__designer_settings';
-// $cfg['Servers'][$i]['export_templates'] = 'pma__export_templates'; -// $cfg['Servers'][$i]['export_templates'] = 'pma__export_templates';
-/* Contrib / Swekey authentication */
-// $cfg['Servers'][$i]['auth_swekey_config'] = '/etc/swekey-pma.conf';
+$cfg['Servers'][$i]['controlhost'] = 'localhost'; +$cfg['Servers'][$i]['controlhost'] = 'localhost';
+$cfg['Servers'][$i]['controlport'] = ''; +$cfg['Servers'][$i]['controlport'] = '';
+/* +/*
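Review bot: dropping the "/* Contrib / Swekey authentication */" and auth_swekey_config lines from the patch context matches the "Remove Swekey support" entry in the changelog, and the adjusted header in the preceding hunk ("@@ -25,47 +68,155 @@" becoming "@@ -25,45 +68,155 @@", two fewer old lines) is consistent with exactly those two lines disappearing, so the rebase looks mechanically correct.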


@ -13,3 +13,15 @@ Index: sql/create_tables.sql
-- -------------------------------------------------------- -- --------------------------------------------------------
Index: config.sample.inc.php
===================================================================
--- config.sample.inc.php.orig
+++ config.sample.inc.php
@@ -202,7 +202,6 @@ $cfg['Servers'][$i]['savedsearches']
$cfg['Servers'][$i]['central_columns'] = 'pma__central_columns';
$cfg['Servers'][$i]['designer_settings'] = 'pma__designer_settings';
$cfg['Servers'][$i]['export_templates'] = 'pma__export_templates';
-$cfg['Servers'][$i]['auth_swekey_config'] = '';
*/
/**
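Review bot: the new section added to phpMyAdmin-config.patch deletes `$cfg['Servers'][$i]['auth_swekey_config'] = '';` from upstream's config.sample.inc.php at line 202, and the closing `*/` context shows the line sits inside a commented-out block, so removing it has no functional effect and is cleanup consistent with the Swekey removal. The "@@ -202,7 +202,6 @@" header and the single "-" line agree with each other; the only thing to confirm is that the patch still applies cleanly against the 4.6.4 tarball, since this is the hunk most likely to drift as upstream finishes removing the Swekey remnants.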


@ -1,3 +1,107 @@
-------------------------------------------------------------------
Thu Aug 18 13:31:57 UTC 2016 - chris@computersalat.de
- 4.6.4 (2016-08-16)
- securitiy fixes
* Improve session cookie code for openid.php and signon.php example
files
* Full path disclosure in openid.php and signon.php example files
* Unsafe generation of BlowfishSecret (when not supplied by the user)
* Referrer leak when phpinfo is enabled
* Use HTTPS for wiki links
* Improve SSL certificate handling
* Fix full path disclosure in debugging code
* Administrators could trigger SQL injection attack against users
- other fixes
* Remove Swekey support
* Include X-Robots-Tag header in responses
* Enforce numeric field length when creating table
* Fixed invalid Content-Length in some HTTP responses
* gh#12394 Create view should require a view name
* gh#12391 Message with 'Change password successfully' displayed,
but does not take effect
* Tighten control on PHP sessions and session cookies
* gh#12409 Re-enable overhead on server databases view
* gh#12414 Fixed rendering of Original theme
* gh#12413 Fixed deleting users in non English locales
* gh#12416 Fixed replication status output in Databases listing
* gh#12303 Avoid typecasting to float when not needed
* gh#12425 Duplicate message variable names in messages.inc.php
* gh#12399 Adding index to table shows wrong top navigation
* gh#12424 Fixed password change on MariaDB without auth plugin
* gh#12339 Do not error on unset server port
* gh#12422 Improvements to the original theme
* gh#12395 Do not try to load old transformation plugins
* gh#12423 Fixed replication status in database listing
* gh#12433 Copy table with prefix does not copy the indexes
* gh#12375 Search in database: Window content is not scrolling down
when clicking first time on Browse link
* gh#12346 SQL Editor textareas can have their size increased from
the top, distorting the page view
- fix for boo#994313
https://www.phpmyadmin.net/security/
* Weaknesses with cookie encryption
see PMASA-2016-29 (CVE-2016-6606, CWE-661)
* Multiple XSS vulnerabilities
see PMASA-2016-30 (CVE-2016-6607, CWE-661)
* Multiple XSS vulnerabilities
see PMASA-2016-31 (CVE-2016-6608, CWE-661)
* PHP code injection
see PMASA-2016-32 (CVE-2016-6609, CWE-661)
* Full path disclosure
see PMASA-2016-33 (CVE-2016-6610, CWE-661)
* SQL injection attack
see PMASA-2016-34 (CVE-2016-6611, CWE-661)
* Local file exposure through LOAD DATA LOCAL INFILE
see PMASA-2016-35 (CVE-2016-6612, CWE-661)
* Local file exposure through symlinks with UploadDir
see PMASA-2016-36 (CVE-2016-6613, CWE-661)
* Path traversal with SaveDir and UploadDir
see PMASA-2016-37 (CVE-2016-6614, CWE-661)
* Multiple XSS vulnerabilities
see PMASA-2016-38 (CVE-2016-6615, CWE-661)
* SQL injection vulnerability as control user
see PMASA-2016-39 (CVE-2016-6616, CWE-661)
* SQL injection vulnerability
see PMASA-2016-40 (CVE-2016-6617, CWE-661)
* Denial-of-service attack through transformation feature
see PMASA-2016-41 (CVE-2016-6618, CWE-661)
* SQL injection vulnerability as control user
see PMASA-2016-42 (CVE-2016-6619, CWE-661)
* Verify data before unserializing
see PMASA-2016-43 (CVE-2016-6620, CWE-661)
* SSRF in setup script
see PMASA-2016-44 (CVE-2016-6621, CWE-661)
* Denial-of-service attack with
$cfg['AllowArbitraryServer'] = true and persistent connections
see PMASA-2016-45 (CVE-2016-6622, CWE-661)
* Denial-of-service attack by using for loops
see PMASA-2016-46 (CVE-2016-6623, CWE-661)
* Possible circumvention of IP-based allow/deny rules with IPv6 and
proxy server
see PMASA-2016-47 (CVE-2016-6624, CWE-661)
* Detect if user is logged in
see PMASA-2016-48 (CVE-2016-6625, CWE-661)
* Bypass URL redirection protection
see PMASA-2016-49 (CVE-2016-6626, CWE-661)
* Referrer leak
see PMASA-2016-50 (CVE-2016-6627, CWE-661)
* Reflected File Download
see PMASA-2016-51 (CVE-2016-6628, CWE-661)
* ArbitraryServerRegexp bypass
see PMASA-2016-52 (CVE-2016-6629, CWE-661)
* Denial-of-service attack by entering long password
see PMASA-2016-53 (CVE-2016-6630, CWE-661)
* Remote code execution vulnerability when running as CGI
see PMASA-2016-54 (CVE-2016-6631, CWE-661)
* Denial-of-service attack when PHP uses dbase extension
see PMASA-2016-55 (CVE-2016-6632, CWE-661)
* Remove tode execution vulnerability when PHP uses dbase extension
see PMASA-2016-56 (CVE-2016-6633, CWE-661)
- fix deps
* add missing php-gettext
- rebase phpMyAdmin-config.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Jun 23 12:10:01 UTC 2016 - chris@computersalat.de Thu Jun 23 12:10:01 UTC 2016 - chris@computersalat.de
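Review bot: two typos in the new changelog entry are worth fixing before accept: "securitiy fixes" should read "security fixes", and "Remove tode execution vulnerability when PHP uses dbase extension" (PMASA-2016-56, CVE-2016-6633) should read "Remote code execution vulnerability ...", which matters because this wording is what downstream users grep for when assessing which CVEs the update closes. The entry is otherwise thorough: it lists each advisory with its PMASA and CVE identifier and records the boo#994313 reference, which is what the OBS request description points at.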


@ -479,6 +479,52 @@ pvy4/CS81cG0yI0NjDLAIbe3Lxoycn7ci4Ce+69XU5sdUa9upoyqzkMgZt8VkBtK
-----END PGP PUBLIC KEY BLOCK----- -----END PGP PUBLIC KEY BLOCK-----
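Review bot: this keyring hunk appends new key material after the old block end ("gdi0WntFEdmqB431mw==" is continued into a further packet) rather than replacing the existing key. Because the new tarball's signature is checked against this keyring, the review should list the resulting keyring with gpg (for example `gpg --with-fingerprint` on the file) and confirm that any newly added key or subkey belongs to the phpMyAdmin release signers before trusting the signature check; an unverified key added here would pass the source verification by construction.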


@ -29,7 +29,7 @@
%define ap_grp nogroup %define ap_grp nogroup
%endif %endif
Name: phpMyAdmin Name: phpMyAdmin
Version: 4.6.3 Version: 4.6.4
Release: 0 Release: 0
Summary: Administration of MySQL over the web Summary: Administration of MySQL over the web
License: GPL-2.0+ License: GPL-2.0+
@ -52,6 +52,7 @@ BuildRequires: xz
Requires: mod_php_any >= 5.5 Requires: mod_php_any >= 5.5
Requires: php-bz2 Requires: php-bz2
Requires: php-gd Requires: php-gd
Requires: php-gettext
Requires: php-iconv Requires: php-iconv
Requires: php-json Requires: php-json
Requires: php-mbstring Requires: php-mbstring
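Review bot: the added "Requires: php-gettext" matches the "fix deps / add missing php-gettext" entry in the changelog, and its placement between php-gd and php-iconv keeps the existing alphabetical order of the Requires lines, so nothing further is needed for this hunk.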