Accepting request 452522 from server:php:applications

udpate to 4.6.6, fix for boo#1021597, several security fixes (forwarded request 452521 from computersalat) OBS-URL: https://build.opensuse.org/request/show/452522 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/phpMyAdmin?expand=0&rev=133
2017-01-29 09:36:39 +00:00 · 2017-01-29 09:36:39 +00:00 · 22e9a87fef
commit 22e9a87fef
parent 3d0d52f21a 6cdaeec496
8 changed files with 101 additions and 42 deletions
--- a/phpMyAdmin-12757_sql_syntax_errror.patch
+++ b/phpMyAdmin-12757_sql_syntax_errror.patch
@ -1,12 +0,0 @@
-diff -Pdpru phpMyAdmin-4.6.5.2-all-languages.orig/libraries/server_privileges.lib.php phpMyAdmin-4.6.5.2-all-languages/libraries/server_privileges.lib.php
--- phpMyAdmin-4.6.5.2-all-languages.orig/libraries/server_privileges.lib.php	2016-12-05 23:36:28.000000000 +0100
-+++ phpMyAdmin-4.6.5.2-all-languages/libraries/server_privileges.lib.php	2017-01-19 18:37:00.016646510 +0100
-@@ -5237,7 +5237,7 @@ function PMA_getHashedPassword($password
-  */
- function PMA_checkIfMariaDBPwdCheckPluginActive()
- {
-    if (Util::getServerType() !== 'MariaDB') {
-+    if (!(Util::getServerType() == 'MariaDB' && PMA_MYSQL_INT_VERSION >= 100002)) {
-         return false;
-     }
- 
--- a/phpMyAdmin-4.6.5.2-all-languages.tar.xz
+++ b/phpMyAdmin-4.6.5.2-all-languages.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8cb549c0cd04ecaa3b2a8d9315e7c88528603fa6fe91057b13173f6afba80894
-size 6136880
--- a/phpMyAdmin-4.6.5.2-all-languages.tar.xz.asc
+++ b/phpMyAdmin-4.6.5.2-all-languages.tar.xz.asc
@ -1,17 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iQIcBAABAgAGBQJYRe46AAoJEM51LxeCWb2SnE0P/A3JOx05rxBghNn6KV+xDJJa
-1/RP3pvzpJSLnZTOeb5fxYkSmAkt3hfH9mU1M+gapvgcO4Fl8PL4IH2vZpQtKPUG
-b6rnI0ataUzElyRhpSkKJNk2UafNNJHe6jdiHkX/A+IBJRaNSvq84DFAb0gYXV2W
-G1fQ3il9a+uu5s15W+wUPKqIr5BbFo/J2Fl6Lrid6BW0lOI2Pya+enZcLEx5kow0
-EM66hRX4/nbQTQO1ldVlxSTLBjgNpvqtdDNK5OpW04e5sAGVUCfvacoqi+bna1dA
-UQkEfrbuIDwlaQAD3fWmED4jUVpw+fDhLpGhTJ23ZPk3ICENshBLYl+44w/vrBR0
-o1dcQnsomMWOlBfANndoUfZOGiEdy33ThNV70J0BBhwOFTfi5H/a0ZucHtJrSUHe
-zE6AtkK//FvNqB5ilk+O5F94hRy44aJXRpFaHkfu0vyg4GrnZHZFqODW7IzbIfxg
-GRNyOsQaxdJB3RjolxlBzudE8DUC7HvT6ULBH5W+AMCJdvke0uWtk03Te2m823Df
-sSvuLk13H8sB+1S5l/BWxTUK3aOQ5AYo1bxjAYFUQRs5JO+g0kUNWJK68fwKYSFM
-EgqP+sSlA62BRqQ9tt46BVILLBbvLdzgSJaCXFQIeDkrW20qFcHMsC66qWyyrign
-YercIbpv7UwKR5yz1r6m
-=mXi6
-----END PGP SIGNATURE-----
--- a/phpMyAdmin-4.6.6-all-languages.tar.xz
+++ b/phpMyAdmin-4.6.6-all-languages.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b7b9e0f88ca740fcba249e7e3e7d51d1923b038b7742cde72de193a2b0a2654f
+size 6147904
--- a/phpMyAdmin-4.6.6-all-languages.tar.xz.asc
+++ b/phpMyAdmin-4.6.6-all-languages.tar.xz.asc
@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQIcBAABAgAGBQJYhlgLAAoJEM51LxeCWb2Sw0MP/AyCMPjYYiwJYR0kO1K3OZAf
+O23AvvpeS5a18vhzuSM3KYcZ6mFKxEUdt7gE+t26Mfzbmh2LnFt/TJeUUTxehhb6
+x4gpopWn9MacGhb2qVEq0HKNXdARlDKTHTvDaQqsNEsPsZgVA1TWoI02vBfZ2y2T
+di8Vrr9BJ8X2J3/UpQnmQTpbxeNrf/fbGG8BKiUUOZYV9zjAKi4WTC6H19XBWIRM
+hLVaO5y5sMLpWG42SuPDhrhGEhpzzBdTw34IBkVIG8jhora++0fxlSDobI4h5ZPt
+lS1voVgd77ktIsWMuLbiTyd1sVmJkty12dLRmbZe8x9AIyz8d0UIj3tgZmObCOtg
+CSbRo0VvlEs+83+C2LrypoTmhXogLnjHkJIsk020aENCzT22IJwzXhqRd4bZsscp
+E0q7JwSUtwKMXFkC8fsb0AqQvJgZu5Ibc9iYJVfZrajLMJKtjMUV4FOUnQRNYyMv
+9y75Ie0dW23A5zk60v0huI3wS+YifYko6GJhdU/VXIA59WWx6yu8eahHo2xAwbhr
+SIgGNXIm6b1f2m6/qUaxFesGGnaqFtFKDWBqQ6Udsb2WS/OsFcQMsse7l41niVrc
+oCjHESm/Y8IeK/BbVw9vzw4q5/pFkmo7vZWbvzu+kfQroOt6nLwsnBAsAGpKSS0S
+HjeOlIip+yt3FTOWt/sw
+=xT3I
+-----END PGP SIGNATURE-----
--- a/phpMyAdmin-config.patch
+++ b/phpMyAdmin-config.patch
@ -253,7 +253,7 @@ Index: libraries/vendor_config.php
 ===================================================================
 --- libraries/vendor_config.php.orig
 +++ libraries/vendor_config.php
-@@ -17,18 +17,18 @@ if (! defined('PHPMYADMIN')) {
+@@ -17,25 +17,25 @@ if (! defined('PHPMYADMIN')) {
  * Path to changelog file, can be gzip compressed. Useful when you want to
  * have documentation somewhere else, eg. /usr/share/doc.
  */
@ -268,14 +268,13 @@ Index: libraries/vendor_config.php
 +define('LICENSE_FILE', '@docdir@/LICENSE');
 
 /**
-  * Path to config file generated using setup script.
+  * Directory where SQL scripts to create/upgrade configuration storage reside.
  */
-define('SETUP_CONFIG_FILE', './config/config.inc.php');
-+define('SETUP_CONFIG_FILE', '@sysconfdir@/config.inc.php');
+-define('SQL_DIR', './sql/');
+define('SQL_DIR', '@docdir@/sql/');
 
 /**
-  * Whether setup requires writable directory where config
-@@ -46,7 +46,7 @@ define('SQL_DIR', './sql/');
+  * Directory where configuration files are stored.
  * It is not used directly in code, just a convenient
  * define used further in this file.
  */
--- a/phpMyAdmin.changes
+++ b/phpMyAdmin.changes
@ -1,3 +1,78 @@
+-------------------------------------------------------------------
+Wed Jan 25 22:12:33 UTC 2017 - chris@computersalat.de
+
+- 4.6.6 (2017-01-23)
+  * gh#12759 Fix Notice regarding 'Undefined index: old_usergroup'
+  * gh#12760 Fix Notice regarding 'Undefined index: users'
+  * gh#12762 Fixed parsing of SQL with BINARY function
+  * gh#12588 ReCaptcha now works without allow_url_fopen
+  * gh#12699 Show no local storage warning only on settings tab
+  * gh#12778 Syntax Error in Adding/Changing TIMESTAMP columns with
+    default value as NULL
+  * gh#12769 Edit/Export links are not clickable under Routines tab
+  * gh#12757 Fixed creating new user with older MariaDB
+  * gh#12784 Remove ctype installation suggestion
+  * gh#12780 Format button replaces all text with blank spaces
+  * gh#12786 Fixed database searching
+  * gh#12792 Fixed javascript error on new version link
+  * gh#12785 Add information about required and suggested extensions
+    to composer.json
+  * gh#12801 Custom header shown twice with cookie login form
+  * gh#12802 Custom footer not shown with auth_type http login failure
+  * gh#12434 Improve documentation for servers running with Suhosin
+  * gh#12800 Updated embedded phpSecLib to 2.0.4
+  * gh#12800 Fixed various issues with PHP 7.1
+  * gh#11816 Fixed operation with lower_case_table_names=2
+  * gh#12813 Fixed stored procedure execution
+  * gh#12826 Honor user configured connection collation
+  * gh#12293 Correctly report OpenSSL errors from cookie encryption
+  * gh#12814 DateTime won't allow to input length in Routine editor
+  * gh#12840 Fix Notice regarding 'Undefined index: row_format' when
+    altering table options
+  * gh#12841 Fixed moving of columns with whitespace in name
+  * gh#12847 Fixed editing of virtual columns
+  * gh#12859 Changed WHERE condition to 0 instead of 1 for SQL query
+    window to avoid accidents
+  * gh#12872 Use same query for display and execution when dropping
+    index
+  * gh#12868 Fix check for user groups freatures being enabled
+  * gh#12876 Fix notices and warning related to dbs_to_test global
+  * gh#12831 Fix table formatting on Insert tab, which mostly
+    affected row highlighting
+  * gh#12495 Reintroduced phpinfo page with limited capabilities
+  * gh#12861 Fix renaming tables with lower_case_table_names=2
+  * gh#12876 Fix possible PHP error in navigation
+  * gh#12881 Fix database search with newer php-gettext
+  * gh#12894 Fix linter error on unterminated variable name
+  * gh#12732 Fixed filtering for active processes
+- fix for boo#1021597
+  * PMASA-2016-44 (CVE-2016-6621, CWE-661)
+    https://www.phpmyadmin.net/security/PMASA-2016-44/
+    - Multiple vulnerabilities in setup script
+  * PMASA-2017-1 ( CVE-Nya, CWE-661)
+    https://www.phpmyadmin.net/security/PMASA-2017-1/
+    - Open redirect
+  * PMASA-2017-2 ( CVE-2015-8980, CWE-661)
+    https://www.phpmyadmin.net/security/PMASA-2017-2/
+    - php-gettext code execution
+  * PMASA-2017-3 ( CVE-Nya, CWE-661)
+    https://www.phpmyadmin.net/security/PMASA-2017-3/
+    - DOS vulnerabiltiy in table editing
+  * PMASA-2017-4 ( CVE-Nya, CWE-661)
+    https://www.phpmyadmin.net/security/PMASA-2017-4/
+    - CSS injection in themes
+  * PMASA-2017-5 ( CVE-Nya, CWE-661)
+    https://www.phpmyadmin.net/security/PMASA-2017-5/
+    - Cookie attribute injection attack
+  * PMASA-2017-6 ( CVE-Nya, CWE-661)
+    https://www.phpmyadmin.net/security/PMASA-2017-6/
+    - SSRF in replication
+  * PMASA-2017-7 ( CVE-Nya, CWE-661)
+    https://www.phpmyadmin.net/security/PMASA-2017-7/
+    - DOS in replication status
+- remove obsolete phpMyAdmin-12757_sql_syntax_errror.patch
+- rework phpMyAdmin-config.patch
+
 -------------------------------------------------------------------
 Thu Jan 19 17:42:49 UTC 2017 - ecsos@opensuse.org

--- a/phpMyAdmin.spec
+++ b/phpMyAdmin.spec
@ -29,7 +29,7 @@
 %define ap_grp nogroup
 %endif
 Name:           phpMyAdmin
-Version:        4.6.5.2
+Version:        4.6.6
 Release:        0
 Summary:        Administration of MySQL over the web
 License:        GPL-2.0+
@ -45,8 +45,6 @@ Source100:      %{name}-rpmlintrc
 Patch0:         %{name}-config.patch
 # Fix-SUSE: auto config for pma storage
 Patch1:         %{name}-pma.patch
-# Fix-SUSE: Fix #12757 SQL syntax errror on MariaDB < 10.0.2 in check for mysql password check plugin
-Patch2:         %{name}-12757_sql_syntax_errror.patch
 BuildRequires:  apache2-devel
 BuildRequires:  python-devel
 BuildRequires:  xz
@ -117,7 +115,6 @@ Currently phpMyAdmin can:
 perl -p -i -e 's|\r\n|\n|' examples/config.manyhosts.inc.php
 %patch0
 %patch1
-%patch2 -p1

 # rpmlint: fix incorrect-fsf-address
 find . -type f | xargs sed -i -e 's:59 Temple Place\, Suite 330\, Boston\, MA  02111-1307  USA:51 Franklin Street\, Fifth Floor\, Boston\, MA 02110-1301 USA:g'