From fdcead68a0a6d7c29c7dccf05150fa0d0b710930d7b1a9c84dff55bc9b3d91ba Mon Sep 17 00:00:00 2001
From: Eric Schirra
Date: Sat, 28 May 2016 09:01:58 +0000
Subject: [PATCH 1/3] Accepting request 398442 from home:ecsos:server

update to 4.6.2 Also include: - Security fixes:
+ * PMASA-2016-14 (CVE-2016-5097, CWE-661)
+ https://www.phpmyadmin.net/security/PMASA-2016-14/
+ - User SQL queries can be revealed through URL GET parameters,
+ see PMASA-2016-14
+ * PMASA-2016-16 (CVE-2016-5099, CWE-661)
+ https://www.phpmyadmin.net/security/PMASA-2016-16/
+ - Self XSS vulneratbility, see PMASA-2016-16
OBS-URL: https://build.opensuse.org/request/show/398442
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/phpMyAdmin?expand=0&rev=258
---
 phpMyAdmin-4.6.1-all-languages.tar.xz | 3 --
 phpMyAdmin-4.6.1-all-languages.tar.xz.asc | 17 ------
 phpMyAdmin-4.6.2-all-languages.tar.xz | 3 ++
 phpMyAdmin-4.6.2-all-languages.tar.xz.asc | 17 ++++++
 phpMyAdmin-config.patch | 64 ++++++----------------
 phpMyAdmin.changes | 33 ++++++++++++
 phpMyAdmin.spec | 6 +--
 7 files changed, 73 insertions(+), 70 deletions(-)
 delete mode 100644 phpMyAdmin-4.6.1-all-languages.tar.xz
 delete mode 100644 phpMyAdmin-4.6.1-all-languages.tar.xz.asc
 create mode 100644 phpMyAdmin-4.6.2-all-languages.tar.xz
 create mode 100644 phpMyAdmin-4.6.2-all-languages.tar.xz.asc
diff --git a/phpMyAdmin-4.6.1-all-languages.tar.xz b/phpMyAdmin-4.6.1-all-languages.tar.xz
deleted file mode 100644
index 5484a78..0000000
--- a/phpMyAdmin-4.6.1-all-languages.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:cc85edc5b71bacf6fead0ffaecbd5395fa31fd7bfd6b4a9b12720baa7e715b66
-size 6109268
diff --git a/phpMyAdmin-4.6.1-all-languages.tar.xz.asc b/phpMyAdmin-4.6.1-all-languages.tar.xz.asc
deleted file mode 100644
index 65629f8..0000000
--- a/phpMyAdmin-4.6.1-all-languages.tar.xz.asc
+++ /dev/null
@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iQIcBAABAgAGBQJXJ8YFAAoJEM51LxeCWb2SnlMQALvBPcVpGtGtkD/akvRj/Ydq
-MB9DLrpAmTOMAmh/dgBsEmcDDdH8lndim2eJ06H5rfkTCFNKLFsg7oMEIMJ8NMUT
-1+qNQoGPjOhZxDC3XylfzGgGY06/ZC8h8uMV5wXQEc43RZqSjfUrU+epMwllwJg/
-2E3MD9HvZro+sZblJtnoPGtrKX0qWNwLmWx44g6j/fySAjco+d5dAsqATmEponwu
-E9yKklU5zsXASEvp9DEj7RDuv35i8Faz1NUq8MLxVaPuLfB9ySb9vXGOVTwauTfo
-Kj5eb87kERsoQeZ+vtOxYY19nEma6D8cYdUOqEdd3P7b7EnbVvxmcVtD9/nOPZm0
-IIhBU6jg0wkk0HgYFjp+FUGZhODiodJDpwrWOexuUpnWMcsQnYP4BxWu9OGmsoR/
-9QxLa5jRlPE5gUr/oLcT85QTHmTWfGC94cJqp1z0S5uOBrrUR4YhvOLfEXEGSKib
-xISEWzFthgZNAS+kbZ0TyIknn9agBknOM8H1Crcue7A0hyWEN/r0M2OPTezMpRGd
-Uc5NXutMGNjCLEYupymrpJ5qokSsD5JFdRFcbFF9nQ136tKk/jbrI9CLgCfAHEon
-Tfwl/023JnA8Ja8FFkQ8Ux1RtJtTr8J62JY9/DP8ke3z43cgqUYJUZqF/NAPZG/w
-4/k/rBrL9QMW+Fbv5hsd
-=EsaU
------END PGP SIGNATURE-----
diff --git a/phpMyAdmin-4.6.2-all-languages.tar.xz b/phpMyAdmin-4.6.2-all-languages.tar.xz
new file mode 100644
index 0000000..7ab9532
--- /dev/null
+++ b/phpMyAdmin-4.6.2-all-languages.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2ae6f6f0e8697b5ab5d0334bb16fa59da9143dce0d4576e6370ef54f7ad28872
+size 6128060
diff --git a/phpMyAdmin-4.6.2-all-languages.tar.xz.asc b/phpMyAdmin-4.6.2-all-languages.tar.xz.asc
new file mode 100644
index 0000000..e6c9278
--- /dev/null
+++ b/phpMyAdmin-4.6.2-all-languages.tar.xz.asc
@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQIcBAABAgAGBQJXRdzsAAoJEM51LxeCWb2S6twP/RgEIqZLTb6owbFcluemz7Ca
+IPIjJAar09RAItb26AaASYEl4Hte9pTnGbXhF8Kob8uPRR28Zsv+WKjMa1TS3shx
+K05OXqe7lH49a0nCL1Ytcb7AhXr/vSOaoRGP8Y8HrzK9wnD6GdNf/2O9Ms9CKtvt
+4SJx0LyqRoW0jrqXUUzJ1vMNWuOehtPZm5eb5HnuvRWpg7hUBUaU8X+5jywuzDkT
+ueduW9plpuNtODZaYF0Awd2uyLgkaUM7BtC0wGB2B4BE4ywUTIVoq0XJhAhVyDqX
+f+xK/ynKSot3S5Hi5Ba/ZAINQ+4ckMQTBho2gA23poX6ieQXhogZAQKwgcoInsFz
+09E93crz6oInuUCKPvpmbCkJ1liIz340RETPsz6RF8nR4sNevzE/4kU6jPAlTljZ
+6JMArTE1T5rU7CZDEncqdNVZBbhCTK0aBJI9pVX/z8Fl+qUR9wNececfkBROaDyU
+1EmMEtFLgvI69OiCf1i6Zs/7N92WPNEuBq67SO57d4ddIG3jw46pXD5UiPhVWdw3
+jiP1FkTuO5rv3UJ8Csp2AGx1Mz9KejxxL+x/qkes8+Trmvtzy01yuUHaUWTxf3vO
+aZiWWtNPUYxwliNpN1O02FMtao1PczywXPdrUURLAIE0YJfnacyFRsVxBWOdJQLy
+Yap2geqJTeLyvjHDO/2b
+=EcxN
+-----END PGP SIGNATURE-----
diff --git a/phpMyAdmin-config.patch b/phpMyAdmin-config.patch
index a66b387..effa137 100644
--- a/phpMyAdmin-config.patch
+++ b/phpMyAdmin-config.patch
@@ -1,30 +1,10 @@ -Index: config.sample.inc.php -=================================================================== ---- config.sample.inc.php.orig -+++ config.sample.inc.php -@@ -11,13 +11,76 @@ +diff -Pdpru phpMyAdmin-4.6.2-all-languages.orig/config.sample.inc.php phpMyAdmin-4.6.2-all-languages/config.sample.inc.php +--- phpMyAdmin-4.6.2-all-languages.orig/config.sample.inc.php 2016-05-25 19:07:44.000000000 +0200 ++++ phpMyAdmin-4.6.2-all-languages/config.sample.inc.php 2016-05-28 10:30:30.138092225 +0200 +@@ -11,13 +11,56 @@ */ /** -+ * Your phpMyAdmin url -+ * -+ * Complete the variable below with the full url ie -+ * https://www.your_web.net/path_to_your_phpMyAdmin_directory/ -+ * -+ * It must contain characters that are valid for a URL, and the path is -+ * case sensitive on some Web servers, for example Unix-based servers. -+ * -+ * In most cases you can leave this variable empty, as the correct value -+ * will be detected automatically. However, we recommend that you do -+ * test to see that the auto-detection code works in your system. A good -+ * test is to browse a table, then edit a row and save it. There will be -+ * an error message if phpMyAdmin cannot auto-detect the correct value. -+ * -+ * Default: '' -+ */ -+/* $cfg['PmaAbsoluteUri'] = ''; -+ -+/** + * Disable the default warning that is displayed on the DB Details Structure + * page if any of the required Tables for the relationfeatures could not be + * found @@ -61,7 +41,7 @@ Index: config.sample.inc.php + * Default: en + */ +/* $cfg['DefaultLang'] = 'de'; -+ ++ +/** * This is needed for cookie based authentication to encrypt password in * cookie 
@@ -70,17 +50,16 @@ Index: config.sample.inc.php */ -$cfg['blowfish_secret'] = ''; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */ +$cfg['blowfish_secret'] = ''; -+ /** * Servers configuration + * + * for more info/explanation about these VARS have look at -+ * libraries/config.default.php ++ * libraries/config.default.php */ $i = 0; -@@ -25,47 +88,158 @@ $i = 0; +@@ -25,47 +68,155 @@ $i = 0; * First server */ $i++; @@ -112,7 +91,6 @@ Index: config.sample.inc.php +$cfg['Servers'][$i]['verbose_check'] = true; +$cfg['Servers'][$i]['AllowDeny']['order'] = ''; +$cfg['Servers'][$i]['AllowDeny']['rules'] = array(); -+ /** * phpMyAdmin configuration storage settings. @@ -121,19 +99,18 @@ Index: config.sample.inc.php + * libraries/config.default.php */ --/* User used to manipulate with storage */ + /* User used to manipulate with storage */ -// $cfg['Servers'][$i]['controlhost'] = ''; -// $cfg['Servers'][$i]['controlport'] = ''; -// $cfg['Servers'][$i]['controluser'] = 'pma'; -// $cfg['Servers'][$i]['controlpass'] = 'pmapass'; -+$cfg['Servers'][$i]['controlhost'] = 'localhost'; -+$cfg['Servers'][$i]['controlport'] = ''; -+/* -+$cfg['Servers'][$i]['controluser'] = 'pma'; -+$cfg['Servers'][$i]['controlpass'] = 'pmapass'; -+ ++$cfg['Servers'][$i]['controlhost'] = 'localhost'; ++$cfg['Servers'][$i]['controlport'] = ''; ++/* ++$cfg['Servers'][$i]['controluser'] = 'pma'; ++$cfg['Servers'][$i]['controlpass'] = 'pmapass'; - /* Storage database and tables */ +-/* Storage database and tables */ -// $cfg['Servers'][$i]['pmadb'] = 'phpmyadmin'; -// $cfg['Servers'][$i]['bookmarktable'] = 'pma__bookmark'; -// $cfg['Servers'][$i]['relation'] = 'pma__relation'; @@ -156,7 +133,6 @@ Index: config.sample.inc.php -// $cfg['Servers'][$i]['export_templates'] = 'pma__export_templates'; -/* Contrib / Swekey authentication */ -// $cfg['Servers'][$i]['auth_swekey_config'] = '/etc/swekey-pma.conf'; -+ +/** + * The name of the database containing the phpMyAdmin configuration storage. + * 
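Review bot: The new side of the `@@ -70,17 +50,16 @@` hunk still carries the distribution patch that turns `$cfg['blowfish_secret'] = ''; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */` into a bare `$cfg['blowfish_secret'] = '';`, so the packaged sample config no longer tells the administrator that this secret has to be set. The retained comment visible in the preceding hunk ("This is needed for cookie based authentication to encrypt password in cookie") shows this is the value that protects the credential stored in the auth cookie, and an empty setting left in a packaged config is easy to overlook; what phpMyAdmin does with an empty value at runtime is not visible here. Keep the upstream notice, e.g. `$cfg['blowfish_secret'] = ''; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */`, or, if the spec does not already do so, have the package generate a random per-installation secret at install time. This commit itself appears to adjust only a blank line and the inner hunk header at this spot; the comment removal is carried over from the existing patch. The config.sample.inc.php content this hunk patches continues outside the hunk on both sides.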
@@ -273,15 +249,9 @@ Index: config.sample.inc.php /** * End of servers configuration -@@ -155,3 +329,4 @@ $cfg['SaveDir'] = ''; - * You can find more configuration options in the documentation - * in the doc/ folder or at . - */ -+ -Index: libraries/vendor_config.php -=================================================================== ---- libraries/vendor_config.php.orig -+++ libraries/vendor_config.php +diff -Pdpru phpMyAdmin-4.6.2-all-languages.orig/libraries/vendor_config.php phpMyAdmin-4.6.2-all-languages/libraries/vendor_config.php +--- phpMyAdmin-4.6.2-all-languages.orig/libraries/vendor_config.php 2016-05-25 19:07:44.000000000 +0200 ++++ phpMyAdmin-4.6.2-all-languages/libraries/vendor_config.php 2016-05-28 10:33:10.089295600 +0200 @@ -17,18 +17,18 @@ if (! defined('PHPMYADMIN')) { * Path to changelog file, can be gzip compressed. Useful when you want to * have documentation somewhere else, eg. /usr/share/doc. diff --git a/phpMyAdmin.changes b/phpMyAdmin.changes index 7f10d7d..dc79b8c 100644 --- a/phpMyAdmin.changes +++ b/phpMyAdmin.changes 
@@ -1,3 +1,36 @@ +------------------------------------------------------------------- +Sat May 28 07:33:29 UTC 2016 - ecsos@opensuse.org + +- update to 4.6.2 (2016-05-25) + - gh#12225 Use https for documentation links + - gh#12234 Fix schema export with too many tables + - gh#12240 Avoid parsing non JSON responses as JSON + - gh#12244 Avoid using too log URLs when getting javascripts + - gh#12118 Fixed setting mixed case languages + - gh#12229 Avoid storing objects in session when debugging SQL + - gh#12249 Fix cookie path on IIS + - gh#11705 Fix occassional 200 errors on Windows + - gh#12219 Fix locking issues when importing SQL + - gh#12231 Avoid confusing warning when mysql extension is missing + - fix issue Improve handling of logout + - fix issue Safer handling of sessions during authentication + - gh#12209 Fix server selection on main page + - gh#12192 Avoid storing full error data in session + - gh#12082 Fixed export of ARCHIVE tables with keys + - gh#11565 Add session reload for config authentication + - gh#12229 Do not fail on errors stored in session + - gh#12248 Fix loading of APC based upload progress bar +- remove PmaAbsoluteUri from phpMyAdmin-config.patch because since + version 4.6.0 it is remove +- Security fixes: + * PMASA-2016-14 (CVE-2016-5097, CWE-661) + https://www.phpmyadmin.net/security/PMASA-2016-14/ + - User SQL queries can be revealed through URL GET parameters, + see PMASA-2016-14 + * PMASA-2016-16 (CVE-2016-5099, CWE-661) + https://www.phpmyadmin.net/security/PMASA-2016-16/ + - Self XSS vulneratbility, see PMASA-2016-16 + ------------------------------------------------------------------- Mon May 9 10:14:44 UTC 2016 - chris@computersalat.de diff --git a/phpMyAdmin.spec b/phpMyAdmin.spec index 35fd113..d854e88 100644 --- a/phpMyAdmin.spec +++ b/phpMyAdmin.spec 
@@ -1,7 +1,7 @@ # # spec file for package phpMyAdmin # -# Copyright (c) 2016 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -29,7 +29,7 @@ %define ap_grp nogroup %endif Name: phpMyAdmin -Version: 4.6.1 +Version: 4.6.2 Release: 0 Summary: Administration of MySQL over the web License: GPL-2.0+ @@ -111,7 +111,7 @@ Currently phpMyAdmin can: ## rpmlint: # wrong-file-end-of-line-encoding perl -p -i -e 's|\r\n|\n|' examples/config.manyhosts.inc.php -%patch0 +%patch0 -p1 %patch1 # rpmlint: fix incorrect-fsf-address From 7ed8b2119db38dcf6e3b6b2fd35f79b68c9c4ecca9d3feff99e0600d3098bfe2 Mon Sep 17 00:00:00 2001 From: Andreas Stieger Date: Sat, 28 May 2016 15:42:38 +0000 Subject: [PATCH 2/3] OBS-URL: https://build.opensuse.org/package/show/server:php:applications/phpMyAdmin?expand=0&rev=259 --- phpMyAdmin.changes | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/phpMyAdmin.changes b/phpMyAdmin.changes index dc79b8c..85e8038 100644 --- a/phpMyAdmin.changes +++ b/phpMyAdmin.changes @@ -23,11 +23,11 @@ Sat May 28 07:33:29 UTC 2016 - ecsos@opensuse.org - remove PmaAbsoluteUri from phpMyAdmin-config.patch because since version 4.6.0 it is remove - Security fixes: - * PMASA-2016-14 (CVE-2016-5097, CWE-661) + * PMASA-2016-14 (CVE-2016-5097, CWE-661, boo#982126) https://www.phpmyadmin.net/security/PMASA-2016-14/ - User SQL queries can be revealed through URL GET parameters, see PMASA-2016-14 - * PMASA-2016-16 (CVE-2016-5099, CWE-661) + * PMASA-2016-16 (CVE-2016-5099, CWE-661, boo#982128) https://www.phpmyadmin.net/security/PMASA-2016-16/ - Self XSS vulneratbility, see PMASA-2016-16 From 620e24df45e94baa922729cdd3fd1ad62a34cfecc37858aa1b662d2d7fc84f82 Mon Sep 17 00:00:00 2001 
From: Christian Wittmer Date: Sun, 29 May 2016 15:13:39 +0000 Subject: [PATCH 3/3] Accepting request 398771 from home:computersalat:devel:php rebase phpMyAdmin-config.patch OBS-URL: https://build.opensuse.org/request/show/398771 OBS-URL: https://build.opensuse.org/package/show/server:php:applications/phpMyAdmin?expand=0&rev=260 --- phpMyAdmin-config.patch | 31 +++++++++++++++++-------------- phpMyAdmin.changes | 5 +++++ phpMyAdmin.spec | 2 +- 3 files changed, 23 insertions(+), 15 deletions(-) diff --git a/phpMyAdmin-config.patch b/phpMyAdmin-config.patch index effa137..4095e24 100644 --- a/phpMyAdmin-config.patch +++ b/phpMyAdmin-config.patch @@ -1,6 +1,7 @@ -diff -Pdpru phpMyAdmin-4.6.2-all-languages.orig/config.sample.inc.php phpMyAdmin-4.6.2-all-languages/config.sample.inc.php ---- phpMyAdmin-4.6.2-all-languages.orig/config.sample.inc.php 2016-05-25 19:07:44.000000000 +0200 -+++ phpMyAdmin-4.6.2-all-languages/config.sample.inc.php 2016-05-28 10:30:30.138092225 +0200 +Index: config.sample.inc.php +=================================================================== +--- config.sample.inc.php.orig ++++ config.sample.inc.php @@ -11,13 +11,56 @@ */ @@ -41,7 +42,7 @@ diff -Pdpru phpMyAdmin-4.6.2-all-languages.orig/config.sample.inc.php phpMyAdmin + * Default: en + */ +/* $cfg['DefaultLang'] = 'de'; -+ ++ +/** * This is needed for cookie based authentication to encrypt password in * cookie @@ -55,7 +56,7 @@ diff -Pdpru phpMyAdmin-4.6.2-all-languages.orig/config.sample.inc.php phpMyAdmin * Servers configuration + * + * for more info/explanation about these VARS have look at -+ * libraries/config.default.php ++ * libraries/config.default.php */ $i = 0; 
@@ -104,12 +105,7 @@ diff -Pdpru phpMyAdmin-4.6.2-all-languages.orig/config.sample.inc.php phpMyAdmin -// $cfg['Servers'][$i]['controlport'] = ''; -// $cfg['Servers'][$i]['controluser'] = 'pma'; -// $cfg['Servers'][$i]['controlpass'] = 'pmapass'; -+$cfg['Servers'][$i]['controlhost'] = 'localhost'; -+$cfg['Servers'][$i]['controlport'] = ''; -+/* -+$cfg['Servers'][$i]['controluser'] = 'pma'; -+$cfg['Servers'][$i]['controlpass'] = 'pmapass'; - +- -/* Storage database and tables */ -// $cfg['Servers'][$i]['pmadb'] = 'phpmyadmin'; -// $cfg['Servers'][$i]['bookmarktable'] = 'pma__bookmark'; @@ -133,6 +129,12 @@ diff -Pdpru phpMyAdmin-4.6.2-all-languages.orig/config.sample.inc.php phpMyAdmin -// $cfg['Servers'][$i]['export_templates'] = 'pma__export_templates'; -/* Contrib / Swekey authentication */ -// $cfg['Servers'][$i]['auth_swekey_config'] = '/etc/swekey-pma.conf'; ++$cfg['Servers'][$i]['controlhost'] = 'localhost'; ++$cfg['Servers'][$i]['controlport'] = ''; ++/* ++$cfg['Servers'][$i]['controluser'] = 'pma'; ++$cfg['Servers'][$i]['controlpass'] = 'pmapass'; ++ +/** + * The name of the database containing the phpMyAdmin configuration storage. + * @@ -249,9 +251,10 @@ diff -Pdpru phpMyAdmin-4.6.2-all-languages.orig/config.sample.inc.php phpMyAdmin /** * End of servers configuration -diff -Pdpru phpMyAdmin-4.6.2-all-languages.orig/libraries/vendor_config.php phpMyAdmin-4.6.2-all-languages/libraries/vendor_config.php ---- phpMyAdmin-4.6.2-all-languages.orig/libraries/vendor_config.php 2016-05-25 19:07:44.000000000 +0200 -+++ phpMyAdmin-4.6.2-all-languages/libraries/vendor_config.php 2016-05-28 10:33:10.089295600 +0200 +Index: libraries/vendor_config.php +=================================================================== +--- libraries/vendor_config.php.orig ++++ libraries/vendor_config.php @@ -17,18 +17,18 @@ if (! defined('PHPMYADMIN')) { * Path to changelog file, can be gzip compressed. Useful when you want to * have documentation somewhere else, eg. /usr/share/doc. 
diff --git a/phpMyAdmin.changes b/phpMyAdmin.changes index 85e8038..6df2e89 100644 --- a/phpMyAdmin.changes +++ b/phpMyAdmin.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Sun May 29 15:07:43 UTC 2016 - chris@computersalat.de + +- rebase phpMyAdmin-config.patch + ------------------------------------------------------------------- Sat May 28 07:33:29 UTC 2016 - ecsos@opensuse.org diff --git a/phpMyAdmin.spec b/phpMyAdmin.spec index d854e88..818d1c6 100644 --- a/phpMyAdmin.spec +++ b/phpMyAdmin.spec @@ -111,7 +111,7 @@ Currently phpMyAdmin can: ## rpmlint: # wrong-file-end-of-line-encoding perl -p -i -e 's|\r\n|\n|' examples/config.manyhosts.inc.php -%patch0 -p1 +%patch0 %patch1 # rpmlint: fix incorrect-fsf-address