|
|
|
|
@@ -1,3 +1,144 @@
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sat Nov 26 15:32:19 UTC 2016 - ecsos@opensuse.org
|
|
|
|
|
|
|
|
|
|
- update to 4.6.5.1 (2016-11-26)
|
|
|
|
|
- quick fix for 4.6.5
|
|
|
|
|
* an issue affecting a small number of users using
|
|
|
|
|
$cfg['Servers'][$i]['hide_db'] or $cfg['Servers'][$i]['only_db'].
|
|
|
|
|
* an issue affecting the create table dialog where the partition
|
|
|
|
|
selection tool was overzealous and made it difficult to create
|
|
|
|
|
a new table.
|
|
|
|
|
|
|
|
|
|
- update to 4.6.5 (2016-11-25)
|
|
|
|
|
- security fixes
|
|
|
|
|
* Fix for expanding in navigation pane
|
|
|
|
|
* Reintroduced a simplified version of PmaAbsoluteUri directive
|
|
|
|
|
(needed with reverse proxies)
|
|
|
|
|
* Fix editing of ENUM/SET/DECIMAL field structures
|
|
|
|
|
* Improvements to the parser
|
|
|
|
|
- other fixes
|
|
|
|
|
* Remove potentionally license problematic sRGB profile
|
|
|
|
|
* gh#12459 Display read only fields as read only when editing
|
|
|
|
|
* gh#12384 Fix expanding of navigation pane when clicking on database
|
|
|
|
|
* gh#12430 Impove partitioning support
|
|
|
|
|
* gh#12374 Reintroduced simplified PmaAbsoluteUri configuration directive
|
|
|
|
|
* Always use UTC time in HTTP headers
|
|
|
|
|
* gh#12479 Simplified validation of external links
|
|
|
|
|
* gh#12483 Fix browsing tables with built in transformations
|
|
|
|
|
* gh#12485 Do not show warning about short blowfish_secret if none is set
|
|
|
|
|
* gh#12251 Fixed random logouts due to wrong cookie path
|
|
|
|
|
* gh#12480 Fixed editing of ENUM/SET/DECIMAL fields structure
|
|
|
|
|
* gh#12497 Missing escaping of configuration used in SQL (hide_db and only_db)
|
|
|
|
|
* gh#12476 Add error checking in reading advisory rules file
|
|
|
|
|
* gh#12477 Add checking missing elements and confirming element types from json_decode
|
|
|
|
|
* gh#12251 Automatically save SQL query in browser local storage rather than in cookie
|
|
|
|
|
* gh#12292 Unable to edit transformations
|
|
|
|
|
* gh#12502 Remove unused paramenter when connecting to MySQLi
|
|
|
|
|
* gh#12303 Fix number formatting with different settings of precision in PHP
|
|
|
|
|
* gh#12405 Use single quotes in PHP code
|
|
|
|
|
* gh#12534 Option for the dropped column is not removed from 'after_field' select, after the column is dropped
|
|
|
|
|
* gh#12531 Properly detect DROP DATABASE queries
|
|
|
|
|
* gh#12470 Fix possible race condition in setting URL hash
|
|
|
|
|
* gh#11924 Remove caching of server information
|
|
|
|
|
* gh#11628 Proper parsing of INSERT ... ON DUPLICATE KEY queries
|
|
|
|
|
* gh#12545 Proper parsing of CREATE TABLE ... PARTITION queries
|
|
|
|
|
* gh#12473 Code can throw unhandled exception
|
|
|
|
|
* gh#12550 Do not try to keep alive session even after expiry
|
|
|
|
|
* gh#12512 Fixed rendering BBCode links in setup
|
|
|
|
|
* gh#12518 Fixed copy of table with generated columns
|
|
|
|
|
* gh#12221 Fixed export of table with generated columns
|
|
|
|
|
* gh#12320 Copying a user does not copy usergroup
|
|
|
|
|
* gh#12272 Adding a new row with default enum goes to no selection when you want to add more then 2 rows
|
|
|
|
|
* gh#12487 Drag and drop import prevents file dropping to blob column file selector on the insert tab
|
|
|
|
|
* gh#12554 Absence of scrolling makes it impossible to read longer text values in grid editing
|
|
|
|
|
* gh#12530 "Edit routine" crashes when the current user is not the definer, even if privileges are adequate
|
|
|
|
|
* gh#12300 Export selective tables by-default dumps Events also
|
|
|
|
|
* gh#12298 Fixed export of view definitions
|
|
|
|
|
* gh#12242 Edit routine detail dialog does not fill "Return length" field in mysql functions
|
|
|
|
|
* gh#12575 New index Confirm adds whitespace around the field name
|
|
|
|
|
* gh#12382 Bug in zoom search
|
|
|
|
|
* gh#12321 Assign LIMIT clause only to syntactically correct queries
|
|
|
|
|
* gh#12461 Can't Execute SQL With Sub-Query Due To "LIMIT 0,25" Inserted At Wrong Place
|
|
|
|
|
* gh#12511 Clarify documentation on ArbitraryServerRegexp
|
|
|
|
|
* gh#12508 Remove duplicate code in SQL escaping
|
|
|
|
|
* gh#12475 Cleanup code for getting table information
|
|
|
|
|
* gh#12579 phpMyAdmin's export of a Select statment without a FROM clause generates Wrong SQL
|
|
|
|
|
* gh#12316 Correct export of complex SELECT statements
|
|
|
|
|
* gh#12080 Fixed parsing of subselect queries
|
|
|
|
|
* gh#11740 Fixed handling DELETE ... USING queries
|
|
|
|
|
* gh#12100 Fixed handling of CASE operator
|
|
|
|
|
* gh#12455 Query history stores separate entry for every letter typed
|
|
|
|
|
* gh#12327 Create PHP code no longer works
|
|
|
|
|
* gh#12179 Fixed bookmarking of query with multiple statements
|
|
|
|
|
* gh#12419 Wrong description on GRANT OPTION
|
|
|
|
|
* gh#12615 Fixed regexp for matching browser versions
|
|
|
|
|
* gh#12569 Avoid showing import errors twice
|
|
|
|
|
* gh#12362 prefs_manage.php can leave an orphaned temporary file
|
|
|
|
|
* gh#12619 Unable to export csv when using union select
|
|
|
|
|
* gh#12625 Broken Edit links in query results of JOIN query
|
|
|
|
|
* gh#12634 Drop DB error in import if DB doesn't exist
|
|
|
|
|
* gh#12338 Designer reverts to first saved ER after EACH relation create or delete
|
|
|
|
|
* gh#12639 'Show trace' in Console generates JS error for functions in query's trace called without any arguments
|
|
|
|
|
* gh#12366 Fix user creation with certain MariaDB setups
|
|
|
|
|
* gh#12616 Refuse to work with mbstring.func_overload enabled
|
|
|
|
|
* gh#12472 Properly report connection without password in setup
|
|
|
|
|
* gh#12365 Fix records count for large tables
|
|
|
|
|
* gh#12533 Fix records count for complex queries
|
|
|
|
|
* gh#12454 Query history not updated in console until page refresh
|
|
|
|
|
* gh#12344 Fixed parsing of labels in loop
|
|
|
|
|
* gh#12228 Fixed parsing of BEGIN labels
|
|
|
|
|
* gh#12637 Fixed editing some timestamp values
|
|
|
|
|
* gh#12622 Fixed javascript error in designer
|
|
|
|
|
* gh#12334 Missing page indicator or VIEWs
|
|
|
|
|
* gh#12610 Export of tables with Timestamp/Datetime/Time columns defined with ON UPDATE clause with precision fails
|
|
|
|
|
* gh#12661 Error inserting into pma__history after timeout
|
|
|
|
|
* gh#12195 Row_format = fixed not visible
|
|
|
|
|
* gh#12665 Cannot add a foreign key - non-indexed fields not listed in InnoDB tables
|
|
|
|
|
* gh#12674 Allow for proper MySQL-allowed strings as identifiers
|
|
|
|
|
* gh#12651 Allow for partial dates on table insert page
|
|
|
|
|
* gh#12681 Fixed designer with tables using special chars
|
|
|
|
|
* gh#12652 Fixed visual query builder for foreign keys with more fields
|
|
|
|
|
* gh#12257 Improved search page performance
|
|
|
|
|
* gh#12322 Avoid selecting default function for foreign keys
|
|
|
|
|
* gh#12453 Fixed escaping of SQL parts in some corner cases
|
|
|
|
|
* gh#12542 Missing table name in account privileges editor
|
|
|
|
|
* gh#12691 Remove ksort call on empty array in PMA_getPlugins function
|
|
|
|
|
* gh#12443 Check parameter type before processing
|
|
|
|
|
* gh#12299 Avoid generating too long URLs in search
|
|
|
|
|
* gh#12361 Fix self SQL injection in table-specific privileges
|
|
|
|
|
* gh#12698 Add link to release notes and download on new version notification
|
|
|
|
|
* gh#12712 Error when trying to setup replication (fatal error in call to an old PMA_DBI_connect function)
|
|
|
|
|
- fix for boo#1012271
|
|
|
|
|
https://www.phpmyadmin.net/security/
|
|
|
|
|
* Unsafe generation of $cfg['blowfish_secret']
|
|
|
|
|
see PMASA-2016-58 (CVE ids: Not yet assigned , CWE-661)
|
|
|
|
|
* phpMyAdmin's phpinfo functionality is removed
|
|
|
|
|
see PMASA-2016-59 (CVE ids: Not yet assigned , CWE-661)
|
|
|
|
|
* AllowRoot and allow/deny rule bypass with specially-crafted username
|
|
|
|
|
see PMASA-2016-60 (CVE ids: Not yet assigned , CWE-661)
|
|
|
|
|
* Username matching weaknesses with allow/deny rules
|
|
|
|
|
see PMASA-2016-61 (CVE ids: Not yet assigned , CWE-661)
|
|
|
|
|
* Possible to bypass logout timeout
|
|
|
|
|
see PMASA-2016-62 (CVE ids: Not yet assigned , CWE-661)
|
|
|
|
|
* Full path disclosure (FPD) weaknesses
|
|
|
|
|
see PMASA-2016-63 (CVE ids: Not yet assigned , CWE-661)
|
|
|
|
|
* Multiple XSS weaknesses
|
|
|
|
|
see PMASA-2016-64 (CVE ids: Not yet assigned , CWE-661, CWE-352)
|
|
|
|
|
* Multiple denial-of-service (DOS) vulnerabilities
|
|
|
|
|
see PMASA-2016-65 (CVE ids: Not yet assigned , CWE-661, CW-400)
|
|
|
|
|
* Possible to bypass white-list protection for URL redirection
|
|
|
|
|
see PMASA-2016-66 (CVE ids: Not yet assigned , CWE-661, CWE-20, CWE-601)
|
|
|
|
|
* BBCode injection to login page
|
|
|
|
|
see PMASA-2016-67 (CVE ids: Not yet assigned , CWE-661)
|
|
|
|
|
* Denial-of-service (DOS) vulnerability in table partitioning
|
|
|
|
|
see PMASA-2016-68 (CVE ids: Not yet assigned , CWE-661, CWE-400)
|
|
|
|
|
* Multiple SQL injection vulnerabilities
|
|
|
|
|
see PMASA-2016-69 (CVE ids: Not yet assigned , CWE-661, CWE-89)
|
|
|
|
|
* Incorrect serialized string parsing
|
|
|
|
|
see PMASA-2016-70 (CVE ids: Not yet assigned , CWE-661)
|
|
|
|
|
* CSRF token not stripped from the URL
|
|
|
|
|
see PMASA-2016-71 (CVE ids: Not yet assigned , CWE-661)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sun Nov 6 16:27:00 UTC 2016 - chris@computersalat.de
|
|
|
|
|
|
|
|
|
|
|
Git OBS Bridge