Accepting request 419986 from home:computersalat:devel:php

update to 4.6.4, fix for boo#994313 OBS-URL: https://build.opensuse.org/request/show/419986 OBS-URL: https://build.opensuse.org/package/show/server:php:applications/phpMyAdmin?expand=0&rev=264
2016-08-18 14:48:55 +00:00
parent 6f9b3f166e
commit 98777dc65f
9 changed files with 188 additions and 27 deletions
--- a/phpMyAdmin.changes
+++ b/phpMyAdmin.changes
@@ -1,3 +1,107 @@
+-------------------------------------------------------------------
+Thu Aug 18 13:31:57 UTC 2016 - chris@computersalat.de
+
+- 4.6.4 (2016-08-16)
+ - securitiy fixes
+  * Improve session cookie code for openid.php and signon.php example
+     files
+  * Full path disclosure in openid.php and signon.php example files
+  * Unsafe generation of BlowfishSecret (when not supplied by the user)
+  * Referrer leak when phpinfo is enabled
+  * Use HTTPS for wiki links
+  * Improve SSL certificate handling
+  * Fix full path disclosure in debugging code
+  * Administrators could trigger SQL injection attack against users
+ - other fixes
+  * Remove Swekey support
+  * Include X-Robots-Tag header in responses
+  * Enforce numeric field length when creating table
+  * Fixed invalid Content-Length in some HTTP responses
+  * gh#12394 Create view should require a view name
+  * gh#12391 Message with 'Change password successfully' displayed,
+     but does not take effect
+  * Tighten control on PHP sessions and session cookies
+  * gh#12409 Re-enable overhead on server databases view
+  * gh#12414 Fixed rendering of Original theme
+  * gh#12413 Fixed deleting users in non English locales
+  * gh#12416 Fixed replication status output in Databases listing
+  * gh#12303 Avoid typecasting to float when not needed
+  * gh#12425 Duplicate message variable names in messages.inc.php
+  * gh#12399 Adding index to table shows wrong top navigation
+  * gh#12424 Fixed password change on MariaDB without auth plugin
+  * gh#12339 Do not error on unset server port
+  * gh#12422 Improvements to the original theme
+  * gh#12395 Do not try to load old transformation plugins
+  * gh#12423 Fixed replication status in database listing
+  * gh#12433 Copy table with prefix does not copy the indexes
+  * gh#12375 Search in database: Window content is not scrolling down
+     when clicking first time on Browse link
+  * gh#12346 SQL Editor textareas can have their size increased from
+     the top, distorting the page view
+- fix for boo#994313
+  https://www.phpmyadmin.net/security/
+  * Weaknesses with cookie encryption
+     see PMASA-2016-29 (CVE-2016-6606, CWE-661)
+  * Multiple XSS vulnerabilities
+     see PMASA-2016-30 (CVE-2016-6607, CWE-661)
+  * Multiple XSS vulnerabilities
+     see PMASA-2016-31 (CVE-2016-6608, CWE-661)
+  * PHP code injection
+     see PMASA-2016-32 (CVE-2016-6609, CWE-661)
+  * Full path disclosure
+     see PMASA-2016-33 (CVE-2016-6610, CWE-661)
+  * SQL injection attack
+     see PMASA-2016-34 (CVE-2016-6611, CWE-661)
+  * Local file exposure through LOAD DATA LOCAL INFILE
+     see PMASA-2016-35 (CVE-2016-6612, CWE-661)
+  * Local file exposure through symlinks with UploadDir
+     see PMASA-2016-36 (CVE-2016-6613, CWE-661)
+  * Path traversal with SaveDir and UploadDir
+     see PMASA-2016-37 (CVE-2016-6614, CWE-661)
+  * Multiple XSS vulnerabilities
+     see PMASA-2016-38 (CVE-2016-6615, CWE-661)
+  * SQL injection vulnerability as control user
+     see PMASA-2016-39 (CVE-2016-6616, CWE-661)
+  * SQL injection vulnerability
+     see PMASA-2016-40 (CVE-2016-6617, CWE-661)
+  * Denial-of-service attack through transformation feature
+     see PMASA-2016-41 (CVE-2016-6618, CWE-661)
+  * SQL injection vulnerability as control user
+     see PMASA-2016-42 (CVE-2016-6619, CWE-661)
+  * Verify data before unserializing
+     see PMASA-2016-43 (CVE-2016-6620, CWE-661)
+  * SSRF in setup script
+     see PMASA-2016-44 (CVE-2016-6621, CWE-661)
+  * Denial-of-service attack with
+     $cfg['AllowArbitraryServer'] = true and persistent connections
+     see PMASA-2016-45 (CVE-2016-6622, CWE-661)
+  * Denial-of-service attack by using for loops
+     see PMASA-2016-46 (CVE-2016-6623, CWE-661)
+  * Possible circumvention of IP-based allow/deny rules with IPv6 and
+     proxy server
+     see PMASA-2016-47 (CVE-2016-6624, CWE-661)
+  * Detect if user is logged in
+     see PMASA-2016-48 (CVE-2016-6625, CWE-661)
+  * Bypass URL redirection protection
+     see PMASA-2016-49 (CVE-2016-6626, CWE-661)
+  * Referrer leak
+     see PMASA-2016-50 (CVE-2016-6627, CWE-661)
+  * Reflected File Download
+     see PMASA-2016-51 (CVE-2016-6628, CWE-661)
+  * ArbitraryServerRegexp bypass
+     see PMASA-2016-52 (CVE-2016-6629, CWE-661)
+  * Denial-of-service attack by entering long password
+     see PMASA-2016-53 (CVE-2016-6630, CWE-661)
+  * Remote code execution vulnerability when running as CGI
+     see PMASA-2016-54 (CVE-2016-6631, CWE-661)
+  * Denial-of-service attack when PHP uses dbase extension
+     see PMASA-2016-55 (CVE-2016-6632, CWE-661)
+  * Remove tode execution vulnerability when PHP uses dbase extension
+     see PMASA-2016-56 (CVE-2016-6633, CWE-661)
+- fix deps
+  * add missing php-gettext
+- rebase phpMyAdmin-config.patch
+
 -------------------------------------------------------------------
 Thu Jun 23 12:10:01 UTC 2016 - chris@computersalat.de