Accepting request 398442 from home:ecsos:server

update to 4.6.2
Also include:
- Security fixes:
+  * PMASA-2016-14 (CVE-2016-5097, CWE-661)
+    https://www.phpmyadmin.net/security/PMASA-2016-14/
+    - User SQL queries can be revealed through URL GET parameters,
+      see PMASA-2016-14
+  * PMASA-2016-16 (CVE-2016-5099, CWE-661)
+    https://www.phpmyadmin.net/security/PMASA-2016-16/
+    - Self XSS vulneratbility, see PMASA-2016-16

OBS-URL: https://build.opensuse.org/request/show/398442
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/phpMyAdmin?expand=0&rev=258

phpMyAdmin-4.6.1-all-languages.tar.xz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:cc85edc5b71bacf6fead0ffaecbd5395fa31fd7bfd6b4a9b12720baa7e715b66
-size 6109268

phpMyAdmin-4.6.1-all-languages.tar.xz.asc

@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iQIcBAABAgAGBQJXJ8YFAAoJEM51LxeCWb2SnlMQALvBPcVpGtGtkD/akvRj/Ydq
-MB9DLrpAmTOMAmh/dgBsEmcDDdH8lndim2eJ06H5rfkTCFNKLFsg7oMEIMJ8NMUT
-1+qNQoGPjOhZxDC3XylfzGgGY06/ZC8h8uMV5wXQEc43RZqSjfUrU+epMwllwJg/
-2E3MD9HvZro+sZblJtnoPGtrKX0qWNwLmWx44g6j/fySAjco+d5dAsqATmEponwu
-E9yKklU5zsXASEvp9DEj7RDuv35i8Faz1NUq8MLxVaPuLfB9ySb9vXGOVTwauTfo
-Kj5eb87kERsoQeZ+vtOxYY19nEma6D8cYdUOqEdd3P7b7EnbVvxmcVtD9/nOPZm0
-IIhBU6jg0wkk0HgYFjp+FUGZhODiodJDpwrWOexuUpnWMcsQnYP4BxWu9OGmsoR/
-9QxLa5jRlPE5gUr/oLcT85QTHmTWfGC94cJqp1z0S5uOBrrUR4YhvOLfEXEGSKib
-xISEWzFthgZNAS+kbZ0TyIknn9agBknOM8H1Crcue7A0hyWEN/r0M2OPTezMpRGd
-Uc5NXutMGNjCLEYupymrpJ5qokSsD5JFdRFcbFF9nQ136tKk/jbrI9CLgCfAHEon
-Tfwl/023JnA8Ja8FFkQ8Ux1RtJtTr8J62JY9/DP8ke3z43cgqUYJUZqF/NAPZG/w
-4/k/rBrL9QMW+Fbv5hsd
-=EsaU
------END PGP SIGNATURE-----

phpMyAdmin-4.6.2-all-languages.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:2ae6f6f0e8697b5ab5d0334bb16fa59da9143dce0d4576e6370ef54f7ad28872
+size 6128060

phpMyAdmin-4.6.2-all-languages.tar.xz.asc

@@ -0,0 +1,17 @@
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v1
+
+iQIcBAABAgAGBQJXRdzsAAoJEM51LxeCWb2S6twP/RgEIqZLTb6owbFcluemz7Ca
+IPIjJAar09RAItb26AaASYEl4Hte9pTnGbXhF8Kob8uPRR28Zsv+WKjMa1TS3shx
+K05OXqe7lH49a0nCL1Ytcb7AhXr/vSOaoRGP8Y8HrzK9wnD6GdNf/2O9Ms9CKtvt
+4SJx0LyqRoW0jrqXUUzJ1vMNWuOehtPZm5eb5HnuvRWpg7hUBUaU8X+5jywuzDkT
+ueduW9plpuNtODZaYF0Awd2uyLgkaUM7BtC0wGB2B4BE4ywUTIVoq0XJhAhVyDqX
+f+xK/ynKSot3S5Hi5Ba/ZAINQ+4ckMQTBho2gA23poX6ieQXhogZAQKwgcoInsFz
+09E93crz6oInuUCKPvpmbCkJ1liIz340RETPsz6RF8nR4sNevzE/4kU6jPAlTljZ
+6JMArTE1T5rU7CZDEncqdNVZBbhCTK0aBJI9pVX/z8Fl+qUR9wNececfkBROaDyU
+1EmMEtFLgvI69OiCf1i6Zs/7N92WPNEuBq67SO57d4ddIG3jw46pXD5UiPhVWdw3
+jiP1FkTuO5rv3UJ8Csp2AGx1Mz9KejxxL+x/qkes8+Trmvtzy01yuUHaUWTxf3vO
+aZiWWtNPUYxwliNpN1O02FMtao1PczywXPdrUURLAIE0YJfnacyFRsVxBWOdJQLy
+Yap2geqJTeLyvjHDO/2b
+=EcxN
+-----END PGP SIGNATURE-----

phpMyAdmin-config.patch

@@ -1,30 +1,10 @@
-Index: config.sample.inc.php
-===================================================================
---- config.sample.inc.php.orig
-+++ config.sample.inc.php
-@@ -11,13 +11,76 @@
+diff -Pdpru phpMyAdmin-4.6.2-all-languages.orig/config.sample.inc.php phpMyAdmin-4.6.2-all-languages/config.sample.inc.php
+--- phpMyAdmin-4.6.2-all-languages.orig/config.sample.inc.php	2016-05-25 19:07:44.000000000 +0200
++++ phpMyAdmin-4.6.2-all-languages/config.sample.inc.php	2016-05-28 10:30:30.138092225 +0200
+@@ -11,13 +11,56 @@
   */
  
  /**
-+ * Your phpMyAdmin url
-+ *
-+ * Complete the variable below with the full url ie
-+ *    https://www.your_web.net/path_to_your_phpMyAdmin_directory/
-+ *
-+ * It must contain characters that are valid for a URL, and the path is
-+ * case sensitive on some Web servers, for example Unix-based servers.
-+ *
-+ * In most cases you can leave this variable empty, as the correct value
-+ * will be detected automatically. However, we recommend that you do
-+ * test to see that the auto-detection code works in your system. A good
-+ * test is to browse a table, then edit a row and save it.  There will be
-+ * an error message if phpMyAdmin cannot auto-detect the correct value.
-+ *
-+ * Default: ''
-+ */
-+/* $cfg['PmaAbsoluteUri'] = '';
-+
-+/**
 + * Disable the default warning that is displayed on the DB Details Structure
 + * page if any of the required Tables for the relationfeatures could not be
 + * found
@@ -61,7 +41,7 @@ Index: config.sample.inc.php
 + * Default: en
 + */
 +/* $cfg['DefaultLang'] = 'de';
-+
++ 
 +/**
   * This is needed for cookie based authentication to encrypt password in
   * cookie
@@ -70,17 +50,16 @@ Index: config.sample.inc.php
   */
 -$cfg['blowfish_secret'] = ''; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */
 +$cfg['blowfish_secret'] = '';
-+
  
  /**
   * Servers configuration
 + *
 + * for more info/explanation about these VARS have look at
-+ *  libraries/config.default.php
++ *  libraries/config.default.php 
   */
  $i = 0;
  
-@@ -25,47 +88,158 @@ $i = 0;
+@@ -25,47 +68,155 @@ $i = 0;
   * First server
   */
  $i++;
@@ -112,7 +91,6 @@ Index: config.sample.inc.php
 +$cfg['Servers'][$i]['verbose_check']            = true;
 +$cfg['Servers'][$i]['AllowDeny']['order']       = '';
 +$cfg['Servers'][$i]['AllowDeny']['rules']       = array();
-+
  
  /**
   * phpMyAdmin configuration storage settings.
@@ -121,19 +99,18 @@ Index: config.sample.inc.php
 + *  libraries/config.default.php
   */
  
--/* User used to manipulate with storage */
+ /* User used to manipulate with storage */
 -// $cfg['Servers'][$i]['controlhost'] = '';
 -// $cfg['Servers'][$i]['controlport'] = '';
 -// $cfg['Servers'][$i]['controluser'] = 'pma';
 -// $cfg['Servers'][$i]['controlpass'] = 'pmapass';
-+$cfg['Servers'][$i]['controlhost']              = 'localhost';
-+$cfg['Servers'][$i]['controlport']              = '';
-+/*
-+$cfg['Servers'][$i]['controluser']              = 'pma';
-+$cfg['Servers'][$i]['controlpass']              = 'pmapass';
-+
++$cfg['Servers'][$i]['controlhost'] = 'localhost';
++$cfg['Servers'][$i]['controlport'] = '';
++/* 
++$cfg['Servers'][$i]['controluser'] = 'pma';
++$cfg['Servers'][$i]['controlpass'] = 'pmapass';
  
- /* Storage database and tables */
+-/* Storage database and tables */
 -// $cfg['Servers'][$i]['pmadb'] = 'phpmyadmin';
 -// $cfg['Servers'][$i]['bookmarktable'] = 'pma__bookmark';
 -// $cfg['Servers'][$i]['relation'] = 'pma__relation';
@@ -156,7 +133,6 @@ Index: config.sample.inc.php
 -// $cfg['Servers'][$i]['export_templates'] = 'pma__export_templates';
 -/* Contrib / Swekey authentication */
 -// $cfg['Servers'][$i]['auth_swekey_config'] = '/etc/swekey-pma.conf';
-+
 +/**
 + * The name of the database containing the phpMyAdmin configuration storage.
 + *
@@ -273,15 +249,9 @@ Index: config.sample.inc.php
  
  /**
   * End of servers configuration
-@@ -155,3 +329,4 @@ $cfg['SaveDir'] = '';
-  * You can find more configuration options in the documentation
-  * in the doc/ folder or at <http://docs.phpmyadmin.net/>.
-  */
-+
-Index: libraries/vendor_config.php
-===================================================================
---- libraries/vendor_config.php.orig
-+++ libraries/vendor_config.php
+diff -Pdpru phpMyAdmin-4.6.2-all-languages.orig/libraries/vendor_config.php phpMyAdmin-4.6.2-all-languages/libraries/vendor_config.php
+--- phpMyAdmin-4.6.2-all-languages.orig/libraries/vendor_config.php	2016-05-25 19:07:44.000000000 +0200
++++ phpMyAdmin-4.6.2-all-languages/libraries/vendor_config.php	2016-05-28 10:33:10.089295600 +0200
 @@ -17,18 +17,18 @@ if (! defined('PHPMYADMIN')) {
   * Path to changelog file, can be gzip compressed. Useful when you want to
   * have documentation somewhere else, eg. /usr/share/doc.

phpMyAdmin.changes

@@ -1,3 +1,36 @@
+-------------------------------------------------------------------
+Sat May 28 07:33:29 UTC 2016 - ecsos@opensuse.org
+
+- update to 4.6.2 (2016-05-25)
+  - gh#12225 Use https for documentation links
+  - gh#12234 Fix schema export with too many tables
+  - gh#12240 Avoid parsing non JSON responses as JSON
+  - gh#12244 Avoid using too log URLs when getting javascripts
+  - gh#12118 Fixed setting mixed case languages
+  - gh#12229 Avoid storing objects in session when debugging SQL
+  - gh#12249 Fix cookie path on IIS
+  - gh#11705 Fix occassional 200 errors on Windows
+  - gh#12219 Fix locking issues when importing SQL
+  - gh#12231 Avoid confusing warning when mysql extension is missing
+  - fix issue Improve handling of logout
+  - fix issue Safer handling of sessions during authentication
+  - gh#12209 Fix server selection on main page
+  - gh#12192 Avoid storing full error data in session
+  - gh#12082 Fixed export of ARCHIVE tables with keys
+  - gh#11565 Add session reload for config authentication
+  - gh#12229 Do not fail on errors stored in session
+  - gh#12248 Fix loading of APC based upload progress bar
+- remove PmaAbsoluteUri from phpMyAdmin-config.patch because since
+  version 4.6.0 it is remove
+- Security fixes:
+  * PMASA-2016-14 (CVE-2016-5097, CWE-661)
+    https://www.phpmyadmin.net/security/PMASA-2016-14/
+    - User SQL queries can be revealed through URL GET parameters,
+      see PMASA-2016-14
+  * PMASA-2016-16 (CVE-2016-5099, CWE-661)
+    https://www.phpmyadmin.net/security/PMASA-2016-16/
+    - Self XSS vulneratbility, see PMASA-2016-16
+
 -------------------------------------------------------------------
 Mon May  9 10:14:44 UTC 2016 - chris@computersalat.de
 

phpMyAdmin.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package phpMyAdmin
 #
-# Copyright (c) 2016 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -29,7 +29,7 @@
 %define ap_grp nogroup
 %endif
 Name:           phpMyAdmin
-Version:        4.6.1
+Version:        4.6.2
 Release:        0
 Summary:        Administration of MySQL over the web
 License:        GPL-2.0+
@@ -111,7 +111,7 @@ Currently phpMyAdmin can:
 ## rpmlint:
 # wrong-file-end-of-line-encoding
 perl -p -i -e 's|\r\n|\n|' examples/config.manyhosts.inc.php
-%patch0
+%patch0 -p1
 %patch1
 
 # rpmlint: fix incorrect-fsf-address