- This is a fast-reaction patch: no details about the vulnerability
are available yet, other than it involves XSS.
- VuXML to follow, once the advisories are published
Welcome to phpMyAdmin 3.5.0; here are the major new features:
* browse-mode improvements
** grid editing
** remember recent tables
** remember last sort order by table
** flexible column width
** reorder columns
** more compact navigation bar
* AJAXification of many operations
* reorganised server status page, with server monitoring
* improved support for stored routines, events and triggers
* openGIS support
* zoom-search in table search
* Drizzle support
* improved ENUM/SET editor
Or see: http://sourceforge.net/projects/phpmyadmin/files/phpMyAdmin/3.5.0/phpMyAdmin-3.5.0-notes.html/view
Approved by: shaun (mentor)
Feature safe: yes
XSS in replication setup
ChangeLog:
Welcome to phpMyAdmin 3.4.10.1, a minor security release.
3.4.10.1 (2012-02-18)
- [security] XSS in replication setup, see PMASA-2012-1
Security Advisory:
http://www.phpmyadmin.net/home_page/security/PMASA-2012-1.php
Approved by: shaun (mentor)
ChangeLog:
http://sourceforge.net/projects/phpmyadmin/files/phpMyAdmin/3.4.10/phpMyAdmin-3.4.10-notes.html/view
3.4.10.0 (2012-02-14)
- bug #3460090 [interface] TextareaAutoSelect feature broken
- patch #3375984 [export] PHP Array export might generate invalid php code
- bug #3049209 [import] Import from ODS ignores cell that is the same as cell be
fore
- bug #3463933 [display] SELECT DISTINCT displays wrong total records found
- patch #3458944 [operations] copy table data missing SET SQL_MODE='NO_AUTO_VALU
E_ON_ZERO'
- bug #3469254 [edit] Setting data to NULL and drop-downs
- bug #3477063 [edit] Missing set fields and values in generated INSERT query
- bug #3460867 [libraries] license issue with TCPDF (updated to 5.9.145)
Other Changes:
* Drop USE_MYSQL=compat and IGNORE_WITH_MYSQL=41 -- phpmyadmin has
not suddenly grown compatibility for older versions of MySQL.
However, USE_MYSQL implies an dependency on mysql-client, but
phpmyadmin can operate just fine with only the php mysqlnd
drivers.
* Add a new WITH_MYSQL Options knob (off by default) -- if you want
to use the mysql-client driver.
* PHP52 doesn't have mysqlnd drivers, so require at least one of
WITH_MYSQL or WITH_MYSQLI to be selected.
Approved by: shaun (mentor)
release with minor security corrections.
Please refer to the upcoming PMASA-2011-19 and PMASA-2011-20
announcements on http://www.phpmyadmin.net/home_page/security.
Details will appear on http://phpmyadmin.net. In a hurry? you can visit
http://sourceforge.net/projects/phpmyadmin to download.
Marc Delisle, for the team"
ChangeLog:
3.4.9.0 (not yet released)
- bug #3442028 [edit] Inline editing enum fields with null shows no dropdown
- bug #3442004 [interface] DB suggestion not correct for user with underscore
- bug #3438420 [core] Magic quotes removed in PHP 5.4
- bug #3398788 [session] No feedback when result is empty (signon auth_type)
- bug #3384035 [display] Problems regarding ShowTooltipAliasTB
- bug #3306875 [edit] Can't rename a database that contains views
- bug #3452506 [edit] Unable to move tables with triggers
- bug #3449659 [navi] Fast filter broken with table tree
- bug #3448485 [GUI] Firefox favicon frameset regression
- [core] Better compatibility with mysql extension
- [security] Self-XSS on export options (export server/database/table), see PMASA-2011-20
- [security] Self-XSS in setup (host parameter), see PMASA-2011-19
http://sourceforge.net/projects/phpmyadmin/files/phpMyAdmin/3.4.9-rc1/phpMyAdmin-3.4.9-rc1-notes.html/download
For the port:
Switch to using lzma compressed tarballs, for a saving of about 1MB
per download.
PR: ports/163290
Submitted by: Matthew Seaman <m.seaman@infracaninophile.co.uk>
This is the formal release of the fix to CVE-2011-4634, but there are
no code differences from the preliminary fixes released in 3.4.8-rc1
except for the updated version number.
PMSA-2011-18 has now been published; vuxml entry attached.
PR: ports/163001
Submitted by: Matthew Seaman <m.seaman@infracaninophile.co.uk> (maintainer)
Feature safe: yes
Announcement:
"Welcome to the first release candidate for phpMyAdmin 3.4.8, a bugfix
release with minor security corrections.
Please refer to the upcoming PMASA-2011-18 announcement on
http://www.phpmyadmin.net/home_page/security.
Marc Delisle, for the team"
Welcome to the first release candidate for phpMyAdmin 3.4.8, a bugfix
release with minor security corrections.
3.4.8.0 (not yet released)
- bug #3425230 [interface] enum data split at space char (more space to
edit)
- bug #3426840 [interface] ENUM/SET editor can't handle commas in values
- bug #3427256 [interface] no links to browse/empty views and tables
- bug #3430377 [interface] Deleted search results remain visible
- bug #3428627 [import] ODS import ignores memory limits
- bug #3426836 [interface] Visual column separation
- bug #3428065 [parser] TRUE not recognized by parser
+ patch #3433770 [config] Make location of php-gettext configurable
- patch #3430291 [import] Handle conflicts in some open_basedir situations
- bug #3431427 [display] Dropdown results - setting NULL does not work
- patch #3428764 [edit] Inline edit on multi-server configuration
- patch #3437354 [core] Notice: Array to string conversion in PHP 5.4
- [interface] When ShowTooltipAliasTB is true, VIEW is wrongly shown as the
view name in main panel db Structure page
- bug #3439292 [core] Fail to synchronize column with name of keyword
- bug #3425156 [interface] Add column after drop
- [interface] Avoid showing the password in phpinfo()'s output
- bug #3441572 [GUI] 'newer version of phpMyAdmin' message not shown in IE8
- bug #3407235 [interface] Entering the key through a lookup window does not
reset NULL
- [security] Self-XSS on database names (Synchronize), see PMASA-2011-18
- [security] Self-XSS on database names (Operations/rename), see PMASA-2011-18
- [security] Self-XSS on column type (Create index), see PMASA-2011-18
- [security] Self-XSS on column type (table Search), see PMASA-2011-18
- [security] Self-XSS on invalid query (table overview), see PMASA-2011-18
PR: ports/162873
Submitted by: Matthew Seaman <m.seaman@infracaninophile.co.uk> (maintainer)
Feature safe: yes
ChangeLog:
http://sourceforge.net/projects/phpmyadmin/files%2FphpMyAdmin%2F3.4.7%2FphpMyAdmin-3.4.7.html/view
Welcome to phpMyAdmin 3.4.7, a bugfix release.
3.4.7.0 (2011-10-23)
- bug #3418610 [interface] Links in navigation when $cfg['MainPageIconic'] = false
- bug #3418849 [interface] Inline edit shows dropdowns even after closing
- bug [view] View renaming did not work
- bug [navi] Wrong icon for view (MySQL 5.5)
- bug #3420229 [doc] Missing documentation section
- bug #3423725 [pdf] Broken PDF file when exporting database to PDF
- [core] Allow to set language in URL
- bug #3425184 [doc] Fix links to PHP documentation
- bug #3426031 [export] Export to bzip2 is not working
PR: ports/161937
Submitted by: maintainer
of security fixes in the announcement message and changelog, all of
the fixes were already applied in the previous port update (to
3.4.6-rc1). In fact, diff'ing the distfile tarballs between 3.4.6-rc1
and 3.4.6 shows that the only change is to update the version number.
Announcement message:
"Welcome to phpMyAdmin 3.4.6, a bugfix and minor security release.
Please refer to the upcoming PMASA-2011-15 and -16 announcements on
http://www.phpmyadmin.net/home_page/security.
Details will appear on http://phpmyadmin.net.
Marc Delisle, for the team"
ChangeLog:
http://sourceforge.net/projects/phpmyadmin/files/phpMyAdmin/3.4.6/phpMyAdmin-3.4.6.html/download
The advisories PMASA-15 and PMASA-16 still have not yet been published.
PR: ports/161709
Submitted by: Matthew Seaman <m.seaman@infracaninophile.co.uk> (maintainer)
From the announce message:
"Welcome to the first release candidate of phpMyAdmin 3.4.6, a bugfix
release containing also fixes for minor security problems.
Details will appear on http://phpmyadmin.net. In a hurry? you can visit
http://sourceforge.net/projects/phpmyadmin to download.
Marc Delisle, for the team"
Security Advisories:
PMASA-2011-15
PMASA-2011-16
(These are not published yet...)
ChangeLog:
(http://sourceforge.net/projects/phpmyadmin/files%2FphpMyAdmin%2F3.4.6-rc1%2FphpMyAdmin-3.4.6-rc1.html/view)
Welcome to the first release candidate for phpMyAdmin 3.4.6, a bugfix release containing also fixes for minor security problems.
3.4.6.0 (not yet released)
- patch #3404173 InnoDB comment display with tooltips/aliases
- bug #3404886 [navi] Edit SQL statement after error
- bug #3403165 [interface] Collation not displayed for long enum fields
- bug #3399951 [export] Config for export compression not used
- bug #3400690 [privileges] DB-specific privileges won't submit
- bug #3410604 [config] Configuration storage incorrect suggested table name
- bug #3383572 [interface] Cannot execute saved query
- bug #3411535 [display] Full text button unchecks results display options
- bug #3411224 [display] Broken binary column when 'Show binary contents' is not set
- bug #3411633 [core] Call to undefined function PMA_isSuperuser()
- bug #3413743 [interface] Display options link missing after search
- bug #3324161 [core] CSP policy causing designer JS buttons to fail
- bug #3412862 [relation] Relations/constraints are dropped/created on every change
- bug #3390832 [display] Delete records from last page breaks search
- bug #3392150 [schema] PMA_User_Schema::processUserChoice() is broken
- bug #3414744 [core] External link fails in 3.4.5
- patch #3314626 [display] CharTextareaRows is not respected
- bug #3417089 [synchronize] Extraneous db choices
- [security] Fixed local path disclosure vulnerability, see PMASA-2011-15
- [security] Fixed XSS in setup (host/verbose parameter), see PMASA-2011-16
PR: ports/161337
Submitted by: Matthew Seaman <m.seaman@infracaninophile.co.uk> [maintainer]
http://www.phpmyadmin.net/home_page/security/PMASA-2011-2.php
Announcement-ID: PMASA-2011-2
Date: 2011-02-11
Summary
SQL query could be executed under another user.
Description
It was possible to create a bookmark which would be executed
unintentionally by other users.
Severity
We consider this vulnerability to be critical.
PR: ports/154695
Submitted by: me
Approved by: maintainer
Changes:
- bug #3059311 [import] BIGINT field type added to table analysis
- [core] Update library PHPExcel to version 1.7.4
- bug #3062455 [core] copy procedures and routines before tables
- bug #3062455 [export] with SQL, export procedures and routines before tables
- bug #3056023 [import] USE query not working
- bug #3038193 [display] Error when editing row with GEOMETRY column
- bug #3062454 [interface] Display routines/events also when no tables are
defined
- support ARIA storage engine as well as its previous name MARIA
PR: ports/151738
Submitted by: Matthew Seaman <m.seaman@infracaninophile.co.uk> (maintainer)
Approved by: pgollucci (mentor, implicit)