Commit graph

93 commits

Author SHA1 Message Date
tron
fd34803699 Update "phpmyadmin" package to version 2.11.10.
Changes since version 2.11.9.6:
- [core] safer handling of temporary files with open_basedir
  (thanks to Thijs Kinkhorst)
- [core] do not automatically set and create TempDir, it might lead to
  security issue (thanks to Thijs Kinkhorst)
- [setup] avoid usage of (un)serialize, which might be unsafe in some cases

This fixes the security vulnerabilities reported in PMASA-2010-1,
PMASA-2010-2 and PMASA-2010-3.
2010-01-26 12:04:37 +00:00
tron
f74047e59e Update "phpmyadmin" package to version 2.11.9.6. Changes since 2.11.9.5:
- [security] XSS and SQL injection, thanks to Herman van Rink
2009-12-03 12:05:10 +00:00
joerg
0268c554bd Remove @dirrm entries from PLISTs 2009-06-14 17:38:38 +00:00
tron
3f1334b063 Update "phpmyadmin" package to version 2.11.9.5. This fixes the remote
code execution vulnerability reported in PMASA-2009-3 / CVE-2009-1151.
2009-04-17 09:40:13 +00:00
tron
8c482e9764 Update "phpmyadmin" package to version 2.11.9.4. Changes since 2.11.9.3:
- [security] possible XSRF on several pages
2008-12-15 09:11:49 +00:00
adrianp
3722ab74c2 Add -f to ${RM} as some implementations of ${RM} (e.g. OpenSolaris) are a little sensitive when it comes to removing non-existent files. 2008-12-07 19:39:56 +00:00
tron
c5edc14050 Update "phpmyadmin" package to version 2.11.9.3. Changes since 2.11.9.1:
- [security] XSS in MSIE using NUL byte
- [security] XSS in a Designer component
2008-11-01 19:50:41 +00:00
tron
881aa84259 Update "phpmyadmin" package to version 2.11.9.1. Changes since 2.11.8.1:
- bug #2031221 [auth] Links to version number on login screen
- bug #2032707 [core] PMA does not start if ini_set() is disabled
- bug #2004915 [bookmarks] Saved queries greater than 1000 chars
  not displayed
- bug #2037381 [export] Export type "replace" does not work
- bug #2037375 [export] DROP PROCEDURE needs IF EXISTS
- bug #2045512 [export] Numbers in Excel export
+ [lang] Norwegian UTF-8 original file remerged
- bug #2074250 [parser] Undefined variable seen_from
- [security] Code execution vulnerability

This update fixes the security vulnerability reported in PMASA-2008-7.
2008-09-18 14:33:35 +00:00
tron
76b50e3813 Update "phpmyadmin" package to version 2.11.8.1. Changes since 2.11.7.1:
- patch #1987593 [interface] Table list pagination in navi
- bug #1989081 [profiling] Profiling causes query to be executed again
  (really causes a problem in case of INSERT/UPDATE)
- bug #1990342 [import] SQL file import very slow on Windows
- bug [XHTML] problem with tabindex and radio fields
- bug #1971221 [interface] tabindex not set correctly
- bug [views] VIEW name created via the GUI was not protected
  with backquotes
- bug #1989813 [interface] Deleting multiple views (space in name)
- bug #1992628 [parser] SQL parser removes essential space
- bug #1989281 [export] CSV for MS Excel incorrect escaping of
  double quotes
- bug #1959855 [interface] Font size option problem when no
  config file
- bug #1982489 [relation] Relationship view should check for changes
- bug [history] Do not save too big queries in history
- [security] Do not show version info on login screen
- bug #2018595 [import] Potential data loss on import resubmit
- patch #2020630 [export] Safari and timedate
- bug #2022182 [import, export] Import/Export fails because of
  Mac files
- [security] protection against cross-frame scripting and
  new directive AllowThirdPartyFraming
- [security] possible XSS during setup
- [interface] revert language changing problem introduced
   with 2.11.7.1
- small fix for notice about "lang"

This update fixes the security vulnerability reported in PMASA-2008-6.
2008-07-29 18:59:51 +00:00
tron
c6300a127c Update "phpmyadmin" package to version 2.11.7.1. Changes since 2.11.7:
- bug #1908719 [interface] New field cannot be auto-increment and
  primary key
- [dbi] Incorrect interpretation for some mysqli field flags
- bug #1910621 [display] part 1: do not display a TEXT utf8_bin
  as BLOB (fixed for mysqli extension only)
- [interface] sanitize the after_field parameter,
  thanks to Norman Hippert
- [structure] do not remove the BINARY attribute in drop-down
- bug #1955386 [session] Overriding session.hash_bits_per_character
- [interface] sanitize the table comments in table print view,
  thanks to Norman Hippert
- bug #1939031 Auto_Increment selected for TimeStamp by Default
- patch #1957998 [display] No tilde for InnoDB row counter when
  we know it for sure, thanks to Vladyslav Bakayev - dandy76
- bug #1955572 [display] alt text causes duplicated strings
- bug #1762029 [interface] Cannot upload BLOB into existing row
- bug #1981043 [export] HTML in exports getting corrupted,
  thanks to Jason Judge - jasonjudge
- bug #1936761 [interface] BINARY not treated as BLOB:
  update/delete issues
- protection against XSS when register_globals is on and .htaccess
  has no effect, thanks to Tim Starling
- bug #1996943 [export] Firefox 3 and .sql.gz (corrupted);
  detect Gecko 1.9, thanks to Juergen Wind
- (2.11.7.1)  [security] XSRF/CSRF by manipulating the db,
  convcharset and collation_connection parameters,
  thanks to YGN Ethical Hacker Group

This update fixes the security vulnerability reported in PMASA-2008-5.
2008-07-17 15:55:16 +00:00
tron
8308963ec1 Update "phpmyadmin" package to version 2.11.7. Changes since 2.11.6:
- bug #1908719 [interface] New field cannot be auto-increment and
  primary key
- [dbi] Incorrect interpretation for some mysqli field flags
- bug #1910621 [display] part 1: do not display a TEXT utf8_bin
  as BLOB (fixed for mysqli extension only)
- [interface] sanitize the after_field parameter,
  thanks to Norman Hippert
- [structure] do not remove the BINARY attribute in drop-down
- bug #1955386 [session] Overriding session.hash_bits_per_character
- [interface] sanitize the table comments in table print view,
  thanks to Norman Hippert
- bug #1939031 Auto_Increment selected for TimeStamp by Default
- patch #1957998 [display] No tilde for InnoDB row counter when
  we know it for sure, thanks to Vladyslav Bakayev - dandy76
- bug #1955572 [display] alt text causes duplicated strings
- bug #1762029 [interface] Cannot upload BLOB into existing row
- bug #1981043 [export] HTML in exports getting corrupted,
  thanks to Jason Judge - jasonjudge
- bug #1936761 [interface] BINARY not treated as BLOB:
  update/delete issues
- protection against XSS when register_globals is on and .htaccess
  has no effect, thanks to Tim Starling
- bug #1996943 [export] Firefox 3 and .sql.gz (corrupted);
  detect Gecko 1.9, thanks to Juergen Wind
2008-06-28 11:11:15 +00:00
tron
db956df774 Update "phpmyadmin" package to version 2.11.6. Changes since 2.11.5.2:
- bug #1903724 [interface] Displaying of very large queries
  in error message
- bug #1905711 [compatibility] Functions deprecated in PHP 5.3:
  is_a() and get_magic_quotes_gpc()
- bug [lang] catalan wrong accented characters
- bug #1893034 [Export] SET NAMES for importing with command-line
  client
+ [lang] Russian update
- bug #1910485 [core] Unsetting the whitelist during the loop
- bug #1906980 [Export] Import of VIEWs fails if temp table exists
- bug #1812763 [Copy] Table copy when server is in ANSI_QUOTES
  sql_mode
- bug #1918531 [compatibility] Navigation isn't w3.org valid
- bug #1926357 [data] BIT defaults displayed incorrectly
- patch #1930057 [auth] colon in password prevents HTTP login
  on CGI/IIS
- patch #1929553 [lang] Don't output BOM character in Swedish
  language file
- patch #1895796 [lang] Typo in Japanese lang files
- bug #1935652 [auth] Access denied (show warning about mcrypt
  on login page)
- bug #1906983 [export] Reimport of FUNCTION fails
- bug #1919808 [operations] Renaming a database fails to handle
  functions
- bug #1934401 [core] Cannot force a language
- bug #1944077 [core] Config file containing a BOM
- bug #1947189 [scripts] Missing head tag in scripts/signon.php
+ [lang] Romanian update
2008-06-08 14:15:28 +00:00
tron
9ba46c0fc4 Fix indentation. 2008-05-25 20:49:39 +00:00
tron
5653b15d71 Remove me as maintainer of some packages, claim ownership of a few packages. 2008-05-25 14:45:16 +00:00
adrianp
7a22457d50 Add a note about allowing access to the scripts directory 2008-05-03 10:46:28 +00:00
tron
12703a4ac9 Update "phpmyadmin" package to version 2.11.5.2. This update fixes the
security problem reported in PMASA-2008-3 (CVE-2008-1924).
2008-04-27 14:59:10 +00:00
obache
5ab2b90ce3 Fixes DESTDIR installation. 2008-04-01 16:21:29 +00:00
tron
72378d879c Update "phpmyadmin" package to version 2.11.5.1.
The new version fixes a credentials disclosure on shared hosts via
session data reported in security announcement PMASA-2008-2.
2008-04-01 16:11:21 +00:00
tron
49e3df3692 Update "phpmyadmin" package to version 2.11.5.
The new version fixes several bugs including the cross site scripting
vulnerability reported in PMASA-2007-8 and the SQL injection vulnerability
reported in PMASA-2008-1.
2008-03-03 16:47:47 +00:00
jlam
cc6162770e Mechanical changes to add DESTDIR support to packages that install
their files via a custom do-install target.
2008-03-03 15:21:07 +00:00
tron
38713c2651 Improve handling of configuration files and don't create obsolete "css"
directory. Problems noted by Stoned Elipot and Martti Kuparinen in
private e-mail. Bump package revision because of these changes.
2007-11-27 23:02:43 +00:00
tron
6b0e3c9b1a Improve handling of configuration files and don't create obsolete "css"
directory. Problems noted by Stoned Elipot and Martti Kuparinen in
private e-mail. Bump package revision because of these changes.
2007-11-27 15:20:47 +00:00
tron
3c431479d2 Don't try to remove directory "share/phpmyadmin/css" because it isn't
created anymore. Pointed out by Geert Hendrickx.
2007-11-13 12:44:33 +00:00
tron
cbb3db091e Update "phpmyadmin" package to version 2.11.2.1.
Changes since version 2.10.2:
- creating VIEWs from query results
- managing triggers, procedures and functions
- supports MySQL 5.0.37 query profiling
- improved interface for servers hosting thousands of databases and tables.
- security fixes for PMASA-2007-5, PMASA-2007-6 and PMASA-2007-7
2007-11-12 14:05:26 +00:00
jlam
4390d56940 Make it easier to build and install packages "unprivileged", where
the owner of all installed files is a non-root user.  This change
affects most packages that require special users or groups by making
them use the specified unprivileged user and group instead.

(1) Add two new variables PKG_GROUPS_VARS and PKG_USERS_VARS to
    unprivileged.mk.  These two variables are lists of other bmake
    variables that define package-specific users and groups.  Packages
    that have user-settable variables for users and groups, e.g. apache
    and APACHE_{USER,GROUP}, courier-mta and COURIER_{USER,GROUP},
    etc., should list these variables in PKG_USERS_VARS and PKG_GROUPS_VARS
    so that unprivileged.mk can know to set them to ${UNPRIVILEGED_USER}
    and ${UNPRIVILEGED_GROUP}.

(2) Modify packages to use PKG_GROUPS_VARS and PKG_USERS_VARS.
2007-07-04 20:54:31 +00:00
tron
0e6a9e7e09 Update "phpmyadmin" package to version 2.10.2.
The new version fixes several bugs and addresses the security
vulnerability reported in PMASA-2007-4.
2007-07-03 14:18:14 +00:00
jlam
84fa661d9a Use CONF_FILES_PERMS instead of CONF_FILES + SPECIAL_PERMS. 2007-06-15 14:18:38 +00:00
tron
256f1dda92 Update "phpmyadmin" package to version 2.10.0.2:
- Fix for PMASA-2007-3 (PHP Executor Deep Recursion Stack Overflow)
- New graphical relation manager, called Designer, available in
  database view
2007-03-20 14:17:16 +00:00
tron
072d3d156c Update "phpmyadmin" package to version 2.9.2rc1.
Changes since version 2.9.1.1 (literal quote from the home page):
  Version 2.9.2-rc1 contains some security fixes (an advisory will be
  published when releasing 2.9.2) and other fixes.
2007-01-10 12:50:04 +00:00
tron
cc10ab619a Fix various problems:
1.) Don't use hardcoded group "wheel". Use "APACHE_GROUP" instead which
    defaults to "www".
2.) Create user and group if necessary. This fixes PR pkg/35141 by
    Wouter Schoot.
3.) Fix path to Perl interpreter in helper script "convertcfg.pl" and
    add missing dependence on Perl package.
Bump package revision because of these fixes.
2006-11-27 17:30:56 +00:00
tron
b40d29fd69 Update "phpmyadmin" package to version 2.9.1.1.
Changes since version 2.9.0.3:
- Security fixes
- Wrong import when ;; is at buffer boundary
- Duplicate id for checkbox on table Operations page
- Better behavior on the Add new fields page
- Export: csv/cvs typo
- Renaming a db containing a view
- Automated timestamp values
- Import: correctly fail if file is too short
- Default font family on original theme
2006-11-19 15:55:54 +00:00
tron
3e0d77ac5a Update "phpmyadmin" package to version 2.9.0.3. This version fixes the
XSS vulnerability reported in PMASA-2006-6.
2006-11-04 15:50:37 +00:00
tron
d7e9555c5f Update "phpmyadmin" package to version 2.9.0.2.
Changes since version 2.8.2.4:
- Fix for security vulnerability reported in PMASA-2006-5
- New export options
- A lot of bug fixes
2006-10-14 11:22:32 +00:00
tron
9ddd7e7125 Update "phpmyadmin" package to version 2.8.2.4.
This release fixes some bugs found since version 2.8.2 has been released.

This update was provided by Martin Wilke in PR pkg/34314.
2006-08-29 09:01:29 +00:00
tron
b0f573372c Update "phpmyadmin" package to version 2.8.2.
Changes since version 2.8.0.4:
- XSS vulnerability from requests not containing a token
- Reenable XML option in Export
- State in documentation that your browser must accept cookies
- CVS link was broken on main page
- Adding a user with password containing a backslash
- Removing a default value
- Setup script: compatibility with security tokens
- Setup script: detection of writable config
- Reading the database list with MySQL wildcards
2006-07-08 10:26:29 +00:00
joerg
337c6b1297 Rename all PHP 4 packages to php4-*, all PHP 5 packages to php5-*,
all PEAR packages to php?-pear-* and all Apache packages to ap13-* or
ap2-* respectively. Add new variables to simplify the Makefile
handling. Add CONFLICTS on the old names. Reset revisions of bumped
packages. ap-php will now depend on the default Apache and PHP version.
All programs using it have an implicit option of the Apache version
as well.

OK from jlam@ and adrianp@.
2006-06-02 18:27:54 +00:00
tron
69ea5c3732 Update "phpmyadmin" package to version 2.8.0.4. This version fixes the
security vulnerability reported in PMASA-2006-2 and CVE-2006-2031.
2006-05-13 09:56:36 +00:00
tron
464d2bbc40 Update "phpmyadmin" package to version 2.8.0.3.
Changes since version 2.8.0.2:
- XSS vulnerability (set_theme)
- mysqli problems with zend.ze1_compatibility_mode enabled
- setup script did not save the mysql/mysqli extension
- XSS vulnerability (calling directly css files under themes)
2006-04-07 12:01:15 +00:00
tron
9d8ebf5bd8 Remove ".orig" files from work directory before installation so they
don't get installed. This fixes a package list problem reported by
Lubomir Sedlacik in private e-mail. Bump package revision.
2006-03-29 14:04:48 +00:00
tron
4173ef1cb2 Update "phpmyadmin" package to version 2.8.0.2.
Changes since version 2.8.0.1:
- XSS vulnerability (set_theme)
- mysqli problems with zend.ze1_compatibility_mode enabled
- setup script did not save the mysql/mysqli extension

Package source related changes:
- incorporate fix for phpMyAdmin bug #1436279 to make the package usable
  with Safari under Mac OS X again
2006-03-26 17:55:28 +00:00
tron
3a7c9408de Fix a few issues reported by "pkglint". 2006-03-09 11:23:25 +00:00
tron
9757ae14d8 Update "phpmyadmin" package to version 2.8.0.1. Changes since 2.7.0-pl1:
- PHP 5.1.2 compatibility
- Possibility to hide databases
- Configurable memory limit for import/export
- Better support for CGI
- Web-based setup
2006-03-09 11:21:22 +00:00
joerg
5911def816 Recursive revision bump / recommended bump for gettext ABI change. 2006-02-05 23:08:03 +00:00
tron
194beddcd6 Install all directories in "libraries" to make e.g. the import
functionality work. Bump package revision because of this fix.

This fixes PR pkg/32466 by Konrad Neuwirth.
2006-01-06 16:37:13 +00:00
jlam
dc9594e09d Remove USE_PKGINSTALL from pkgsrc now that mk/install/pkginstall.mk
automatically detects whether we want the pkginstall machinery to be
used by the package Makefile.
2005-12-29 06:21:30 +00:00
tron
67af8f5b51 Update "phpmyadmin" package to version 2.7.0pl1. Changes since version
2.6.4-pl4:
- New plugin-based import module
- Some pages now use fieldsets for better look
- Better support for information_schema
- Upgrade script new options
- Better displaying of privileges when there are differences between the
  various user definition tables
- Structure: count unique value for each field
- Can now limit the list of shown languages
- User-specific upload and save server directories
- Remove Drop tab for mysql database
- New transformation: SQL pretty printing
- Ability to limit maximum size of extended insert
- Support for searching in the foreign key window
- Can now replace an existing bookmark
- New shortcuts for IP rules
- Detect lack of privileges for "Create new table"
- Wrong display of localized MySQL error messages
- Need to select the primary key for MIME-based print view
- Handling of ENTER key when adding fields
- InnoDB: truncating icon and exact row count
- After dropping a db, links were missing
- Strict mode and auto-increment fields insertion
- Collation change for ENUM and SET
- Display problems on special characters in column name
- Links for MySQL documentation
- Escaping of "_"
- Could not edit privileges when different host in db and user
- Changing auto-increment value for InnoDB
- Correct sort order for foreign-key dropdowns
- Group database by rightmost separator
- Performance problem when inserting huge BLOBs
- Calendar popup and time beginning by 0

This update fixes the security vulnerabilities reported in PMASA-2005-8
and PMASA-2005-9.
2005-12-09 13:49:21 +00:00
rillig
b71a1d488b Fixed pkglint warnings. The warnings are mostly quoting issues, for
example MAKE_ENV+=FOO=${BAR} is changed to MAKE_ENV+=FOO=${BAR:Q}. Some
other changes are outlined in

    http://mail-index.netbsd.org/tech-pkg/2005/12/02/0034.html
2005-12-05 20:49:47 +00:00
tron
2ed31eca30 Update "phpmyadmin" package to version 2.6.4pl4. Changes since
version 2.6.4pl3:
- css/phpmyadmin.css.php: Do not use common header file, as there is
  nothing common at all.
- libraries/header_http.inc.php: Always send text/html content type.
- libraries/db_table_exists.lib.php, libraries/header_http.inc.php,
  transformation_wrapper.php: Use define rather than variable for
  conditional paths.
This fixes the security vulnerability reported in PMASA-2005-6.
2005-11-21 13:47:42 +00:00
tron
27311ea417 Update "phpmyadmin" package to version 2.6.4-pl3. This version fixes
the security vulnerability reported in PMASA-2005-5.
2005-10-30 12:54:35 +00:00
tron
9e04f79677 Update "phpmyadmin" package to version 2.6.4-pl2. This version fixes
the security vulnerability reported in PMASA-2005-4.
Addresses PR pkg/31561 by Zafer Aydogan.
2005-10-12 11:51:09 +00:00