Hello community, here is the log from the commit of package phpMyAdmin for openSUSE:Factory checked in at 2016-11-28 15:09:37 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/phpMyAdmin (Old) and /work/SRC/openSUSE:Factory/.phpMyAdmin.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "phpMyAdmin" Changes: -------- --- /work/SRC/openSUSE:Factory/phpMyAdmin/phpMyAdmin.changes 2016-11-18 22:01:54.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.phpMyAdmin.new/phpMyAdmin.changes 2016-11-28 15:09:38.000000000 +0100 @@ -1,0 +2,141 @@ +Sat Nov 26 15:32:19 UTC 2016 - ecsos@opensuse.org + +- update to 4.6.5.1 (2016-11-26) + - quick fix for 4.6.5 + * an issue affecting a small number of users using + $cfg['Servers'][$i]['hide_db'] or $cfg['Servers'][$i]['only_db']. + * an issue affecting the create table dialog where the partition + selection tool was overzealous and made it difficult to create + a new table. + +- update to 4.6.5 (2016-11-25) + - security fixes + * Fix for expanding in navigation pane + * Reintroduced a simplified version of PmaAbsoluteUri directive + (needed with reverse proxies) + * Fix editing of ENUM/SET/DECIMAL field structures + * Improvements to the parser + - other fixes + * Remove potentionally license problematic sRGB profile + * gh#12459 Display read only fields as read only when editing + * gh#12384 Fix expanding of navigation pane when clicking on database + * gh#12430 Impove partitioning support + * gh#12374 Reintroduced simplified PmaAbsoluteUri configuration directive + * Always use UTC time in HTTP headers + * gh#12479 Simplified validation of external links + * gh#12483 Fix browsing tables with built in transformations + * gh#12485 Do not show warning about short blowfish_secret if none is set + * gh#12251 Fixed random logouts due to wrong cookie path + * gh#12480 Fixed editing of ENUM/SET/DECIMAL fields structure + * gh#12497 Missing escaping of configuration used in SQL (hide_db and only_db) + * gh#12476 Add error checking in reading advisory rules file + * gh#12477 Add checking missing elements and confirming element types from json_decode + * gh#12251 Automatically save SQL query in browser local storage rather than in cookie + * gh#12292 Unable to edit transformations + * gh#12502 Remove unused paramenter when connecting to MySQLi + * gh#12303 Fix number formatting with different settings of precision in PHP + * gh#12405 Use single quotes in PHP code + * gh#12534 Option for the dropped column is not removed from 'after_field' select, after the column is dropped + * gh#12531 Properly detect DROP DATABASE queries + * gh#12470 Fix possible race condition in setting URL hash + * gh#11924 Remove caching of server information + * gh#11628 Proper parsing of INSERT ... ON DUPLICATE KEY queries + * gh#12545 Proper parsing of CREATE TABLE ... PARTITION queries + * gh#12473 Code can throw unhandled exception + * gh#12550 Do not try to keep alive session even after expiry + * gh#12512 Fixed rendering BBCode links in setup + * gh#12518 Fixed copy of table with generated columns + * gh#12221 Fixed export of table with generated columns + * gh#12320 Copying a user does not copy usergroup + * gh#12272 Adding a new row with default enum goes to no selection when you want to add more then 2 rows + * gh#12487 Drag and drop import prevents file dropping to blob column file selector on the insert tab + * gh#12554 Absence of scrolling makes it impossible to read longer text values in grid editing + * gh#12530 "Edit routine" crashes when the current user is not the definer, even if privileges are adequate + * gh#12300 Export selective tables by-default dumps Events also + * gh#12298 Fixed export of view definitions + * gh#12242 Edit routine detail dialog does not fill "Return length" field in mysql functions + * gh#12575 New index Confirm adds whitespace around the field name + * gh#12382 Bug in zoom search + * gh#12321 Assign LIMIT clause only to syntactically correct queries + * gh#12461 Can't Execute SQL With Sub-Query Due To "LIMIT 0,25" Inserted At Wrong Place + * gh#12511 Clarify documentation on ArbitraryServerRegexp + * gh#12508 Remove duplicate code in SQL escaping + * gh#12475 Cleanup code for getting table information + * gh#12579 phpMyAdmin's export of a Select statment without a FROM clause generates Wrong SQL + * gh#12316 Correct export of complex SELECT statements + * gh#12080 Fixed parsing of subselect queries + * gh#11740 Fixed handling DELETE ... USING queries + * gh#12100 Fixed handling of CASE operator + * gh#12455 Query history stores separate entry for every letter typed + * gh#12327 Create PHP code no longer works + * gh#12179 Fixed bookmarking of query with multiple statements + * gh#12419 Wrong description on GRANT OPTION + * gh#12615 Fixed regexp for matching browser versions + * gh#12569 Avoid showing import errors twice + * gh#12362 prefs_manage.php can leave an orphaned temporary file + * gh#12619 Unable to export csv when using union select + * gh#12625 Broken Edit links in query results of JOIN query + * gh#12634 Drop DB error in import if DB doesn't exist + * gh#12338 Designer reverts to first saved ER after EACH relation create or delete + * gh#12639 'Show trace' in Console generates JS error for functions in query's trace called without any arguments + * gh#12366 Fix user creation with certain MariaDB setups + * gh#12616 Refuse to work with mbstring.func_overload enabled + * gh#12472 Properly report connection without password in setup + * gh#12365 Fix records count for large tables + * gh#12533 Fix records count for complex queries + * gh#12454 Query history not updated in console until page refresh + * gh#12344 Fixed parsing of labels in loop + * gh#12228 Fixed parsing of BEGIN labels + * gh#12637 Fixed editing some timestamp values + * gh#12622 Fixed javascript error in designer + * gh#12334 Missing page indicator or VIEWs + * gh#12610 Export of tables with Timestamp/Datetime/Time columns defined with ON UPDATE clause with precision fails + * gh#12661 Error inserting into pma__history after timeout + * gh#12195 Row_format = fixed not visible + * gh#12665 Cannot add a foreign key - non-indexed fields not listed in InnoDB tables + * gh#12674 Allow for proper MySQL-allowed strings as identifiers + * gh#12651 Allow for partial dates on table insert page + * gh#12681 Fixed designer with tables using special chars + * gh#12652 Fixed visual query builder for foreign keys with more fields + * gh#12257 Improved search page performance + * gh#12322 Avoid selecting default function for foreign keys + * gh#12453 Fixed escaping of SQL parts in some corner cases + * gh#12542 Missing table name in account privileges editor + * gh#12691 Remove ksort call on empty array in PMA_getPlugins function + * gh#12443 Check parameter type before processing + * gh#12299 Avoid generating too long URLs in search + * gh#12361 Fix self SQL injection in table-specific privileges + * gh#12698 Add link to release notes and download on new version notification + * gh#12712 Error when trying to setup replication (fatal error in call to an old PMA_DBI_connect function) +- fix for boo#1012271 + https://www.phpmyadmin.net/security/ + * Unsafe generation of $cfg['blowfish_secret'] + see PMASA-2016-58 (CVE ids: Not yet assigned , CWE-661) + * phpMyAdmin's phpinfo functionality is removed + see PMASA-2016-59 (CVE ids: Not yet assigned , CWE-661) + * AllowRoot and allow/deny rule bypass with specially-crafted username + see PMASA-2016-60 (CVE ids: Not yet assigned , CWE-661) + * Username matching weaknesses with allow/deny rules + see PMASA-2016-61 (CVE ids: Not yet assigned , CWE-661) + * Possible to bypass logout timeout + see PMASA-2016-62 (CVE ids: Not yet assigned , CWE-661) + * Full path disclosure (FPD) weaknesses + see PMASA-2016-63 (CVE ids: Not yet assigned , CWE-661) + * Multiple XSS weaknesses + see PMASA-2016-64 (CVE ids: Not yet assigned , CWE-661, CWE-352) + * Multiple denial-of-service (DOS) vulnerabilities + see PMASA-2016-65 (CVE ids: Not yet assigned , CWE-661, CW-400) + * Possible to bypass white-list protection for URL redirection + see PMASA-2016-66 (CVE ids: Not yet assigned , CWE-661, CWE-20, CWE-601) + * BBCode injection to login page + see PMASA-2016-67 (CVE ids: Not yet assigned , CWE-661) + * Denial-of-service (DOS) vulnerability in table partitioning + see PMASA-2016-68 (CVE ids: Not yet assigned , CWE-661, CWE-400) + * Multiple SQL injection vulnerabilities + see PMASA-2016-69 (CVE ids: Not yet assigned , CWE-661, CWE-89) + * Incorrect serialized string parsing + see PMASA-2016-70 (CVE ids: Not yet assigned , CWE-661) + * CSRF token not stripped from the URL + see PMASA-2016-71 (CVE ids: Not yet assigned , CWE-661) + +------------------------------------------------------------------- Old: ---- phpMyAdmin-4.6.4-all-languages.tar.xz phpMyAdmin-4.6.4-all-languages.tar.xz.asc New: ---- phpMyAdmin-4.6.5.1-all-languages.tar.xz phpMyAdmin-4.6.5.1-all-languages.tar.xz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ phpMyAdmin.spec ++++++ --- /var/tmp/diff_new_pack.bIBt9e/_old 2016-11-28 15:09:40.000000000 +0100 +++ /var/tmp/diff_new_pack.bIBt9e/_new 2016-11-28 15:09:40.000000000 +0100 @@ -29,7 +29,7 @@ %define ap_grp nogroup %endif Name: phpMyAdmin -Version: 4.6.4 +Version: 4.6.5.1 Release: 0 Summary: Administration of MySQL over the web License: GPL-2.0+ ++++++ phpMyAdmin-4.6.4-all-languages.tar.xz -> phpMyAdmin-4.6.5.1-all-languages.tar.xz ++++++ ++++ 19780 lines of diff (skipped)