Hello community,
here is the log from the commit of package phpMyAdmin
checked in at Sun Mar 30 12:03:20 CEST 2008.
--------
--- phpMyAdmin/phpMyAdmin.changes 2008-03-10 06:07:10.000000000 +0100
+++ /mounts/work_src_done/NOARCH/phpMyAdmin/phpMyAdmin.changes 2008-03-29 16:05:23.000000000 +0100
@@ -1,0 +2,6 @@
+Sat Mar 29 16:04:38 CET 2008 - crrodriguez@suse.de
+
+- update to version 2.11.5.1
+ * bug #1909711 [security] Sensitive data in session files
+
+-------------------------------------------------------------------
Old:
----
phpMyAdmin-2.11.5-all-languages-utf-8-only.tar.bz2
New:
----
phpMyAdmin-2.11.5.1-all-languages-utf-8-only.tar.bz2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ phpMyAdmin.spec ++++++
--- /var/tmp/diff_new_pack.Pn1732/_old 2008-03-30 12:02:32.000000000 +0200
+++ /var/tmp/diff_new_pack.Pn1732/_new 2008-03-30 12:02:32.000000000 +0200
@@ -1,5 +1,5 @@
#
-# spec file for package phpMyAdmin (Version 2.11.5)
+# spec file for package phpMyAdmin (Version 2.11.5.1)
#
# Copyright (c) 2008 SUSE LINUX Products GmbH, Nuernberg, Germany.
# This file and all modifications and additions to the pristine
@@ -17,8 +17,8 @@
Group: Productivity/Networking/Web/Frontends
Requires: mod_php_any php-mysql php-bz2 php-gd php-zlib php-iconv php-mcrypt php-session php5-mbstring
AutoReqProv: on
-Version: 2.11.5
-Release: 3
+Version: 2.11.5.1
+Release: 1
Source0: %{name}-%{version}-all-languages-utf-8-only.tar.bz2
Source1: phpmyadmin.conf
Patch1: %{name}-2.11.0rc1-blowfish_secret.patch
@@ -116,6 +116,9 @@
%ghost %{serverroot}%{name}/config.inc.php
%changelog
+* Sat Mar 29 2008 crrodriguez@suse.de
+- update to version 2.11.5.1
+ * bug #1909711 [security] Sensitive data in session files
* Mon Mar 10 2008 crrodriguez@suse.de
- phpMyAdmin tries to access non-existing print.css [#307966]
* Sat Mar 01 2008 crrodriguez@suse.de
++++++ phpMyAdmin-2.11.5-all-languages-utf-8-only.tar.bz2 -> phpMyAdmin-2.11.5.1-all-languages-utf-8-only.tar.bz2 ++++++
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/phpMyAdmin-2.11.5-all-languages-utf-8-only/ChangeLog new/phpMyAdmin-2.11.5.1-all-languages-utf-8-only/ChangeLog
--- old/phpMyAdmin-2.11.5-all-languages-utf-8-only/ChangeLog 2008-03-01 12:58:56.000000000 +0100
+++ new/phpMyAdmin-2.11.5.1-all-languages-utf-8-only/ChangeLog 2008-03-29 14:28:55.000000000 +0100
@@ -2,9 +2,12 @@
phpMyAdmin - ChangeLog
----------------------
-$Id: ChangeLog 11151 2008-03-01 11:59:07Z lem9 $
+$Id: ChangeLog 11175 2008-03-29 06:06:35Z lem9 $
$HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyAdmin/C... $
+2.11.5.1 (2008-03-29)
+- bug #1909711 [security] Sensitive data in session files
+
2.11.5.0 (2008-03-01)
- bug #1862661 [GUI] Warn about rename deleting database
- bug #1866041 [interface] Incorrect sorting with AS
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/phpMyAdmin-2.11.5-all-languages-utf-8-only/Documentation.html new/phpMyAdmin-2.11.5.1-all-languages-utf-8-only/Documentation.html
--- old/phpMyAdmin-2.11.5-all-languages-utf-8-only/Documentation.html 2008-03-01 12:58:56.000000000 +0100
+++ new/phpMyAdmin-2.11.5.1-all-languages-utf-8-only/Documentation.html 2008-03-29 14:28:55.000000000 +0100
@@ -2,7 +2,7 @@
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US"
version="-//W3C//DTD XHTML 1.1//EN" dir="ltr">
-<!-- $Id: Documentation.html 11151 2008-03-01 11:59:07Z lem9 $ -->
+<!-- $Id: Documentation.html 11177 2008-03-29 13:26:51Z lem9 $ -->
<!--
vim: expandtab ts=4 sw=4 sts=4 tw=78
-->
@@ -11,7 +11,7 @@
<link rel="icon" href="./favicon.ico" type="image/x-icon" />
<link rel="shortcut icon" href="./favicon.ico" type="image/x-icon" />
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
- <title>phpMyAdmin 2.11.5 - Documentation</title>
+ <title>phpMyAdmin 2.11.5.1 - Documentation</title>
<link rel="stylesheet" type="text/css" href="docs.css" />
</head>
@@ -33,7 +33,7 @@
<li><a href="#glossary">Glossary</a></li>
</ul>
-<h1>phpMyAdmin 2.11.5 Documentation</h1>
+<h1>phpMyAdmin 2.11.5.1 Documentation</h1>
<ul><li><a href="http://www.phpmyadmin.net/">
phpMyAdmin homepage</a></li>
@@ -48,7 +48,7 @@
</ul>
</li>
<li>Documentation version:
- <i>$Id: Documentation.html 11151 2008-03-01 11:59:07Z lem9 $</i>
+ <i>$Id: Documentation.html 11177 2008-03-29 13:26:51Z lem9 $</i>
</li>
</ul>
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/phpMyAdmin-2.11.5-all-languages-utf-8-only/Documentation.txt new/phpMyAdmin-2.11.5.1-all-languages-utf-8-only/Documentation.txt
--- old/phpMyAdmin-2.11.5-all-languages-utf-8-only/Documentation.txt 2008-03-01 12:58:57.000000000 +0100
+++ new/phpMyAdmin-2.11.5.1-all-languages-utf-8-only/Documentation.txt 2008-03-29 14:28:55.000000000 +0100
@@ -11,7 +11,7 @@
* Translators
* Glossary
-phpMyAdmin 2.11.5 Documentation
+phpMyAdmin 2.11.5.1 Documentation
* phpMyAdmin homepage
* SourceForge phpMyAdmin project page
@@ -20,7 +20,7 @@
+ Version history: ChangeLog
+ General notes: README
+ License: LICENSE
- * Documentation version: $Id: Documentation.html 11151 2008-03-01 11:59:07Z
+ * Documentation version: $Id: Documentation.html 11177 2008-03-29 13:26:51Z
lem9 $
Requirements
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/phpMyAdmin-2.11.5-all-languages-utf-8-only/libraries/common.inc.php new/phpMyAdmin-2.11.5.1-all-languages-utf-8-only/libraries/common.inc.php
--- old/phpMyAdmin-2.11.5-all-languages-utf-8-only/libraries/common.inc.php 2008-03-01 12:58:57.000000000 +0100
+++ new/phpMyAdmin-2.11.5.1-all-languages-utf-8-only/libraries/common.inc.php 2008-03-29 14:28:55.000000000 +0100
@@ -22,7 +22,7 @@
* - db connection
* - authentication work
*
- * @version $Id: common.inc.php 11135 2008-02-23 21:16:42Z lem9 $
+ * @version $Id: common.inc.php 11175 2008-03-29 06:06:35Z lem9 $
*/
/**
@@ -463,26 +463,20 @@
/******************************************************************************/
/* parsing configuration file LABEL_parsing_config_file */
-if (empty($_SESSION['PMA_Config'])) {
- /**
- * We really need this one!
- */
- if (! function_exists('preg_replace')) {
- PMA_fatalError('strCantLoad', 'pcre');
- }
-
- /**
- * @global PMA_Config $_SESSION['PMA_Config']
- */
- $_SESSION['PMA_Config'] = new PMA_Config('./config.inc.php');
-
-} elseif (version_compare(phpversion(), '5', 'lt')) {
- /**
- * @todo move all __wakeup() functionality into session.inc.php
- */
- $_SESSION['PMA_Config']->__wakeup();
+/**
+ * We really need this one!
+ */
+if (! function_exists('preg_replace')) {
+ PMA_fatalError('strCantLoad', 'pcre');
}
+/**
+ * @global PMA_Config $_SESSION['PMA_Config']
+ * force reading of config file, because we removed sensitive values
+ * in the previous iteration
+ */
+$_SESSION['PMA_Config'] = new PMA_Config('./config.inc.php');
+
if (!defined('PMA_MINIMUM_COMMON')) {
$_SESSION['PMA_Config']->checkPmaAbsoluteUri();
}
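Review bot: The object assigned to `$_SESSION['PMA_Config']` in this hunk holds `blowfish_secret` and the server settings for the whole request, and the only scrub is the one added in the later hunk at old line 901. Any path that ends the request in between (a fatal-error handler or an `exit` in code not visible here) would presumably still let PHP write the unscrubbed object to the session file at shutdown. Consider keeping the full config out of `$_SESSION`, or registering the scrub with `register_shutdown_function()` directly after construction so it runs on every exit path. The docblock should also state that the config file is now parsed on every request and that this is deliberate; as written, the explanation is folded into the `@global` tag.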
@@ -901,6 +895,11 @@
} // end if !defined('PMA_MINIMUM_COMMON')
+// remove sensitive values from session
+$_SESSION['PMA_Config']->set('blowfish_secret', '');
+$_SESSION['PMA_Config']->set('Servers', '');
+$_SESSION['PMA_Config']->set('default_server', '');
+
if (!empty($__redirect) && in_array($__redirect, $goto_whitelist)) {
/**
* include subform target page
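Review bot: The three `set()` calls form a deny-list, so any secret-bearing setting added to the config later is persisted to the session file unless this list is extended. A comment should say so, e.g. `// keep in sync with every config key that holds credentials or secrets`. Overwriting `Servers` with `''` also changes its type from array to string, and the subform page included just below runs after the scrub. Code there that reads servers through the config object rather than `$GLOBALS['cfg']` would get an empty string, which cannot be verified from this hunk. `$_SESSION['PMA_Config']->set('Servers', array());` would keep the type stable.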
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/phpMyAdmin-2.11.5-all-languages-utf-8-only/libraries/Config.class.php new/phpMyAdmin-2.11.5.1-all-languages-utf-8-only/libraries/Config.class.php
--- old/phpMyAdmin-2.11.5-all-languages-utf-8-only/libraries/Config.class.php 2008-03-01 12:58:57.000000000 +0100
+++ new/phpMyAdmin-2.11.5.1-all-languages-utf-8-only/libraries/Config.class.php 2008-03-29 14:28:55.000000000 +0100
@@ -3,7 +3,7 @@
/**
*
*
- * @version $Id: Config.class.php 11151 2008-03-01 11:59:07Z lem9 $
+ * @version $Id: Config.class.php 11177 2008-03-29 13:26:51Z lem9 $
*/
/**
@@ -85,7 +85,7 @@
*/
function checkSystem()
{
- $this->set('PMA_VERSION', '2.11.5');
+ $this->set('PMA_VERSION', '2.11.5.1');
/**
* @deprecated
*/
@@ -886,8 +886,9 @@
*/
function enableBc()
{
- $GLOBALS['cfg'] =& $this->settings;
- $GLOBALS['default_server'] =& $this->default_server;
+ $GLOBALS['cfg'] = $this->settings;
+ $GLOBALS['default_server'] = $this->default_server;
+ unset($this->default_server);
$GLOBALS['collation_connection'] = $this->get('collation_connection');
$GLOBALS['is_upload'] = $this->get('enable_upload');
$GLOBALS['max_upload_size'] = $this->get('max_upload_size');
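Review bot: The switch from `=&` to `=` in `enableBc()` is what stops the session scrub in common.inc.php from also emptying `$GLOBALS['cfg']`, but nothing in the code says so, and a later cleanup could restore the references and reintroduce the leak or break the globals. Add a comment such as `// copy by value: the session object is scrubbed at the end of common.inc.php and must not alias $GLOBALS['cfg']`. The added `unset($this->default_server);` also means a second `enableBc()` call on the same object would read an undefined property and overwrite `$GLOBALS['default_server']` with null. Wrapping the assignment and unset in `if (isset($this->default_server)) { ... }` would avoid that. The function body continues past the end of the hunk.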
diff -urN --exclude=CVS --exclude=.cvsignore --exclude=.svn --exclude=.svnignore old/phpMyAdmin-2.11.5-all-languages-utf-8-only/README new/phpMyAdmin-2.11.5.1-all-languages-utf-8-only/README
--- old/phpMyAdmin-2.11.5-all-languages-utf-8-only/README 2008-03-01 12:58:56.000000000 +0100
+++ new/phpMyAdmin-2.11.5.1-all-languages-utf-8-only/README 2008-03-29 14:28:55.000000000 +0100
@@ -1,12 +1,12 @@
-$Id: README 11151 2008-03-01 11:59:07Z lem9 $
+$Id: README 11177 2008-03-29 13:26:51Z lem9 $
phpMyAdmin - Readme
===================
A set of PHP-scripts to manage MySQL over the web.
- Version 2.11.5
- --------------
+ Version 2.11.5.1
+ ----------------
http://www.phpmyadmin.net/
Copyright (C) 1998-2000 Tobias Ratschiller