phpmyadmin has several security bugs

Bug #82003 reported by magilus
Affects                 Status          Importance   Assigned to   Milestone
phpMyAdmin              Fix Released    Undecided    Unassigned
phpmyadmin (Ubuntu)     Fix Released    Undecided    Unassigned
  Dapper                Won't Fix       Undecided    Unassigned
  Edgy                  Won't Fix       Undecided    Unassigned
  Feisty                Fix Released    Undecided    Unassigned

Bug Description

Binary package hint: phpmyadmin

Dapper's phpmyadmin has the following security bugs:

PMASA-2007-2
PMASA-2007-1
PMASA-2006-9
PMASA-2006-8
PMASA-2006-7
PMASA-2006-6
PMASA-2006-5
PMASA-2006-4
PMASA-2006-3
PMASA-2006-2

Edgy's phpmyadmin has the following security bugs:

PMASA-2007-2
PMASA-2007-1
PMASA-2006-9
PMASA-2006-8
PMASA-2006-7
PMASA-2006-6
PMASA-2006-5

CVE References

magilus (magilus)
Changed in phpmyadmin:
status: Unconfirmed → Fix Released
Revision history for this message
magilus (magilus) wrote :

Sadly, the dev team does not publish patches, which makes it hard to solve the issues. They only publish updated packages, which also fix bugs.

Opensuse decided to go with upstream when doing security updates:

> The phpMyAdmin package was upgraded to version 2.9.1.1.
>
> While we usually do not do version upgrades, fixing the occurring
> security problems of phpMyAdmin got too difficult so we decided to
> go with the current upstream version.

magilus (magilus)
description: updated
magilus (magilus)
Changed in phpmyadmin:
assignee: nobody → pirast
status: Unconfirmed → Confirmed
assignee: nobody → pirast
status: Unconfirmed → Confirmed
magilus (magilus) wrote :

I asked pitti if we could put newer versions of PMA into stable releases if they fix security issues.

He said that this would be possible if the following points are met:

- New package has been tested amply on Dapper / Edgy
- New package does not ship with any significant UI changes
- Upgrade to the new package works flawlessly and does not destroy settings and / or functionality

So far, I will test if that is the case.

I'd appreciate it if someone else from the duplicate bugs also wants to test this, so that we can push security updates of PMA to dapper-security and edgy-security.

Please leave a reply if you want to.

magilus (magilus) wrote :

I am going to attach the Edgy .deb and the Dapper .deb of the recent phpMyAdmin version.

Please try to upgrade to them and report any issues you encounter (upgrade to the new package works flawlessly and does not destroy settings and/or functionality; new package does not ship with any significant UI changes). Also include which package you tried (Edgy, Dapper).

magilus (magilus) wrote :

For me, it installs fine on Dapper. But sadly, /etc/phpmyadmin/config.inc.php (in which I changed some values) has changed, so a dialogue opens that asks whether to overwrite it.

magilus (magilus) wrote :

I copied the config.inc.php from the current phpMyAdmin versions in Edgy and Dapper to debian/conf of the new packages.

Now, no message appears asking you if you want to replace config.inc.php.

The updated debs can be found here:

http://gamesplace.info/opensource/ubuntu/phpmyadmin/

Dapper: phpmyadmin_2.9.1.1-2ubuntu0.6.06_all.deb
Edgy: phpmyadmin_2.9.1.1-2ubuntu0.6.10_all.deb

As always, it would be great if you could test these.

# dpkg -i phpmyadmin_2.9.1.1-2ubuntu0.6.06_all.deb
(Reading database ... 29669 files and directories currently installed.)
Preparing to replace phpmyadmin 4:2.8.0.3-1 (using phpmyadmin_2.9.1.1-2ubuntu0.6.06_all.deb) ...
Unpacking replacement phpmyadmin ...
Setting up phpmyadmin (2.9.1.1-2ubuntu0.6.06) ...
Replacing config file /etc/phpmyadmin/htaccess with new version

#

Tomorrow, I will release a new version which does not overwrite htaccess (the change there is for apache 2.2 compatibility, which is neither in dapper nor in edgy), so it won't destroy settings.
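
As an added example that is not part of this bug report or of the phpmyadmin package: the two pre-flight checks a maintainer would want before pushing an update like the one above, written in Python. Version ordering follows dpkg's rules (re-implemented here, not dpkg's own code); `compare_versions` also shows why the epoch matters. In the transcript above the installed package is `4:2.8.0.3-1` while the replacement is set up as `2.9.1.1-2ubuntu0.6.06`; `dpkg -i` installs it regardless, but apt compares the epoch first and would not treat an epoch-less candidate as an upgrade. `conffile_action` models the conffile handling behind the overwrite dialogue that shipping the old config.inc.php avoids. The status paragraph, the hashes and the assumed fixed version `4:2.9.1.1` are constructed sample data.

```python
import re

def _order(c):
    # dpkg's weight for a non-digit character: '~' sorts first, letters before symbols.
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256

def _verrevcmp(a, b):
    """Compare two upstream_version or debian_revision strings as dpkg does."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character with dpkg's weights.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: numeric comparison, leading zeros ignored.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1  # a has digits left, so its number is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def split_version(v):
    """'4:2.8.0.3-1' -> (4, '2.8.0.3', '1'); epoch and revision are optional."""
    epoch = 0
    if ":" in v:
        epoch, v = v.split(":", 1)
        epoch = int(epoch)
    upstream, revision = v.rsplit("-", 1) if "-" in v else (v, "")
    return epoch, upstream, revision

def compare_versions(a, b):
    """-1, 0 or 1 like `dpkg --compare-versions a lt|eq|gt b`. The epoch is decided
    first, so a candidate that drops it sorts below an installed package that has one."""
    ea, ua, ra = split_version(a)
    eb, ub, rb = split_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    r = _verrevcmp(ua, ub) or _verrevcmp(ra, rb)
    return (r > 0) - (r < 0)

def is_affected(installed, first_fixed):
    # True while the installed version is older than the first fixed one.
    return compare_versions(installed, first_fixed) < 0

def apt_would_upgrade(installed, candidate):
    # apt only offers the candidate if it sorts strictly higher; dpkg -i installs it anyway.
    return compare_versions(candidate, installed) > 0

def conffile_action(recorded_md5, new_pkg_md5, current_md5):
    """Predict dpkg's conffile handling. recorded_md5 is the hash stored in
    /var/lib/dpkg/status, new_pkg_md5 the file inside the new package, current_md5
    the file on disk."""
    if new_pkg_md5 == recorded_md5:
        return "keep local file"   # package did not touch it; local edits survive
    if current_md5 in (recorded_md5, new_pkg_md5):
        return "replace silently"  # no local edits, or already the new content
    return "prompt"                # both sides changed: the dialogue seen in this bug

# Constructed status paragraph; the Version matches the dpkg transcript above.
STATUS_SNIPPET = """Package: phpmyadmin
Status: install ok installed
Version: 4:2.8.0.3-1
Conffiles:
 /etc/phpmyadmin/config.inc.php 0123456789abcdef0123456789abcdef
 /etc/phpmyadmin/htaccess fedcba9876543210fedcba9876543210
"""

def parse_status(text):
    """Return (Version, {conffile path: recorded md5}) from one status paragraph."""
    version = re.search(r"^Version:\s*(\S+)", text, re.M).group(1)
    conffiles = dict(re.findall(r"^ (\S+) ([0-9a-f]{32})", text, re.M))
    return version, conffiles

if __name__ == "__main__":
    installed, conffiles = parse_status(STATUS_SNIPPET)
    print("affected:", is_affected(installed, "4:2.9.1.1"))  # assumed fixed version
    for cand in ("2.9.1.1-2ubuntu0.6.06", "4:2.9.1.1-2ubuntu0.6.06"):
        print(cand, "apt upgrade:", apt_would_upgrade(installed, cand))
    recorded = conffiles["/etc/phpmyadmin/config.inc.php"]
    print(conffile_action(recorded, "c" * 32, "d" * 32))  # both edited -> prompt
    print(conffile_action(recorded, recorded, "d" * 32))  # old conffile shipped -> keep
```

On a real system the recorded hashes come from the `Conffiles:` field of the package's paragraph in /var/lib/dpkg/status, the new package's hashes from its unpacked contents, and the current hash from an md5 of the file on disk; the three-way comparison then tells you before the upgrade which files will prompt, which is the condition the SRU criteria above want ruled out.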

magilus (magilus) wrote :

New Edgy deb, available at [1], needs some user testing (it would be great if you could try it). It is a new revision which solves the issue that a rewrite-dialogue appears.

[1] http://gamesplace.info/opensource/ubuntu/phpmyadmin/phpmyadmin_2.9.1.1-2ubuntu0.6.10_all.deb

Changed in phpmyadmin:
status: Confirmed → Needs Info
magilus (magilus) wrote :

New Dapper deb, available at [1], needs some user testing (it would be great if you could try it). It is a new revision which solves the issue that a rewrite-dialogue appears.

[1] http://gamesplace.info/opensource/ubuntu/phpmyadmin/phpmyadmin_2.9.1.1-2ubuntu0.6.06_all.deb

Changed in phpmyadmin:
status: Confirmed → Needs Info
Simon Brakhane (master) wrote :

Tested the edgy deb, works fine for me.

magilus (magilus)
Changed in phpmyadmin:
status: Needs Info → In Progress
magilus (magilus)
Changed in phpmyadmin:
assignee: pirast → nobody
status: In Progress → Confirmed
assignee: pirast → nobody
status: Needs Info → Confirmed
Emanuele Gentili (emgent) wrote :

Martin Jürgens, thanks for your work.
Please attach your debdiff.

Thanks

magilus (magilus) wrote :

That post is over 1 year old and I am not active in Ubuntu anymore. I also do not have any access to the debdiff. Sorry!!

Hew (hew) wrote :

Ubuntu Edgy Eft is no longer supported, so an SRU will not be issued for this release. Marking Edgy as Won't Fix.

Changed in phpmyadmin:
status: Confirmed → Won't Fix
Saivann Carignan (oxmosys) wrote :

Dapper has not been supported since July 2009, therefore I am marking the Dapper task as Invalid.

Changed in phpmyadmin (Ubuntu Dapper):
status: Confirmed → Invalid
Artur Rona (ari-tczew) wrote :

Dapper server support lasts until June 2011, so it can be fixed.

Changed in phpmyadmin (Ubuntu Dapper):
status: Invalid → New
Changed in phpmyadmin:
importance: Unknown → Undecided
status: Unknown → New
Artur Rona (ari-tczew) wrote :

Status:

Closed

Changed in phpmyadmin:
status: New → Fix Released
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. dapper has reached EOL (End of Life) and is no longer supported. As a result, this bug against dapper is being marked "Won't Fix". Please see https://wiki.ubuntu.com/Releases for currently supported Ubuntu releases.

Please feel free to report any other bugs you may find.

Changed in phpmyadmin (Ubuntu Dapper):
status: New → Won't Fix