UbuntuUpdates.org

Package "phpmyadmin"

Name: phpmyadmin

Description: MySQL web administration tool

Latest version: 4:4.6.6-5ubuntu0.5
Release: bionic (18.04)
Level: security
Repository: universe
Homepage: https://www.phpmyadmin.net/

Other versions of "phpmyadmin" in Bionic

Repository        Area       Version
base              universe   4:4.6.6-5
updates           universe   4:4.6.6-5ubuntu0.5
PPA: phpMyAdmin              4:5.1.1+dfsg1-3+bionic1

Changelog

Version: 4:4.6.6-5ubuntu0.5 2020-11-19 15:07:01 UTC

  phpmyadmin (4:4.6.6-5ubuntu0.5) bionic-security; urgency=medium

  * SECURITY UPDATE: Cross-site scripting (XSS)
    - debian/patches/CVE-2020-26934.patch: make sure where_clause is not
      modified
    - debian/patches/fix-tests-for-CVE-2020-26934-and-CVE-2020-26935.patch:
      Fix failing tests
    - debian/patches/CVE-2018-7260.patch: Fix XSS vulnerability in central
      columns feature
    - debian/patches/CVE-2018-19970.patch: Fix stored Cross-Site Scripting
      (XSS) in navigation tree.
    - CVE-2020-26934
    - CVE-2018-7260
    - CVE-2018-19970
  * SECURITY UPDATE: Cross-site request forgery (CSRF)
    - debian/patches/CVE-2019-12616.patch: Retrieve parameters from $_POST
      in AuthenticationCookie.
    - debian/patches/fix-tests-for-CVE-2019-12616.patch: Fix tests for
      CVE-2019-12616
  * SECURITY UPDATE: SQL Injection
    - debian/patches/CVE-2020-26935.patch: Check where clause signature in
      TableSearchController
    - debian/patches/CVE-2019-6798.patch: SQL injection in Designer
    - debian/patches/CVE-2019-11768.patch: Fix escape database name when
      saving page on designer.
    - debian/patches/CVE-2020-5504.patch: escape username in the query
    - debian/patches/CVE-2020-10804: escape username, password, and hostname
    - debian/patches/CVE-2020-10802: Use Util::backquote in getDataRowAction
    - debian/patches/CVE-2020-10803: Add where_clause check in
      tbl_get_field.php
    - debian/patches/fix-tests-for-CVE-2020-10803.patch: Fix
      Display/ResultsTest errors
    - CVE-2020-26935
    - CVE-2019-6798
    - CVE-2019-11768
    - CVE-2020-5504
    - CVE-2020-10804
    - CVE-2020-10802
    - CVE-2020-10803
  * SECURITY UPDATE: Sensitive information exposure
    - debian/patches/CVE-2018-19968.patch: Remove transform plugin includes
    - debian/patches/CVE-2019-6799.patch: Prevent arbitrary file read by
      the webserver
    - CVE-2018-19968
    - CVE-2019-6799
  * FTBFS: PHPUnit namespace discrepancy
    - debian/patches/fix-tests-bionic.patch: The version of PHPUnit packaged
      with bionic is not compatible with these unit tests. Some minor namespace
      tweaks were needed in order to get the test suite to run. One test case
      provided by rulesProvider for testAddRules() was disabled.

 -- Mike Salvatore <email address hidden> Tue, 17 Nov 2020 19:16:01 -0500

CVE-2020-26934 phpMyAdmin before 4.9.6 and 5.x before 5.0.3 allows XSS through the transformation feature via a crafted link.
CVE-2020-26935 An issue was discovered in SearchController in phpMyAdmin before 4.9.6 and 5.x before 5.0.3. A SQL injection vulnerability was discovered in how phpM
CVE-2018-7260 Cross-site scripting (XSS) vulnerability in db_central_columns.php in phpMyAdmin before 4.7.8 allows remote authenticated users to inject arbitrary w
CVE-2018-19970 In phpMyAdmin before 4.8.4, an XSS vulnerability was found in the navigation tree, where an attacker can deliver a payload to a user through a crafte
CVE-2019-12616 An issue was discovered in phpMyAdmin before 4.9.0. A vulnerability was found that allows an attacker to trigger a CSRF attack against a phpMyAdmin u
CVE-2019-6798 An issue was discovered in phpMyAdmin before 4.8.5. A vulnerability was reported where a specially crafted username can be used to trigger a SQL inje
CVE-2019-11768 An issue was discovered in phpMyAdmin before 4.9.0.1. A vulnerability was reported where a specially crafted database name can be used to trigger an
CVE-2020-5504 In phpMyAdmin 4 before 4.9.4 and 5 before 5.0.1, SQL injection exists in the user accounts page. A malicious user could inject custom SQL in place of
CVE-2020-10804 In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was found in retrieval of the current username (in libraries/class
CVE-2020-10802 In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability has been discovered where certain parameters are not properly esca
CVE-2020-10803 In phpMyAdmin 4.x before 4.9.5 and 5.x before 5.0.2, a SQL injection vulnerability was discovered where malicious code could be used to trigger an XS
CVE-2018-19968 An attacker can exploit phpMyAdmin before 4.8.4 to leak the contents of a local file because of an error in the transformation feature. The attacker
CVE-2019-6799 An issue was discovered in phpMyAdmin before 4.8.5. When the AllowArbitraryServer configuration setting is set to true, with the use of a rogue MySQL