XSS on table creation page XSS on the cookie-based login panel
web-apps team, please provide a fixed ebuild, thanks.
I committed 2.6.4_rc1 last night
Arches, please test and mark stable
stable on x86
sparc stable.
Stable on ppc and hppa.
Stable on amd64.
this was odd, the post-install instructions issued after the upgrade had the old version listed, not the new one... (see below)

I ran "# mysql -u root -p < /usr/share/webapps/phpmyadmin/2.6.4_rc1/sqlscripts/mysql/2.6.4_rc1_create.sql" manually but the less observant might miss it.

# webapp-config -U -h localhost -d phpmyadmin phpmyadmin 2.6.4_rc1
* Upgrading phpmyadmin-2.6.2-r2 to phpmyadmin-2.6.4_rc1
* Installed by root on 2005-05-07 14:36:09
* Config files owned by root:root
* Creating required directories
* Linking in required files
* This can take several minutes for larger apps
--- cfgpro file config.inc.php
^o^ hiding ./._cfg0000_config.inc.php
* Files and directories installed
* One or more files have been config protected
* To complete your install, you need to run this command:
*
* CONFIG_PROTECT="/var/www/localhost/htdocs/phpmyadmin" etc-update
* Install completed - success
* Removing old version phpmyadmin-2.6.2-r2
--- cfgpro file config.inc.php
<snipped>
* Remove whatever is listed above by hand
=================================================================
POST-INSTALL INSTRUCTIONS
=================================================================
To complete installation, you must
1. Update MySQL's grant tables and the pmadb database:
mysql -u root -p < /usr/share/webapps/phpmyadmin/2.6.2-r2/sqlscripts/mysql/2.6.2-r2_create.sql
If <snip>
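An added example, not from this bug thread nor from the webapp-config or phpmyadmin projects, showing one way to catch the mismatch reported above before anyone runs the wrong SQL script: a small POSIX shell check that reads the captured webapp-config output, takes the target version from the "Upgrading ... to phpmyadmin-..." line and compares it with the version embedded in the sqlscripts path quoted under POST-INSTALL INSTRUCTIONS. The function names and the abridged sample output are constructed for this example (the sample is cut down from the output pasted in the comment).

```shell
# Added example: verify that the sqlscripts path printed in webapp-config's
# POST-INSTALL INSTRUCTIONS refers to the version being installed, not the
# version being replaced. All input comes from stdin (captured output).

# Version being installed, taken from "* Upgrading OLD to phpmyadmin-NEW".
installed_version() {
    sed -n 's/.*Upgrading [^ ]* to phpmyadmin-\([^ ]*\).*/\1/p' | head -n 1
}

# Version embedded in the create-script path of the instructions.
instructed_version() {
    sed -n 's#.*/usr/share/webapps/phpmyadmin/\([^/]*\)/sqlscripts/.*#\1#p' | head -n 1
}

# Compare both; exit status 0 = consistent, 1 = mismatch, 2 = could not parse.
check_postinstall() {
    out=$(cat)
    want=$(printf '%s\n' "$out" | installed_version)
    got=$(printf '%s\n' "$out" | instructed_version)
    if [ -z "$want" ] || [ -z "$got" ]; then
        echo "could not find both versions in the output" >&2
        return 2
    fi
    if [ "$want" = "$got" ]; then
        echo "post-install instructions match installed version $want"
        return 0
    fi
    echo "MISMATCH: installed $want but instructions reference $got" >&2
    echo "run instead: mysql -u root -p < /usr/share/webapps/phpmyadmin/$want/sqlscripts/mysql/${want}_create.sql" >&2
    return 1
}

# Constructed sample, abridged from the output quoted in the thread.
SAMPLE=' * Upgrading phpmyadmin-2.6.2-r2 to phpmyadmin-2.6.4_rc1
 * Install completed - success
POST-INSTALL INSTRUCTIONS
1. Update the grant tables and the pmadb database:
   mysql -u root -p < /usr/share/webapps/phpmyadmin/2.6.2-r2/sqlscripts/mysql/2.6.2-r2_create.sql'

# Usage (hypothetical invocation): run the upgrade, keep its output, then
#   webapp-config -U -h localhost -d phpmyadmin phpmyadmin 2.6.4_rc1 2>&1 | tee upgrade.log
#   check_postinstall < upgrade.log
```

Against the sample above the check reports a mismatch (installed 2.6.4_rc1, instructions reference 2.6.2-r2) and prints the corrected command, which is exactly the one run by hand in the comment.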
See bug #98142
2.6.4_rc1 stable on alpha. Sorry about the delay :)
This one is ready for GLSA vote, I tend to vote NO.
I'd say no, too
I agree it's lame (XSS on a typically Intranet/admin tool), but we did GLSAs for this in the past (see GLSA 200504-08), so I'll play the devil's advocate and vote YES :) [that said, the phpmyadmin folks didn't even issue an advisory about this one]
I don't know if I count as anything here, but as part of web-apps, and one of the upstream authors, I'd like to vote no.
Voting full NO and Closing. Feel free to reopen if you disagree.