CVE-2008-7251 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-7251): libraries/File.class.php in phpMyAdmin 2.11.x before 2.11.10 creates a temporary directory with 0777 permissions, which has unknown impact and attack vectors.
web-apps, please bump.
CVE-2008-7252 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-7252): libraries/File.class.php in phpMyAdmin 2.11.x before 2.11.10 uses predictable filenames for temporary files, which has unknown impact and attack vectors.
PMASA-2010-4 (http://www.phpmyadmin.net/home_page/security/PMASA-2010-4.php) Date: 2010-08-20 Insufficient output sanitizing when generating configuration file. The setup script used to generate configuration can be fooled using a crafted POST request to include arbitrary PHP code in generated configuration file. Combined with the ability to save files on the server, this can allow unauthenticated users to execute arbitrary PHP code. We consider this vulnerability to be critical. Affected Versions For 2.11.x: versions before 2.11.10.1.
Arches, please test and mark stable: =dev-db/phpmyadmin-3.3.5.1 Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"
Stable for HPPA.
amd64 done
x86 stable
alpha/sparc stable
ppc, pcc64: This bug is superseded by bug 335490. Please continue stabilizing version 3.3.6 there.
CVE-2010-3055 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-3055): The configuration setup script (aka scripts/setup.php) in phpMyAdmin 2.11.x before 2.11.10.1 does not properly restrict key names in its output file, which allows remote attackers to execute arbitrary PHP code via a crafted POST request.
Affected ebuilds were removed from the tree.
This issue was resolved and addressed in GLSA 201201-01 at http://security.gentoo.org/glsa/glsa-201201-01.xml by GLSA coordinator Tim Sammut (underling).