From secunia security advisory at $URL: Certain input passed to setup.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. NOTE: Successful exploitation requires that installation best-practices have not been followed and the config directory is left writable. The vulnerability is reported in version 3.4.5. Other versions may also be affected. Solution: Update to version 3.4.6 or apply patches.
This appears to be http://www.phpmyadmin.net/home_page/security/PMASA-2011-16.php which references CVE-2011-4064 instead of CVE-2011-3646 as listed in the secunia advisory. Instead I think CVE-2011-3646 is covered by http://www.phpmyadmin.net/home_page/security/PMASA-2011-15.php. Let's make this bug for both issues, both are reportedly fixed in 3.4.6. CVE-2011-3646 http://www.phpmyadmin.net/home_page/security/PMASA-2011-15.php CVE-2011-4064 http://www.phpmyadmin.net/home_page/security/PMASA-2011-16.php
Arches, please test and mark stable: =dev-db/phpmyadmin-3.4.6 Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86" By the way: There wasn't any decision on the discussion non-compiled packages and how to stabilize them, was there? This is a pure PHP package, and I've been just copying ebuilds for the last few releases. Since it has rather frequent updates, if any arch wants me to directly stabilize it at the next security bump, let me know.
looks perfect on a server, amd64 ok
amd64; ok
Stable for HPPA.
+ 19 Oct 2011; Tony Vroon <chainsaw@gentoo.org> phpmyadmin-3.4.6.ebuild: + Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian + "idella4" Delaney in security bug #387413.
x86 stable
ppc/ppc64 stable
alpha/sparc stable
Thanks, folks. GLSA Vote: no.
CVE-2011-4064 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4064): Cross-site scripting (XSS) vulnerability in the setup interface in phpMyAdmin 3.4.x before 3.4.6 allows remote attackers to inject arbitrary web script or HTML via a crafted value.
CVE-2011-3646 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3646): phpmyadmin.css.php in phpMyAdmin 3.4.x before 3.4.6 allows remote attackers to obtain sensitive information via an array-typed js_frame parameter to phpmyadmin.css.php, which reveals the installation path in an error message.
This issue was resolved and addressed in GLSA 201201-01 at http://security.gentoo.org/glsa/glsa-201201-01.xml by GLSA coordinator Tim Sammut (underling).