from release note: This is patch level 2 of phpMyAdmin 2.6.0, containing a security fix and a few other fixes (see ChangeLog). Security fix: If PHP is not running in safe mode, a problem in the MIME-based transformation system (with an "external" transformation) allows to execute any command with the privileges of the web server's user. ______ http://secunia.com/advisories/12813/ Critical: Highly critical Impact: System access Where: From remote Solution Status: Vendor Patch Software: phpMyAdmin 2.x Description: A vulnerability has been reported in phpMyAdmin, which potentially can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to a problem in the MIME-based transformation system with "external" transformations. This can be exploited to execute arbitrary commands. Successful exploitation requires that PHP's safe mode is disabled. Solution: Update to version 2.6.0-pl2. http://www.phpmyadmin.net/home_page/ Provided and/or discovered by: Reported by vendor. __________________ twp, please bump the ebuild
OK, 2.6.0-pl2 in CVS, 2.6.0 removed. Not heavily tested. I'll close the bug in a couple of days unless there are reported problems.
Tom: please don't close the bug, we've still security work to do on it. It's unclear if the vulnerability affects all phpmyadmin versions or just the 2.6.0 series. Could you look into it ? The stable keywords need is not the same in each case...
according to http://www.heise.de/security/news/meldung/52132 (german) all versions since 2.5 are affected, since the transformation system (http://www.phpmyadmin.net/documentation/#transformations) has been implemented there for the first time
OK, then we need to keyword it stable as in 2.5.7_p1. Arches, please test and mark dev-db/phpmyadmin-2.6.0_p2 stable
stable on ppc
Stable on hppa.
Stable on sparc
Stable on alpha.
GLSA drafted, blocked by amd64 missing keyword.
stable on amd64.
GLSA 200410-14
