PMASA-2009-1 (version 3 only)
HTTP Response Splitting and file inclusion vulnerability
The BLOB streaming feature allowed an attacker to include arbitrary files and inject HTTP headers using crafted URL parameters.
PMASA-2009-2 (version 2 and 3)
Cross-site scripting on export page using cookies
PMASA-2009-3 (version 2 and 3)
Insufficient output sanitizing when generating configuration file
The setup script used to generate the configuration can be fooled by a crafted POST request into writing arbitrary PHP code into the generated configuration file.
Directory traversal vulnerability in bs_disp_as_mime_type.php in the
BLOB streaming feature in phpMyAdmin before 220.127.116.11 allows remote
attackers to read arbitrary files via directory traversal sequences
in the file_path parameter ($filename variable).
CRLF injection vulnerability in bs_disp_as_mime_type.php in the BLOB
streaming feature in phpMyAdmin before 18.104.22.168 allows remote
attackers to inject arbitrary HTTP headers and conduct HTTP response
splitting attacks via the (1) c_type and possibly (2) file_type
Multiple cross-site scripting (XSS) vulnerabilities in the export
page (display_export.lib.php) in phpMyAdmin 2.11.x before 22.214.171.124
and 3.x before 126.96.36.199 allow remote attackers to inject arbitrary web
script or HTML via the pma_db_filename_template cookie.
Static code injection vulnerability in setup.php in phpMyAdmin 2.11.x
before 188.8.131.52 and 3.x before 184.108.40.206 allows remote attackers to
inject arbitrary PHP code into a configuration file via the save
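The four advisory texts above describe four distinct bug classes in the same release: directory traversal through file_path, CRLF injection through c_type/file_type, XSS from the pma_db_filename_template cookie, and PHP code injection into the generated configuration file. The block below is an added illustration of the hardened form of each pattern; it is not phpMyAdmin's code and none of the function or constant names (resolveInsideBase, safeContentType, htmlSafe, renderConfig, CONFIG_SCHEMA, ALLOWED_MIME) exist in the project. It assumes PHP 8 and a writable temp directory for the demonstration calls at the bottom.

```php
<?php
// Added example, not phpMyAdmin's code: hardened forms of the four patterns
// named in the advisories above. All identifiers here are hypothetical.
declare(strict_types=1);

// ---- 1. Directory traversal (file_path parameter) ----
/** Resolve $requested under $baseDir; null if missing or outside the base. */
function resolveInsideBase(string $baseDir, string $requested): ?string
{
    $base = realpath($baseDir);
    if ($base === false || str_contains($requested, "\0")) {
        return null;
    }
    $full = realpath($base . DIRECTORY_SEPARATOR . $requested);
    // The canonical path must lie strictly below the canonical base directory;
    // comparing with the trailing separator avoids /data matching /data2.
    if ($full === false || !str_starts_with($full, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $full;
}

// ---- 2. CRLF injection / response splitting (c_type, file_type) ----
const ALLOWED_MIME = ['image/png', 'image/jpeg', 'application/pdf', 'text/plain'];

/** Never copy a client-supplied MIME type into header(); allowlist it instead. */
function safeContentType(?string $requested): string
{
    $ctype = strtolower(trim((string) $requested));
    return in_array($ctype, ALLOWED_MIME, true) ? $ctype : 'application/octet-stream';
}

function streamBlob(string $baseDir, string $filePath, ?string $cType): void
{
    $path = resolveInsideBase($baseDir, $filePath);
    if ($path === null) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . safeContentType($cType));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

// ---- 3. XSS via a cookie value (pma_db_filename_template) ----
/** Encode any cookie- or request-derived string before placing it in HTML. */
function htmlSafe(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// ---- 4. Static code injection when writing a config file (setup.php) ----
const CONFIG_SCHEMA = ['host' => 'string', 'port' => 'integer', 'compress' => 'boolean'];

/**
 * Build configuration-file source from POSTed settings. Keys come from a
 * fixed schema and values pass through var_export(), which emits quoted PHP
 * literals, so a value containing quotes or PHP syntax is written as inert
 * string data rather than as code.
 */
function renderConfig(array $input): string
{
    $lines = ['<?php', '// generated configuration; do not edit by hand'];
    foreach (CONFIG_SCHEMA as $key => $type) {
        if (!array_key_exists($key, $input)) {
            continue; // keys outside the schema are never written
        }
        $raw = $input[$key];
        $typed = match ($type) {
            'string'  => is_string($raw) ? $raw : throw new InvalidArgumentException($key),
            'integer' => filter_var($raw, FILTER_VALIDATE_INT) !== false
                         ? (int) $raw : throw new InvalidArgumentException($key),
            'boolean' => in_array($raw, ['0', '1', true, false], true)
                         ? (bool) $raw : throw new InvalidArgumentException($key),
        };
        $lines[] = sprintf('$cfg[%s] = %s;', var_export($key, true), var_export($typed, true));
    }
    return implode("\n", $lines) . "\n";
}

// Constructed demonstration inputs, not captured traffic.
var_dump(resolveInsideBase(sys_get_temp_dir(), '../../../etc/passwd'));
var_dump(safeContentType("text/html\r\nSet-Cookie: x=1"));
echo htmlSafe('<script>alert(1)</script>'), "\n";
echo renderConfig(['host' => "localhost'; echo 'injected'; //", 'port' => '3306', 'compress' => '1']);
```

Two design notes. PHP's own header() has refused values containing a newline since 5.1.2, but the allowlist in safeContentType does not rely on that: a content type the server did not choose is simply never emitted. Likewise, the config generator never concatenates a user value into PHP source; var_export() is the only path a value takes into the file, and unknown keys are dropped rather than written, which is the property the setup-script fix needs.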
Created attachment 186477
Updated phpmyadmin-220.127.116.11 ebuild
(In reply to comment #2)
> Created an attachment (id=186477) 
> Updated phpmyadmin-18.104.22.168 ebuild
We much appreciate your effort, but attaching an ebuild when there's no real change since the last version in the tree is confusing. Please just state "Bumping the old ebuild works" or attach a unified diff of the necessary changes.
web-apps, please bump.
Arches, please test and mark stable:
Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"
+*phpmyadmin-3.2.0 (19 Jun 2009)
+*phpmyadmin-22.214.171.124 (19 Jun 2009)
+ 19 Jun 2009; Alex Legler <firstname.lastname@example.org> +phpmyadmin-126.96.36.199.ebuild,
+ -phpmyadmin-3.1.2.ebuild, +phpmyadmin-3.2.0.ebuild:
+ Non-maintainer commit: Version bump, security bugs 263711 and 266438, bump
+ request 270877.
Stable for HPPA.
Fixing the rating. Arches, your karma will increase a lot if you stable this quickly. ;)
x86 stable, closing
GLSA time first.
Stable on alpha.
This bug has not finished [stable] stage when it entered [glsa]. sparc is missing.
sparc, please stable =dev-db/phpmyadmin-188.8.131.52