"Welcome to these two security releases."
This is a security fix, please bump without huge delay ;)
This appears to be due to http://www.phpmyadmin.net/home_page/security/PMASA-2011-1.php.
There is another security release, this one a little bit more serious:
SQL query could be executed under another user.
It was possible to create a bookmark which would be executed unintentionally by other users.
We consider this vulnerability to be critical.
To use this vulnerability, phpMyAdmin configuration storage needs to be set up and enabled, and the bookmarks function needs to be enabled.
The 2.11.x and 3.3.x versions are affected.
Upgrade to phpMyAdmin 188.8.131.52 or newer (184.108.40.206 or newer for the older family) or apply the related patch listed below.
This issue was found by Michal Čihař.
Assigned CVE ids: CVE-2011-0987
CWE ids: CWE-661 CWE-89
I would recommend skipping 220.127.116.11 and going directly to 18.104.22.168
Arches, please test and mark stable:
Target keywords: "alpha amd64 hppa ppc ppc64 sparc x86"
Works perfectly on my VPS. amd64 done. Thanks Agostino
x86 stable. Thanks
Stable for HPPA.
ppc/ppc64 stable, last arch done
Thanks, everyone. GLSA request filed.
The PMA_Bookmark_get function in libraries/bookmark.lib.php in phpMyAdmin
2.11.x before 22.214.171.124, and 3.3.x before 126.96.36.199, does not properly
restrict bookmark queries, which makes it easier for remote authenticated
users to trigger another user's execution of a SQL query by creating a
phpMyAdmin 2.11.x before 188.8.131.52, and 3.3.x before 184.108.40.206, does not
properly handle the absence of the (1) README, (2) ChangeLog, and (3)
LICENSE files, which allows remote attackers to obtain the installation path
via a direct request for a nonexistent file.
This issue was resolved and addressed in
GLSA 201201-01 at http://security.gentoo.org/glsa/glsa-201201-01.xml
by GLSA coordinator Tim Sammut (underling).