From Secunia security advisory at $URL:
Certain input passed to setup.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
NOTE: Successful exploitation requires that installation best-practices have not been followed and the config directory is left writable.
The vulnerability is reported in version 3.4.5. Other versions may also be affected.
Update to version 3.4.6 or apply patches.
This appears to be http://www.phpmyadmin.net/home_page/security/PMASA-2011-16.php which references CVE-2011-4064 instead of CVE-2011-3646 as listed in the Secunia advisory. Instead I think CVE-2011-3646 is covered by http://www.phpmyadmin.net/home_page/security/PMASA-2011-15.php.
Let's make this bug for both issues; both are reportedly fixed in 3.4.6.
Arches, please test and mark stable:
Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"
By the way: there wasn't any decision in the discussion about non-compiled packages and how to stabilize them, was there? This is a pure PHP package, and I've just been copying ebuilds for the last few releases. Since it has rather frequent updates, if any arch wants me to stabilize it directly at the next security bump, let me know.
Looks perfect on a server, amd64 ok.
Stable for HPPA.
+ 19 Oct 2011; Tony Vroon <firstname.lastname@example.org> phpmyadmin-3.4.6.ebuild:
+ Marked stable on AMD64 based on arch testing by Agostino "ago" Sarubbo & Ian
+ "idella4" Delaney in security bug #387413.
Thanks, folks. GLSA Vote: no.
Cross-site scripting (XSS) vulnerability in the setup interface in
phpMyAdmin 3.4.x before 3.4.6 allows remote attackers to inject arbitrary
web script or HTML via a crafted value.
phpmyadmin.css.php in phpMyAdmin 3.4.x before 3.4.6 allows remote attackers
to obtain sensitive information via an array-typed js_frame parameter to
phpmyadmin.css.php, which reveals the installation path in an error message.
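As an added illustration of the pattern behind the second CVE (this is constructed example code, not phpMyAdmin's own source and not taken from either advisory): a PHP script that assumes a query parameter is a string will, when the parameter arrives as an array (`?js_frame[]=1`), hand that array to a string function, and with `display_errors` enabled the resulting warning carries the absolute path of the script. Only the parameter name `js_frame` and the script name come from the CVE text; the function names, the allowed values and the directory in the comment are hypothetical.

```php
<?php
// Added example, not phpMyAdmin code: how an array-typed query parameter
// turns into a path-disclosing PHP warning, and how to guard against it.

// Vulnerable: assumes $_GET['js_frame'] is a string.
// Request: phpmyadmin.css.php?js_frame[]=1
// On PHP 5/7 with display_errors=On, preg_match() emits roughly:
//   Warning: preg_match() expects parameter 2 to be string, array given
//   in /var/www/html/phpmyadmin/phpmyadmin.css.php on line N
// (hypothetical path) and the client now knows the installation directory.
// On PHP 8 the same call throws a TypeError; with display_errors=On the
// uncaught exception message likewise includes the file path.
function vulnerable_frame(): string
{
    $frame = isset($_GET['js_frame']) ? $_GET['js_frame'] : 'left';
    // preg_match() on an array warns/throws instead of matching.
    if (preg_match('/^(left|right|print)$/', $frame)) {
        return $frame;
    }
    return 'left';
}

// Hardened: reject anything that is not a plain string before it reaches
// any string function, and allow-list the value, so neither a type warning
// nor any other error message can be triggered by the parameter's shape.
function hardened_frame(): string
{
    $allowed = ['left', 'right', 'print'];
    $frame = isset($_GET['js_frame']) ? $_GET['js_frame'] : 'left';
    if (!is_string($frame) || !in_array($frame, $allowed, true)) {
        return 'left';
    }
    return $frame;
}

// Usage inside the stylesheet script (hypothetical):
header('Content-Type: text/css');
$frame = hardened_frame();
echo "/* frame: {$frame} */\n";
```

The type check is the actual fix; it is independent of PHP configuration. Turning `display_errors` off in production is the defence-in-depth layer that keeps any remaining warning from being echoed to the client, but it does not make the underlying code correct.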
This issue was resolved and addressed in
GLSA 201201-01 at http://security.gentoo.org/glsa/glsa-201201-01.xml
by GLSA coordinator Tim Sammut (underling).