http://sourceforge.net/news/?group_id=23067&id=309525 phpMyAdmin 3.5.3 is released Welcome to phpMyAdmin 3.5.3, a bugfix release with minor security fixes (refer to the upcoming PMASA-2012-6 and PMASA-2012-7 for more details). phpMyAdmin no longer contains the Highcharts library (which caused a licensing problem).
"Welcome to phpMyAdmin 3.5.3, a bugfix release with minor security fixes. This release no longer contains the Highcharts library (which caused a licensing problem)."
Thank you for the report, Tomas. Upstream advisories: http://www.phpmyadmin.net/home_page/security/PMASA-2012-6.php http://www.phpmyadmin.net/home_page/security/PMASA-2012-7.php
CVE-2012-5368 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5368): phpMyAdmin 3.5.x before 3.5.3 uses JavaScript code that is obtained through an HTTP session to phpmyadmin.net without SSL, which allows man-in-the-middle attackers to conduct cross-site scripting (XSS) attacks by modifying this code. CVE-2012-5339 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5339): Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 3.5.x before 3.5.3 allow remote authenticated users to inject arbitrary web script or HTML via a crafted name of (1) an event, (2) a procedure, or (3) a trigger.
*** Bug 440096 has been marked as a duplicate of this bug. ***
*** Bug 440772 has been marked as a duplicate of this bug. ***
Okay bumped to phpMyAdmin 3.5.3.
(In reply to comment #6) > Okay bumped to phpMyAdmin 3.5.3. Thanks. Is it ready for stabilization?
(In reply to comment #7) > (In reply to comment #6) > > Okay bumped to phpMyAdmin 3.5.3. > > Thanks. Is it ready for stabilization? I just added it to the tree and did a preliminary test to make sure I wasn't introducing anything obviously bad. However, it is not thoroughly tested. Maybe wait a week and do an early stabilization.
(In reply to comment #8) > (In reply to comment #7) > > (In reply to comment #6) > > > Okay bumped to phpMyAdmin 3.5.3. > > > > Thanks. Is it ready for stabilization? > > I just added it to the tree and did a preliminary test to make sure I wasn't > introducing anything obviously bad. However, it is not thoroughly tested. > Maybe wait a week and do an early stabilization. Ok, let's revisit this around Nov 19th.
Thanks for the bump, I'm putting it into testing.
It's good to go. Arches, please test and mark stable: =dev-db/phpmyadmin-3.5.3 Target KEYWORDS: "alpha amd64 hppa ppc ppc64 sparc x86"
Stable for HPPA.
amd64 stable
stable ppc ppc64
x86 done.
alpha/sparc stable
Thanks, everyone. Closing noglsa for XSS issues.