Upstream phpmyadmin has two new XSS vulnerabilities. These are patched in version 3.5.8.1. Reproducible: Didn't try Welcome to phpMyAdmin 3.5.8.1, a security release. 3.5.8.1 (2013-04-24) - [security] Remote code execution (preg_replace), reported by Janek Vind (see PMASA-2013-2) - [security] Locally Saved SQL Dump File Multiple File Extension Remote Code Execution, reported by Janek Vind (see PMASA-2013-3)
Commits for the branch: https://github.com/phpmyadmin/phpmyadmin/commits/RELEASE_3_5_8_1
CVE-2013-3239 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3239): phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3, when a SaveDir directory is configured, allows remote authenticated users to execute arbitrary code by using a double extension in the filename of an export file, leading to interpretation of this file as an executable file by the Apache HTTP Server, as demonstrated by a .php.sql filename. CVE-2013-3238 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-3238): phpMyAdmin 3.5.x before 3.5.8 and 4.x before 4.0.0-rc3 allows remote authenticated users to execute arbitrary code via a /e\x00 sequence, which is not properly handled before making a preg_replace function call within the "Replace table prefix" feature.
Bug 468516 is not a blocker: this can be fixed with 3.5.8.1.
GLSA vote: yes
GLSA with 479870, 478696, 465420
This issue was resolved and addressed in GLSA 201311-02 at http://security.gentoo.org/glsa/glsa-201311-02.xml by GLSA coordinator Sergey Popov (pinkbyte).