Bug 540891

Field | Value
---|---
Summary | blowfish secret for cookie authentication is not hashed / fails if size too long
Product | [Fedora] Fedora EPEL
Component | phpMyAdmin
Version | el5
Status | CLOSED ERRATA
Severity | medium
Priority | low
Reporter | Till Maas <opensource>
Assignee | Robert Scheck <redhat-bugzilla>
QA Contact | Fedora Extras Quality Assurance <extras-qa>
CC | mmcgrath, opensource, redhat-bugzilla
Keywords | Reopened
Hardware | All
OS | Linux
URL | https://sourceforge.net/tracker/?func=detail&aid=2905629&group_id=23067&atid=377408
Fixed In Version | 2.11.9.6-3.el4
Doc Type | Bug Fix
Last Closed | 2009-12-27 20:34:08 UTC
Description
Till Maas
2009-11-24 13:19:48 UTC

CentOS Extras is an unsupported repository. Use the packages from Fedora EPEL, please. Next point is that phpMyAdmin 2.11.9.6 is in maintenance-only mode by upstream, which means the 2.11.9.x branch will only get security updates, no bugfixes anymore. We can't update to phpMyAdmin 3.x, because a newer version of phpMyAdmin would require php >= 5.2, which neither RHEL 4 nor RHEL 5 is able to satisfy (PHP 4.3.x, PHP 5.1.x). Do you see the same issue in Fedora 11, 12 or Rawhide? If yes, we can try to fix it upstream and maybe backport Fedora-only. And if the issue doesn't exist in Fedora any longer, we maybe can backport the fix already.

I looked at the source of phpMyAdmin 3.2.3 and $GLOBALS['cfg']['blowfish_secret'] is still used without any modification like hashing or truncation, therefore I expect the issue to be present in Rawhide, too.

I've opened upstream bug ID #2905629.

Upstream has rejected your request:
> In Documentation.html:
> $cfg['blowfish_secret'] string
> The "cookie" auth_type uses blowfish algorithm to encrypt the password.
> The maximum number of characters for this parameter seems to be 46.
If you don't agree with upstream, please participate in the upstream bug.

Created attachment 375944 [details]
phpMyAdmin-2.11.9.6-blowfish.patch
Till, can you please test whether my backport try works for you as expected?

phpMyAdmin-3.2.4-1.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/phpMyAdmin-3.2.4-1.fc10

phpMyAdmin-3.2.4-1.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/phpMyAdmin-3.2.4-1.fc12

phpMyAdmin-3.2.4-1.fc10 has been pushed to the Fedora 10 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update phpMyAdmin'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2009-12711

phpMyAdmin-3.2.4-1.fc11 has been pushed to the Fedora 11 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update phpMyAdmin'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F11/FEDORA-2009-12724

phpMyAdmin-3.2.4-1.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update phpMyAdmin'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12727

Till, ping? Can you please test the patch from comment #5?

phpMyAdmin-3.2.4-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.

Till, can you please test whether my backport try works for you as expected?

phpMyAdmin-3.2.4-1.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.

(In reply to comment #14)
> Till, can you please test, whether my backport try works for you as expected?
Sorry for the delay, I did not have access to the system I experienced the problem with phpMyAdmin on. I just got a virtual machine running and the patch fixes the problem on CentOS 5.4.

phpMyAdmin-2.11.9.6-2.el4 has been submitted as an update for Fedora EPEL 4. http://admin.fedoraproject.org/updates/phpMyAdmin-2.11.9.6-2.el4

phpMyAdmin-2.11.9.6-2.el5 has been submitted as an update for Fedora EPEL 5. http://admin.fedoraproject.org/updates/phpMyAdmin-2.11.9.6-2.el5

phpMyAdmin-2.11.9.6-3.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.

phpMyAdmin-2.11.9.6-3.el4 has been pushed to the Fedora EPEL 4 stable repository. If problems still persist, please make note of it in this bug report.
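The following is an added illustration of the issue discussed in this report; it is not phpMyAdmin code and not the attached patch. It contrasts using `blowfish_secret` directly as the cipher key with deriving a fixed-length key by hashing, and includes a config check against the 46-character limit quoted from Documentation.html. The 56-byte Blowfish key maximum comes from the cipher specification, not from this page; the function names are this example's own.

```php
<?php
// Added illustration (not phpMyAdmin's or the patch's code): why an unhashed
// blowfish_secret breaks past the documented limit, and how hashing removes
// the dependency on the secret's length.

// Limit quoted from phpMyAdmin's Documentation.html in this bug report.
const PMA_DOCUMENTED_SECRET_MAX = 46;
// Blowfish accepts keys up to 56 bytes (448 bits); from the cipher spec.
const BLOWFISH_MAX_KEY_BYTES = 56;

// Pattern described in the report: the configured string becomes the key
// unmodified. The exception stands in for the cipher rejecting the key, so
// an over-long secret makes cookie authentication fail.
function keyUsedDirectly(string $secret): string
{
    if (strlen($secret) > BLOWFISH_MAX_KEY_BYTES) {
        throw new LengthException('blowfish_secret exceeds the Blowfish key size');
    }
    return $secret;
}

// Hardened pattern: derive the key from the secret. SHA-256 yields 32 bytes,
// always a valid Blowfish key length, so any secret length is accepted.
function keyDerivedByHashing(string $secret): string
{
    return hash('sha256', $secret, true);
}

// Config check an administrator can run against the value in config.inc.php
// before deploying: returns findings, or an empty array when the value is OK.
function auditBlowfishSecret(string $secret): array
{
    $findings = [];
    if (strlen($secret) > PMA_DOCUMENTED_SECRET_MAX) {
        $findings[] = sprintf('blowfish_secret is %d chars; documented maximum is %d',
            strlen($secret), PMA_DOCUMENTED_SECRET_MAX);
    }
    return $findings;
}

// Constructed sample: a 64-character secret, longer than both limits.
$longSecret = str_repeat('abcdefgh', 8);
print_r(auditBlowfishSecret($longSecret));
try {
    keyUsedDirectly($longSecret);
} catch (LengthException $e) {
    echo 'direct use: ', $e->getMessage(), PHP_EOL;
}
echo 'hashed key length: ', strlen(keyDerivedByHashing($longSecret)), PHP_EOL;
```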