Red Hat Bugzilla – Bug 508879
CVE-2009-2284 phpMyAdmin: XSS: Insufficient output sanitizing in bookmarks (PMASA-2009-5)
Last modified: 2009-07-24 19:12:52 EDT
Description of problem:
Welcome to the first security release for phpMyAdmin 3.2.0. Details will
follow on http://phpmyadmin.net in the Security section (see PMASA-2009-5).
Version-Release number of selected component (if applicable):
For 3.x: versions before 22.214.171.124.
-> Affects all active Fedora branches.
Package: phpMyAdmin-126.96.36.199-1.fc12 Tag: dist-f12 Status: complete
Package: phpMyAdmin-188.8.131.52-1.fc11 Tag: dist-f11-updates-candidate Status: complete
Package: phpMyAdmin-184.108.40.206-1.fc10 Tag: dist-f10-updates-candidate Status: complete
Package: phpMyAdmin-220.127.116.11-1.fc9 Tag: dist-f9-updates-candidate Status: complete
Cross-site scripting (XSS) vulnerability in phpMyAdmin before 18.104.22.168
allows remote attackers to inject arbitrary web script or HTML via a
crafted SQL bookmark.
Robert, does this need fixing in EPEL (with 2.x phpMyAdmin)?
Ah, upstream advisory says "previous versions are not.". Change to sql.php is in the code not in 2.x, change in libraries/common.lib.php seems applicable, but given the upstream statement, probably not usable without the sql.php problem...
phpMyAdmin-22.214.171.124-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
phpMyAdmin-126.96.36.199-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
phpMyAdmin-188.8.131.52-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
Thomas, isn't that done and can be closed?
If not fix is needed for 2.x in EPEL, sure, feel free to close this.
Closing, because according to upstream advisory:
For 2.11.x: versions are not affected.
For 3.x: All 3.x releases on which the "bookmarks" feature is active are affected.