Multiple flaws were reported in versions of phpMyAdmin prior to 3.4.6. The first is a path disclosure due to insufficient URL parameter validation [1] (PMASA-2011-15, CVE-2011-3646). The second is an XSS flaw in setup.php where crafted values entered in the setup interface can produce an XSS; if the configuration directory exists and is writable (non-default, not recommended), the XSS payload can be saved to the directory [2] (PMASA-2011-16, CVE-2011-4064). Current Fedora and EPEL 5 and 6 contain phpMyAdmin 3.4.5, which is vulnerable to these flaws.

[1] http://www.phpmyadmin.net/home_page/security/PMASA-2011-15.php
[2] http://www.phpmyadmin.net/home_page/security/PMASA-2011-16.php
Created phpMyAdmin tracking bugs for this issue
Affects: fedora-all [bug 746882]
Affects: epel-6 [bug 746884]

Created phpMyAdmin3 tracking bugs for this issue
Affects: epel-5 [bug 746883]
phpMyAdmin3-3.4.7-1.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
phpMyAdmin-3.4.7-1.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
phpMyAdmin-3.4.7-1.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
phpMyAdmin-3.4.7-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
phpMyAdmin-3.4.7-1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.