Description of problem:
Welcome to the first security release for phpMyAdmin 3.2.0. Details will follow on http://phpmyadmin.net in the Security section (see PMASA-2009-5).

Version-Release number of selected component (if applicable):
For 3.x: versions before 3.2.0.1. -> Affects all active Fedora branches.
Package: phpMyAdmin-3.2.0.1-1.fc12 Tag: dist-f12 Status: complete
Package: phpMyAdmin-3.2.0.1-1.fc11 Tag: dist-f11-updates-candidate Status: complete
Package: phpMyAdmin-3.2.0.1-1.fc10 Tag: dist-f10-updates-candidate Status: complete
Package: phpMyAdmin-3.2.0.1-1.fc9 Tag: dist-f9-updates-candidate Status: complete
CVE-2009-2284: Cross-site scripting (XSS) vulnerability in phpMyAdmin before 3.2.0.1 allows remote attackers to inject arbitrary web script or HTML via a crafted SQL bookmark. http://www.phpmyadmin.net/home_page/security/PMASA-2009-5.php
Robert, does this need fixing in EPEL (with 2.x phpMyAdmin)?
Ah, upstream advisory says "previous versions are not.". Change to sql.php is in the code not in 2.x, change in libraries/common.lib.php seems applicable, but given the upstream statement, probably not usable without the sql.php problem...
phpMyAdmin-3.2.0.1-1.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
phpMyAdmin-3.2.0.1-1.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.
phpMyAdmin-3.2.0.1-1.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
Thomas, isn't that done and can be closed?
If no fix is needed for 2.x in EPEL, sure, feel free to close this.
Closing, because according to upstream advisory: For 2.11.x: versions are not affected. For 3.x: All 3.x releases on which the "bookmarks" feature is active are affected.
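The affected-version statement above (2.11.x not affected; 3.x before 3.2.0.1 affected when the "bookmarks" feature is active), turned into an inventory check. This is an added example written for this page, not code from the bug report or from the phpMyAdmin project; the function names, the inventory format and the sample hosts are assumptions. It also shows why the comparison must be numeric rather than a plain string comparison, which would rank "3.10.0" below "3.2.0.1".

```python
# Added example, not from the bug report or phpMyAdmin: apply the PMASA-2009-5 /
# CVE-2009-2284 affected-version rule to an inventory of hosts.
#   - 2.11.x releases are not affected (per the upstream advisory quoted above)
#   - 3.x releases before 3.2.0.1 are affected if the bookmarks feature is active
from typing import Dict, List, Tuple

FIXED_VERSION: Tuple[int, ...] = (3, 2, 0, 1)  # first fixed 3.x release per the advisory


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.2.0.1' into (3, 2, 0, 1) so that comparison is numeric, not lexical."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str, bookmarks_enabled: bool = True) -> bool:
    """True if this phpMyAdmin version falls under the advisory's affected range."""
    v = parse_version(version)
    if v[0] != 3:
        # The advisory only declares 3.x affected (and 2.11.x not affected).
        return False
    if v >= FIXED_VERSION:
        # Tuple comparison handles short versions: (3, 2, 0) < (3, 2, 0, 1).
        return False
    return bookmarks_enabled


def affected_hosts(inventory: Dict[str, Tuple[str, bool]]) -> List[str]:
    """Return the hosts whose (version, bookmarks_enabled) pair is affected, sorted."""
    return sorted(host for host, (ver, bm) in inventory.items() if is_affected(ver, bm))


# Constructed sample inventory (hypothetical hostnames): host -> (version, bookmarks on?)
SAMPLE_INVENTORY: Dict[str, Tuple[str, bool]] = {
    "db-admin-1.example": ("3.2.0", True),      # affected: pre-fix, bookmarks on
    "db-admin-2.example": ("3.2.0.1", True),    # fixed release
    "db-admin-3.example": ("3.1.5", False),     # pre-fix but bookmarks feature off
    "legacy.example": ("2.11.9.5", True),       # 2.11.x is not affected
    "db-admin-4.example": ("3.10.0", True),     # newer than 3.2.0.1 numerically
}

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: update to phpMyAdmin 3.2.0.1 or later")
```

Running the block prints only `db-admin-1.example`; note that a naive `"3.10.0" < "3.2.0.1"` string comparison would have wrongly flagged the 3.10.0 host as well.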