[SECURITY] Fedora EPEL 6 Update: phpMyAdmin-4.0.10.1-1.el6

updates at fedoraproject.org
Thu Aug 7 11:46:21 UTC 2014


--------------------------------------------------------------------------------
Fedora EPEL Update Notification
FEDORA-EPEL-2014-1940
2014-07-20 17:21:03
--------------------------------------------------------------------------------

Name        : phpMyAdmin
Product     : Fedora EPEL 6
Version     : 4.0.10.1
Release     : 1.el6
URL         : http://www.phpmyadmin.net/
Summary     : Handle the administration of MySQL over the World Wide Web
Description :
phpMyAdmin is a tool written in PHP intended to handle the administration of
MySQL over the World Wide Web. Most frequently used operations are supported
by the user interface (managing databases, tables, fields, relations, indexes,
users, permissions), while you still have the ability to directly execute any
SQL statement.

Features include an intuitive web interface, support for most MySQL features
(browse and drop databases, tables, views, fields and indexes, create, copy,
drop, rename and alter databases, tables, fields and indexes, maintenance
server, databases and tables, with proposals on server configuration, execute,
edit and bookmark any SQL-statement, even batch-queries, manage MySQL users
and privileges, manage stored procedures and triggers), import data from CSV
and SQL, export data to various formats: CSV, SQL, XML, PDF, OpenDocument Text
and Spreadsheet, Word, Excel, LATEX and others, administering multiple servers,
creating PDF graphics of your database layout, creating complex queries using
Query-by-example (QBE), searching globally in a database or a subset of it,
transforming stored data into any format using a set of predefined functions,
like displaying BLOB-data as image or download-link and much more...

--------------------------------------------------------------------------------
Update Information:

phpMyAdmin 4.0.10.1 (2014-07-17)
================================

- XSS injection due to unescaped table name (triggers)
- XSS in AJAX confirmation messages 


phpMyAdmin 4.0.10.0 (2013-12-04)
================================

- Clicking database name in query window opens a new tab
- Wrong page is shown after editing; also, do not show a modal dialog for multi-row edit
- PHP NavigationTree error when paging through list
- Support A10 Networks load balancer
- Row deleting isn't binlogs friendly
- Setup script does not recognize manually-configured server
- Events page says no privileges with ALL PRIVILEGES


phpMyAdmin 4.0.9.0 (2013-11-04)
===============================

- Can't edit updatable view when searching
- Missing refresh by deleting databases
- Drizzle server charset notice
- Filtering database names includes empty groupings
- Does not display or manipulate bit(64) fields appropriately
- Unneeded navi panel refresh
- SSL redirects to port 80
- DROP DATABASE displays wrong database name
- Running delete query asks for confirmation but says it was already executed
- Accessibility: Images without Alt nor title attribute


phpMyAdmin 4.0.8.0 (2013-10-06)
===============================

- Rename view is not working
- Interaction between linkified fields and grid editing
- Table grouping isn't implemented properly
- Browser tries to remember wrong password when creating new user
- Edit Index on big table doesn't show "Loading" or any message
- Default table tab is ignored
- Server/library difference warning: setting is ignored
- Table tree group strategy
- ALTER TABLE ORDER BY and InnoDB
- Tracking report: cannot delete a statement
- Drizzle navigation doesn't expand
- GIS column editor: point not displayed
- Drizzle tables in navigation are shown as views
- NUL symbols added to the end of database dump file
- More disappears in table Structure
- Multi-row edit doesn't clear values when checking NULL


phpMyAdmin 4.0.7.0 (2013-09-23)
===============================

- Sorting in database overview with statistics doesn't work
- Handle the situation where PHP_SELF is not set
- Overwrite existing file not obeyed
- Database-specific privileges are not copied when cloning user
- Error handling in case MySQL extension is missing
- Moving Columns will alter column definition
- Insert ignore option does not work
- Downloading BLOB downloads page template
- Clicking on table name in view of information_schema redirects to wrong page
- Copy Table Add AUTO_INCREMENT value checkbox not working
- MySQL server version at index.php incorrect w/ controlhost
- Import error: Class 'ImportOds' not found
- Missing DROP VIEW button


phpMyAdmin 4.0.6.0 (2013-09-05)
===============================

- Call to undefined function mb_detect_encoding (clarify the doc)
- Missing hints when changing a column's structure
- Cannot select foreign value in Search
- gzip export is not actually compressed with mod_deflate
- query analysis doesn't launch in status monitor
- Add pmahomme icon credits (FamFamFam silk icon set)
- Table structure statistics "Space usage" caption too small for l10n
- Wrong tabindex when inserting rows
- varchar field not truncated in table browse mode
- Opening database should expand it in the navigation menu
- Removed ShowTooltip directive
- Exporting huge Tables causes memory-Problems


phpMyAdmin 4.0.5.0 (2013-08-04)
===============================

- Not detected configuration storage
- Pressing enter in the filter field reloads page
- Cannot insert in this table (PHP < 5.4)
- Reloading privileges does not update the interface
- NavigationBarIconic config not honored
- Call to undefined function mb_detect_encoding
- Analyze option not shown for InnoDB tables
- Forcing a storage engine for configuration storage
- Incorrect Drizzle 7 detection
- Create database if not exists (export): add an option to the interface to enable generating CREATE DATABASE and USE (false by default)
- Crash on CSV file import
- Statistic Monitor shows only last 3 digits in graph
- Non-permanent SQL history not working
- Transformations for text/plain on a BLOB column
- Improved protection against cross framing, see PMASA-2013-10
- Reinstated configuration directive: AllowThirdPartyFraming


phpMyAdmin 4.0.4.0 (2013-06-17)
===============================

- Using DefaultTabDatabase in NavigationTree for Database Click
- Avoid Suhosin warning when in simulation mode
- Row Statistics and Space usage bugs
- Only display "table has no unique column" message when applicable
- NavigationBarIconic config not honored
- Default language wrong with zh-TW
- Call to undefined function PMA_isSuperuser() if default server is not set
- Ctrl/shift + click opens links in same window
- Import using https does not work
- Missing removeCRLF option in ExportCsv and ExportExcel plugins
- Drop not working Visio schema export.
- Better handling of invalid ODS documents
- Number of pages
- User privileges, database name unescaped


phpMyAdmin 4.0.3.0 (2013-06-05)
===============================

- Recent tables list always empty
- Do not translate "Open Document" in export settings
- List of tables is missing after expanding in the navigation frame
- Warnings about reserved word for many non reserved words
- Exporting row selection, resulted by ORDER BY query
- Cookies must be enabled past this point
- "Browse foreign values" search filter / page selector not working
- NOW() function incorrectly selected (partial regression)
- Javascript execution vulnerability in Create view, reported by Maxim Rupp (see PMASA-2013-6)


phpMyAdmin 4.0.2.0 (2013-05-24)
===============================

- Cannot browse when table name contains keyword "call"
- Center loading indicator for navigation refresh, related to bug #3920
- Table sorting in navigation panel is case-sensitive
- Import of CSV file (Replace table data with file) with duplicate values
- Undefined variables, function parameter problems
- Structure not refreshed after column drop
- View is not updatable
- PropertiesIconic not honored
- Databases to choose for specific privileges show up escaped
- Export database with empty table as a php array, does not produce valid PHP
- Query profiler chart not loading from SQL Query page
- Missing CSV import option "Do not abort on INSERT error"
- Missing Operations>Table options>AUTO_INCREMENT
- Missing CREATE DATABASE statement when exporting at database level
- Show warning when CSV file does not contain data for all columns
- Missing Sql Query after modify structure
- Server export problems
- CountTables directive is deprecated


phpMyAdmin 4.0.1.0 (2013-05-14)
===============================

- Import broken for CSV using LOAD DATA
- When login fails and error display is active, login data is displayed
- Web server upload directory import fails
- Server upload folder import file name missing in success message
- Add retry button on connection failure with config auth
- Provide feedback if no columns selected for multi-submit
- Incorrect select field change on ctrl key navigation in Firefox
- display_binary_as_hex option causes unexpected behavior
- Git commit links to Github missing
- CSP WARN in Firefox console
- Setup script warning for config auth (stored login data) shows link BBcode
- Fixed getting BLOB data
- Custom Exporting exports all databases
- Import of CSV File to selected table doesn't work
- Browsing an empty table should not display its Structure
- Calendar widget improperly redirects to home
- Missing scrollbar (original theme)
- Add tcpdf path to vendor_config.php
- Bug fix compat with tcpdf >= 6.0 (tested with 6.0.012)


phpMyAdmin 4.0.0
================

- HTML frames are gone and the navigation panel now presents a tree.
- This version requires Javascript.
- Many bug fixes and smaller new features.
- Documentation has a new look and contains an index.

--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #989660 - CVE-2013-4998 CVE-2013-4999 CVE-2013-5000 phpMyAdmin: Multiple full path disclosure flaws (PMASA-2013-12)
        https://bugzilla.redhat.com/show_bug.cgi?id=989660
  [ 2 ] Bug #989668 - CVE-2013-5003 phpMyAdmin: SQL injection leading to 'control user' role privilege escalation (PMASA-2013-15)
        https://bugzilla.redhat.com/show_bug.cgi?id=989668
  [ 3 ] Bug #993613 - CVE-2013-5029 phpMyAdmin: ClickJacking protection can be bypassed (PMASA-2013-10)
        https://bugzilla.redhat.com/show_bug.cgi?id=993613
  [ 4 ] Bug #1067713 - CVE-2014-1879 phpMyAdmin: XSS in import.php
        https://bugzilla.redhat.com/show_bug.cgi?id=1067713
  [ 5 ] Bug #1117600 - CVE-2014-4348 phpMyAdmin: Self-XSS due to unescaped HTML output in recent/favorite tables navigation
        https://bugzilla.redhat.com/show_bug.cgi?id=1117600
  [ 6 ] Bug #1117601 - CVE-2014-4349 phpMyAdmin: Self-XSS due to unescaped HTML output in navigation items hiding feature
        https://bugzilla.redhat.com/show_bug.cgi?id=1117601
--------------------------------------------------------------------------------

This update can be installed with the "yum" update programs.  Use
su -c 'yum update phpMyAdmin' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
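The notice gives the fixed build as 4.0.10.1-1.el6, but it does not say how to confirm that a host actually carries it. The following is an added example, not part of the Fedora notice: a small POSIX sh helper that compares an installed phpMyAdmin VERSION-RELEASE string against the fixed build from this advisory and reports whether the update is still needed. The FIXED_EVR value comes from the notice; the sample inputs fed to it are constructed, and the rpm query at the end is only run when rpm exists on the host.

```shell
#!/bin/sh
# Added example, not part of the Fedora EPEL notice: report whether an
# installed phpMyAdmin build is older than the fixed 4.0.10.1-1.el6 from the
# advisory. The version part is compared field by field; when the upstream
# versions match, the leading numeric field of the release is compared.

FIXED_EVR="4.0.10.1-1.el6"   # taken from the advisory header

# version_lt A B: exit 0 when dotted numeric version A is older than B.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"          # leading field of each
        [ "$a" = "$ai" ] && a="" || a="${a#*.}"
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai="${ai:-0}"; bi="${bi:-0}"          # missing field counts as 0
        if [ "$ai" -lt "$bi" ]; then return 0; fi
        if [ "$ai" -gt "$bi" ]; then return 1; fi
    done
    return 1                                  # equal
}

# needs_update VERSION-RELEASE: prints "yes" if that build predates FIXED_EVR.
needs_update() {
    ver="${1%%-*}"; rel="${1#*-}"
    fver="${FIXED_EVR%%-*}"; frel="${FIXED_EVR#*-}"
    if version_lt "$ver" "$fver"; then echo yes; return; fi
    if version_lt "$fver" "$ver"; then echo no; return; fi
    # Same upstream version: only the numeric release field decides.
    if [ "${rel%%.*}" -lt "${frel%%.*}" ]; then echo yes; else echo no; fi
}

# Constructed sample values standing in for what rpm -q would report.
needs_update "4.0.10.0-1.el6"   # yes
needs_update "4.0.10.1-1.el6"   # no

# On a real EL6 host, query the installed package (skipped if rpm is absent
# or phpMyAdmin is not installed).
if command -v rpm >/dev/null 2>&1 && rpm -q phpMyAdmin >/dev/null 2>&1; then
    needs_update "$(rpm -q --qf '%{VERSION}-%{RELEASE}' phpMyAdmin)"
fi
```

The comparison deliberately treats only the numeric release field, so "1.el6" and "1.el6.1" compare equal; for anything beyond a quick fleet check, `rpm --eval` or `rpmdev-vercmp` implement the full RPM EVR ordering.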

All packages are signed with the Fedora EPEL GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------

