Date: Fri, 12 May 2006 19:17:47 +0100 (BST)
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/97185: [maintainer] databases/phpmyadmin -- security update to 2.8.0.4
Message-ID: <200605121817.k4CIHlbR020703@happy-idiot-talk.infracaninophile.co.uk>
Resent-Message-ID: <200605121820.k4CIKGDJ069262@freefall.freebsd.org>
>Number: 97185
>Category: ports
>Synopsis: [maintainer] databases/phpmyadmin -- security update to 2.8.0.4
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Fri May 12 18:20:16 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator: Matthew Seaman
>Release: FreeBSD 4.11-STABLE i386
>Organization: Infracaninophile
>Environment:
System: FreeBSD happy-idiot-talk.infracaninophile.co.uk 4.11-STABLE FreeBSD 4.11-STABLE #102: Sat Apr 1 16:45:01 BST 2006 root@happy-idiot-talk.infracaninophile.co.uk:/usr/obj/usr/src/sys/HAPPY-IDIOT-TALK i386
>Description:
Release notes are at:
https://sourceforge.net/project/shownotes.php?release_id=416383&group_id=23067

i) Update to version 2.8.0.4 to patch some security holes. See CVE-2006-2031
   http://secunia.com/advisories/19659
   http://pridels.blogspot.com/2006/04/phpmyadmin-xss-vuln.html
ii) Provide a little guidance on how to get phpMyAdmin installed with PHP5
iii) Provide a little more guidance on how to configure Apache to work with phpMyAdmin.
>How-To-Repeat:
>Fix:
--- phpmyadmin.diff begins here ---
diff -Nur /usr/ports/databases/phpmyadmin/Makefile phpmyadmin/Makefile --- /usr/ports/databases/phpmyadmin/Makefile Thu Apr 6 20:44:20 2006 +++ phpmyadmin/Makefile Fri May 12 19:07:22 2006 @@ -6,7 +6,7 @@ # PORTNAME= phpMyAdmin -DISTVERSION= 2.8.0.3 +DISTVERSION= 2.8.0.4 CATEGORIES= databases www MASTER_SITES= ${MASTER_SITE_SOURCEFORGE} MASTER_SITE_SUBDIR= phpmyadmin 
@@ -100,6 +100,11 @@ ${ECHO_MSG} "" ${ECHO_MSG} "Note that selecting the MYSQLI option will only work" ${ECHO_MSG} "with PHP5 and MySQL 4.1.x" + ${ECHO_MSG} "" + ${ECHO_MSG} "If you want to use PHP5, for best results, please" + ${ECHO_MSG} "install lang/php5 before attempting to install" + ${ECHO_MSG} "databases/phpmyadmin" + ${ECHO_MSG} "" post-patch: ${CP} ${FILESDIR}/${CFGFILE}.sample ${WRKSRC}/${CFGFILE}.sample diff -Nur /usr/ports/databases/phpmyadmin/distinfo phpmyadmin/distinfo --- /usr/ports/databases/phpmyadmin/distinfo Thu Apr 6 20:44:20 2006 +++ phpmyadmin/distinfo Fri May 12 18:40:28 2006 @@ -1,3 +1,3 @@ -MD5 (phpMyAdmin-2.8.0.3.tar.bz2) = 87ee2e17c9381e969c8f740242220e29 -SHA256 (phpMyAdmin-2.8.0.3.tar.bz2) = 89a15217b9b090ec01e1a4b90c90b2df2ac6b6e192c64385c816d33cc7efaff0 -SIZE (phpMyAdmin-2.8.0.3.tar.bz2) = 2011518 +MD5 (phpMyAdmin-2.8.0.4.tar.bz2) = f7bfa65e72a78a96850799fca6bb70ca +SHA256 (phpMyAdmin-2.8.0.4.tar.bz2) = 0002f8b93a9c4d2c18c0cb193065840fecf0470e7123c1a17dd73c1ad4d47273 +SIZE (phpMyAdmin-2.8.0.4.tar.bz2) = 1993879 diff -Nur /usr/ports/databases/phpmyadmin/files/pkg-message.in phpmyadmin/files/pkg-message.in --- /usr/ports/databases/phpmyadmin/files/pkg-message.in Sun Mar 6 10:48:47 2005 +++ phpmyadmin/files/pkg-message.in Fri May 12 19:08:23 2006 @@ -6,7 +6,16 @@ Please edit config.inc.php to suit your needs. To make phpMyAdmin available through your web site, I suggest -that you add the following to httpd.conf: +that you add something like the following to httpd.conf: Alias /phpmyadmin/ "%%PREFIX%%/%%MYADMDIR%%/" + + <Directory "%%PREFIX%%/%%MYADMDIR%%/"> + Options none + AllowOverride Limit + + Order Deny, Allow + Deny from all + Allow from 127.0.0.1 .example.com + </Directory> --- phpmyadmin.diff ends here --- >Release-Note: >Audit-Trail: >Unformatted:
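Review bot: The ECHO_MSG lines added in the second Makefile hunk (@@ -100,6 +100,11 @@) tell the user to install lang/php5 first "for best results" but never say what goes wrong otherwise, so the reader cannot tell whether the ordering matters for them. Suggest adding one line that names the consequence of installing databases/phpmyadmin before lang/php5, next to the existing MYSQLI note.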
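Review bot: The new MD5, SHA256 and SIZE values in the distinfo hunk are the only integrity anchor for phpMyAdmin-2.8.0.4.tar.bz2, and here they arrive inside an e-mailed patch for a security update. Before committing, regenerate them from a freshly fetched distfile (make makesum) and compare them with the three "+" lines rather than applying the values as submitted.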
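Review bot: In the files/pkg-message.in hunk, "Order Deny, Allow" has a space after the comma, and Apache's Order directive only accepts its keywords separated by a comma with no whitespace, so a user who pastes the block as shown gets a configuration error instead of the intended restriction; it should read "Order Deny,Allow". In the same Directory block, "AllowOverride Limit" permits a .htaccess file in that directory to change the Order/Deny/Allow settings, so "AllowOverride None" would keep the access restriction fixed in httpd.conf. The message could also say that ".example.com" on the "Allow from" line is a placeholder to be replaced with the site's own domain.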