Date:      Fri, 12 May 2006 19:17:47 +0100 (BST)
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   ports/97185: [maintainer] databases/phpmyadmin -- security update to 2.8.0.4
Message-ID:  <200605121817.k4CIHlbR020703@happy-idiot-talk.infracaninophile.co.uk>
Resent-Message-ID: <200605121820.k4CIKGDJ069262@freefall.freebsd.org>

>Number:         97185
>Category:       ports
>Synopsis:       [maintainer] databases/phpmyadmin -- security update to 2.8.0.4
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Fri May 12 18:20:16 GMT 2006
>Closed-Date:
>Last-Modified:
>Originator:     Matthew Seaman
>Release:        FreeBSD 4.11-STABLE i386
>Organization:
Infracaninophile
>Environment:
System: FreeBSD happy-idiot-talk.infracaninophile.co.uk 4.11-STABLE FreeBSD 4.11-STABLE #102: Sat Apr 1 16:45:01 BST 2006 root@happy-idiot-talk.infracaninophile.co.uk:/usr/obj/usr/src/sys/HAPPY-IDIOT-TALK i386


	
>Description:

Release notes are at:

    https://sourceforge.net/project/shownotes.php?release_id=416383&group_id=23067

i) Update to version 2.8.0.4 to patch some security holes.  See CVE-2006-2031

    http://secunia.com/advisories/19659
    http://pridels.blogspot.com/2006/04/phpmyadmin-xss-vuln.html

ii) Provide a little guidance on how to get phpMyAdmin installed with PHP5

iii) Provide a little more guidance on how to configure Apache to work
with phpMyAdmin.

>How-To-Repeat:
	
>Fix:

	

--- phpmyadmin.diff begins here ---
diff -Nur /usr/ports/databases/phpmyadmin/Makefile phpmyadmin/Makefile
--- /usr/ports/databases/phpmyadmin/Makefile	Thu Apr  6 20:44:20 2006
+++ phpmyadmin/Makefile	Fri May 12 19:07:22 2006
@@ -6,7 +6,7 @@
 #
 
 PORTNAME=	phpMyAdmin
-DISTVERSION=	2.8.0.3
+DISTVERSION=	2.8.0.4
 CATEGORIES=	databases www
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
 MASTER_SITE_SUBDIR=	phpmyadmin
@@ -100,6 +100,11 @@
 	${ECHO_MSG} ""
 	${ECHO_MSG} "Note that selecting the MYSQLI option will only work"
 	${ECHO_MSG} "with PHP5 and MySQL 4.1.x"
+	${ECHO_MSG} ""
+	${ECHO_MSG} "If you want to use PHP5, for best results, please"
+	${ECHO_MSG} "install lang/php5 before attempting to install"
+	${ECHO_MSG} "databases/phpmyadmin"
+	${ECHO_MSG} ""
 
 post-patch:
 	${CP} ${FILESDIR}/${CFGFILE}.sample ${WRKSRC}/${CFGFILE}.sample
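Review bot: The added ECHO_MSG lines tell the user to install lang/php5 first "for best results" but never say what goes wrong if they do not, so the advice is easy to ignore and hard to act on. Suggest one more line stating the consequence (for example, which PHP version the port pulls in when none is installed), so an administrator who sees this banner during a security update knows whether they need to stop and install PHP5 before continuing.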
diff -Nur /usr/ports/databases/phpmyadmin/distinfo phpmyadmin/distinfo
--- /usr/ports/databases/phpmyadmin/distinfo	Thu Apr  6 20:44:20 2006
+++ phpmyadmin/distinfo	Fri May 12 18:40:28 2006
@@ -1,3 +1,3 @@
-MD5 (phpMyAdmin-2.8.0.3.tar.bz2) = 87ee2e17c9381e969c8f740242220e29
-SHA256 (phpMyAdmin-2.8.0.3.tar.bz2) = 89a15217b9b090ec01e1a4b90c90b2df2ac6b6e192c64385c816d33cc7efaff0
-SIZE (phpMyAdmin-2.8.0.3.tar.bz2) = 2011518
+MD5 (phpMyAdmin-2.8.0.4.tar.bz2) = f7bfa65e72a78a96850799fca6bb70ca
+SHA256 (phpMyAdmin-2.8.0.4.tar.bz2) = 0002f8b93a9c4d2c18c0cb193065840fecf0470e7123c1a17dd73c1ad4d47273
+SIZE (phpMyAdmin-2.8.0.4.tar.bz2) = 1993879
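Review bot: The three replaced lines are the only integrity anchor for the 2.8.0.4 tarball fetched from the SourceForge mirrors, and nothing in the patch lets a reviewer confirm them. Before commit, regenerate distinfo from a fresh fetch and compare the SHA256 against a copy of phpMyAdmin-2.8.0.4.tar.bz2 obtained over a separate path, then note in the PR that this was done.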
diff -Nur /usr/ports/databases/phpmyadmin/files/pkg-message.in phpmyadmin/files/pkg-message.in
--- /usr/ports/databases/phpmyadmin/files/pkg-message.in	Sun Mar  6 10:48:47 2005
+++ phpmyadmin/files/pkg-message.in	Fri May 12 19:08:23 2006
@@ -6,7 +6,16 @@
 Please edit config.inc.php to suit your needs.
 
 To make phpMyAdmin available through your web site, I suggest
-that you add the following to httpd.conf:
+that you add something like the following to httpd.conf:
 
     Alias /phpmyadmin/ "%%PREFIX%%/%%MYADMDIR%%/"
+
+    <Directory "%%PREFIX%%/%%MYADMDIR%%/">
+	Options none
+	AllowOverride Limit
+	
+	Order Deny, Allow
+	Deny from all
+	Allow from 127.0.0.1 .example.com
+    </Directory>
 
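Review bot: The added line "Order Deny, Allow" has a space after the comma, and Apache's Order directive takes a single argument with the keywords separated only by a comma, so a user who pastes this block verbatim gets a configuration syntax error instead of the intended access restriction. It should read "Order Deny,Allow". Separately, "AllowOverride Limit" in the same block lets a .htaccess file under the phpMyAdmin directory supply its own Order/Allow/Deny directives and so loosen the "Deny from all" set here; "AllowOverride None" would be the safer default to suggest. The whitespace-only line between AllowOverride and Order can also be dropped.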
--- phpmyadmin.diff ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:


