Date:      Fri, 25 Feb 2005 11:06:12 GMT
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        FreeBSD-gnats-submit@FreeBSD.org
Cc:        security-team@FreeBSD.org
Subject:   ports/78061: [ maintainer ] databases/phpmyadmin (security) update to 2.6.1.pl2
Message-ID:  <200502251106.j1PB6CLL014432@gravitas.thebunker.net>
Resent-Message-ID: <200502251110.j1PBAbfq051018@freefall.freebsd.org>


>Number:         78061
>Category:       ports
>Synopsis:       [ maintainer ] databases/phpmyadmin (security) update to 2.6.1.pl2
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Fri Feb 25 11:10:37 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Matthew Seaman
>Release:        FreeBSD 5.3-STABLE i386
>Organization:
Infracaninophile
>Environment:
System: FreeBSD gravitas.thebunker.net 5.3-STABLE FreeBSD 5.3-STABLE #7: Mon Feb 14 23:07:43 GMT 2005 root@gravitas.thebunker.net:/usr/obj/usr/src/sys/GRAVITAS i386


	
>Description:

Update to 2.6.1.pl2  --- this supersedes PR ports/78011

Update to phpmyadmin version 2.6.1.pl1:

Release notes:

   http://www.phpmyadmin.net/home_page/downloads.php?relnotes=0

Announcement e-mail (quoted below) is at

   http://sourceforge.net/mailarchive/forum.php?thread_id=6674358&forum_id=2141
Patch level 1 of phpMyAdmin 2.6.1 fixes some security problems,
along with a few other bugs.
A more formal security alert will be posted when ready.

Meanwhile, the phpMyAdmin development team strongly advises an
upgrade to phpMyAdmin 2.6.1-pl1, and to also apply the following
security measures on your PHP installation (if feasible) by modifying
your php.ini configuration file (or virtual host settings):

- set register_globals to Off
- set display_errors to Off
- set log_errors to On
- define the path to your error log with the error_log directive

Both settings are recommended in the PHP documentation on a server
running in production. For example:
http://www.php.net/manual/en/security.errors.php
However, we suggest you review the impact of those changes before
applying them.

Meanwhile, work continues on the development version 2.6.2.



>How-To-Repeat:

>Fix:

	

--- phpmyadmin.diff begins here ---
diff -Nur /usr/ports/databases/phpmyadmin/Makefile phpmyadmin/Makefile
--- /usr/ports/databases/phpmyadmin/Makefile	Wed Jan 26 14:37:43 2005
+++ phpmyadmin/Makefile	Fri Feb 25 10:50:33 2005
@@ -6,10 +6,12 @@
 #
 
 PORTNAME=	phpMyAdmin
-DISTVERSION=	2.6.1
+PORTVERSION=	2.6.1.2
+#DISTVERSION=	2.6.1-pl2
 CATEGORIES=	databases www
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
 MASTER_SITE_SUBDIR=	phpmyadmin
+DISTNAME=	${PORTNAME}-${PORTVERSION:C/\.(.)$/-pl\1/}
 
 MAINTAINER=	m.seaman@infracaninophile.co.uk
 COMMENT=	A set of PHP-scripts to manage MySQL over the web
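Review bot: The `:C/\.(.)$/-pl\1/` modifier on the added DISTNAME line captures exactly one trailing character, so a two-digit patch level such as 2.6.1.10 would be rewritten to `2.6.1.1-pl0` instead of `2.6.1-pl10`; `DISTNAME=	${PORTNAME}-${PORTVERSION:C/\.([0-9]+)$/-pl\1/}` handles any patch level with the same result for single digits. The added `#DISTVERSION=	2.6.1-pl2` line is commented-out configuration that will confuse the next maintainer; either drop it or replace it with an intent comment such as `# PORTVERSION carries the upstream patch level as a fourth component; DISTNAME rebuilds the upstream -plN distfile name`. The reason for switching from DISTVERSION to PORTVERSION is not stated in the hunk — presumably so the package version compares as newer than 2.6.1 — and is worth confirming and recording in that comment.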
diff -Nur /usr/ports/databases/phpmyadmin/Makefile~ phpmyadmin/Makefile~
--- /usr/ports/databases/phpmyadmin/Makefile~	Thu Jan  1 01:00:00 1970
+++ phpmyadmin/Makefile~	Fri Feb 25 10:50:05 2005
@@ -0,0 +1,154 @@
+# New ports collection makefile for: phpMyAdmin
+# Date created:		19 Jan 2001
+# Whom:			nbm
+#
+# $FreeBSD: ports/databases/phpmyadmin/Makefile,v 1.25 2005/01/25 20:12:33 pav Exp $
+#
+
+PORTNAME=	phpMyAdmin
+PORTVERSION=	2.6.1.2
+DISTNAME=	${PORTNAME}-${PORTVERSION:C/\.(.)$/-pl\1/}
+#DISTVERSION=	2.6.1-pl2
+CATEGORIES=	databases www
+MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
+MASTER_SITE_SUBDIR=	phpmyadmin
+
+MAINTAINER=	m.seaman@infracaninophile.co.uk
+COMMENT=	A set of PHP-scripts to manage MySQL over the web
+
+USE_BZIP2=	yes
+NO_BUILD=	yes
+USE_PHP=	mysql pcre
+
+# Unfortunately can't make WITH_SUPHP part of the OPTIONS selection,
+# since it has to be processed before just about anything else.
+
+.if defined(WITH_SUPHP) && !defined(WITHOUT_SUPHP)
+
+PKGNAMESUFFIX=	-suphp
+RUN_DEPENDS+=	${LOCALBASE}/sbin/suphp:${PORTSDIR}/www/suphp
+WANT_PHP_CGI=	yes
+PKGINST_SKEL=	${PKGDIR}/pkg-install${PKGNAMESUFFIX}
+PKGINSTALL=	${WRKDIR}/pkg-install${PKGNAMESUFFIX}
+PKGDEINST_SKEL=	${PKGDIR}/pkg-deinstall${PKGNAMESUFFIX}
+PKGDEINSTALL=	${WRKDIR}/pkg-deinstall${PKGNAMESUFFIX}
+
+MYADMUSR?=	phpmyadm
+
+SED_SCRIPT=	-e 's,%%PREFIX%%,${PREFIX},g'     \
+		-e 's,%%MYADMDIR%%,${MYADMDIR},g' \
+		-e 's,%%MYADMUSR%%,${MYADMUSR},g' \
+		-e 's,%%MYADMGRP%%,${MYADMGRP},g'
+
+.else
+
+WANT_PHP_WEB=	yes
+
+.endif
+
+# Copy the way lang/php{4,5}-extensions deals with its OPTIONS -- avoids
+# problems with include of bsd.port.pre.mk
+
+OPTIONS=	BZ2	"bzip2 library support" on \
+		GD	"GD library support" on \
+		MYSQLI	"Improved MySQL support (PHP5, MySQL 4.1 only)" off \
+		OPENSSL	"OpenSSL support" on \
+		PDF	"PDFlib support (implies GD)" on \
+		ZLIB	"ZLIB support" on
+
+PORT_DBDIR?=	/var/db/ports
+LATEST_LINK=	${PORTNAME}${PKGNAMESUFFIX}
+OPTIONSFILE?=	${PORT_DBDIR}/${LATEST_LINK}/options
+
+.if exists(${OPTIONSFILE})
+.include "${OPTIONSFILE}"
+.endif
+
+# Options that default to on:
+.for opt in BZ2 GD OPENSSL PDF ZLIB
+.    if !defined(WITHOUT_${opt}) || defined(WITH_${opt})
+USE_PHP+=	${opt:L}
+.    endif
+.endfor
+
+# Options that default to off:
+.for opt in MYSQLI
+.    if defined(WITH_${opt}) && !defined(WITHOUT_${opt})
+USE_PHP+=	${opt:L}
+.    endif
+.endfor
+
+MSG_SKEL=	${PKGDIR}/pkg-message
+PKGMESSAGE=	${WRKDIR}/pkg-message
+
+# MYADMUSR is only used WITH_SUPHP
+MYADMDIR?=	www/phpMyAdmin
+MYADMGRP?=	${WWWGRP}
+CFGFILE=	config.inc.php
+
+PLIST=		${WRKDIR}/plist
+PLIST_SUB+=	MYADMDIR=${MYADMDIR} MYADMGRP=${MYADMGRP}
+
+.SILENT:
+
+do-build:
+	@${DO_NADA}
+
+pre-everything::
+	${ECHO_MSG} ""
+	${ECHO_MSG} "You may use the following additional build option:"
+	${ECHO_MSG} ""
+	${ECHO_MSG} "    WITH_SUPHP=yes   Install appropriately for use with"
+	${ECHO_MSG} "                     the www/suphp port [default: no]"
+	${ECHO_MSG} ""
+
+post-patch:
+	${MV} ${WRKSRC}/${CFGFILE} ${WRKSRC}/${CFGFILE}.sample
+	cd ${WRKSRC} ; \
+	${FIND} . ! -type d ! -name ${CFGFILE}.sample | ${SORT} | \
+	    ${SED} -e "s,^\.,%%MYADMDIR%%,"           >${PLIST} ; \
+	${CAT} ${PKGDIR}/pkg-plist-chunk             >>${PLIST} ; \
+	${FIND} . -type d | ${SORT} -r | ${SED} \
+	     -e "s,^\.$$,@unexec rmdir %D/%%MYADMDIR%% 2>/dev/null || true," \
+	     -e "s,^\.,@dirrm %%MYADMDIR%%,"         >>${PLIST}
+	${SED} -e 's,%%MYADMDIR%%,${MYADMDIR},g' \
+	       -e 's,%%PREFIX%%,${PREFIX},g'     \
+	       -e 's,%%PKGNAME%%,${PKGNAME},g' ${MSG_SKEL} > ${PKGMESSAGE}
+.if defined(WITH_SUPHP)
+	${SED} ${SED_SCRIPT} ${PKGINST_SKEL}   > ${PKGINSTALL}
+	${SED} ${SED_SCRIPT} ${PKGDEINST_SKEL} > ${PKGDEINSTALL}
+.endif
+
+pre-install:
+.if defined(WITH_SUPHP)
+	${SETENV} ${SCRIPTS_ENV} ${SH} ${PKGINSTALL} ${PKGNAME} PRE-INSTALL
+.endif
+
+do-install: install-app install-conf
+
+install-app:
+	cd ${WRKSRC} ; \
+	for src in $$( ${FIND} . ! -name .cvsignore ) ; do \
+	    dst=${PREFIX}/${MYADMDIR}$${src#.} ; \
+	    if ${TEST} -d $$src ; then \
+	        ${MKDIR} $$dst ; \
+	    else \
+	        ${INSTALL_DATA} $$src $$dst ; \
+	    fi \
+	done
+
+install-conf: install-app
+	cd ${PREFIX}/${MYADMDIR} ; \
+	${CHMOD} 0640 ${CFGFILE}.sample ; \
+	${CHGRP} ${MYADMGRP} ${CFGFILE}.sample ; \
+	if ${TEST} ! -f ${CFGFILE} ; then \
+	    ${CP} -p ${CFGFILE}.sample ${CFGFILE} ; \
+	fi
+
+post-install:
+.if defined(WITH_SUPHP)
+	${SETENV} ${SCRIPTS_ENV} ${SH} ${PKGINSTALL} ${PKGNAME} POST-INSTALL
+.endif
+	${CAT} ${PKGMESSAGE}
+
+.include <bsd.port.mk>
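Review bot: The entire `phpmyadmin/Makefile~` file section is an editor backup copy (trailing `~`) of the port Makefile and should not be in the submitted patch; applying it as-is would add a stray 154-line file to the port directory. Regenerate the diff after removing `Makefile~` (or exclude it from the `diff -Nur` run) so only the Makefile and distinfo hunks remain. Its header timestamp (10:50:05) predates the Makefile's (10:50:33) and its variable order differs (DISTNAME precedes the commented DISTVERSION line here, follows MASTER_SITE_SUBDIR in the real Makefile), so it appears to be an intermediate save rather than content worth keeping.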
diff -Nur /usr/ports/databases/phpmyadmin/distinfo phpmyadmin/distinfo
--- /usr/ports/databases/phpmyadmin/distinfo	Wed Jan 26 14:37:43 2005
+++ phpmyadmin/distinfo	Fri Feb 25 10:27:06 2005
@@ -1,2 +1,2 @@
-MD5 (phpMyAdmin-2.6.1.tar.bz2) = eaa23b48760f2b31a8725bf85b0acecd
-SIZE (phpMyAdmin-2.6.1.tar.bz2) = 1544628
+MD5 (phpMyAdmin-2.6.1-pl2.tar.bz2) = 787feeebe16ef7ab43e75e4046550da2
+SIZE (phpMyAdmin-2.6.1-pl2.tar.bz2) = 1541665
--- phpmyadmin.diff ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted:


