From m.seaman@infracaninophile.co.uk  Thu Jul  1 13:01:48 2004
Return-Path: <m.seaman@infracaninophile.co.uk>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 8BE4B16A4CE
	for <FreeBSD-gnats-submit@freebsd.org>; Thu,  1 Jul 2004 13:01:48 +0000 (GMT)
Received: from smtp.infracaninophile.co.uk (smtp.infracaninophile.co.uk [81.2.69.218])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 343EE43D39
	for <FreeBSD-gnats-submit@freebsd.org>; Thu,  1 Jul 2004 13:01:47 +0000 (GMT)
	(envelope-from m.seaman@infracaninophile.co.uk)
Received: from happy-idiot-talk.infracaninophile.co.uk (localhost.infracaninophile.co.uk [IPv6:::1])
	by smtp.infracaninophile.co.uk (8.12.11/8.12.11) with ESMTP id i61D0X2E067313
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 1 Jul 2004 14:00:33 +0100 (BST)
	(envelope-from matthew@happy-idiot-talk.infracaninophile.co.uk)
Received: (from matthew@localhost)
	by happy-idiot-talk.infracaninophile.co.uk (8.12.11/8.12.11/Submit) id i61D0XBo067312;
	Thu, 1 Jul 2004 14:00:33 +0100 (BST)
	(envelope-from matthew)
Message-Id: <200407011300.i61D0XBo067312@happy-idiot-talk.infracaninophile.co.uk>
Date: Thu, 1 Jul 2004 14:00:33 +0100 (BST)
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Reply-To: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [Maintainer update] databases/phpmyadmin security update to 2.5.7-pl1
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         68557
>Category:       ports
>Synopsis:       [Maintainer update] databases/phpmyadmin security update to 2.5.7-pl1
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jul 01 13:10:18 GMT 2004
>Closed-Date:    Thu Jul 01 23:51:28 GMT 2004
>Last-Modified:  Thu Jul 01 23:51:28 GMT 2004
>Originator:     Matthew Seaman
>Release:        FreeBSD 4.10-STABLE i386
>Organization:
Infracaninophile
>Environment:
System: FreeBSD happy-idiot-talk.infracaninophile.co.uk 4.10-STABLE FreeBSD 4.10-STABLE #77: Wed Jun 30 12:50:07 BST 2004 root@happy-idiot-talk.infracaninophile.co.uk:/usr/obj/usr/src/sys/HAPPY-IDIOT-TALK i386


	
>Description:

Security patch to version 2.5.7-pl1.  See

    http://sourceforge.net/forum/forum.php?forum_id=387635

    http://www.securityfocus.com/archive/1/367486/2004-06-28/2004-07-04/0

    There is a vulnerability in phpMyAdmin version 2.5.7.
    This vulnerability would allow a remote user to inject
    PHP code to be executed by the eval() function (in file left.php).
    However, this vulnerability only takes effect if the variable
    $cfg['LeftFrameLight'] is set to FALSE (in file config.inc.php).

>How-To-Repeat:
	
>Fix:

	

--- phpmyadmin.diff begins here ---
diff -Nur /usr/ports/databases/phpmyadmin/Makefile phpmyadmin/Makefile
--- /usr/ports/databases/phpmyadmin/Makefile	Thu Jun 10 09:51:41 2004
+++ phpmyadmin/Makefile	Thu Jul  1 13:50:03 2004
@@ -6,7 +6,8 @@
 #
 
 PORTNAME=	phpMyAdmin
-PORTVERSION=	2.5.7
+PORTVERSION=	2.5.7.1
+DISTNAME=	${PORTNAME}-${PORTVERSION:C/\.(.)$/-pl\1/}
 CATEGORIES=	databases www
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
 MASTER_SITE_SUBDIR=	phpmyadmin
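
Review bot: The added DISTNAME line sits directly under PORTVERSION, ahead of CATEGORIES and MASTER_SITES. The submitter's follow-up in the audit trail describes the revised patch as the one that satisfies portlint(1), and that revision places DISTNAME after MASTER_SITE_SUBDIR. Move the line there, and add a comment above it saying that the fourth PORTVERSION component maps to upstream's -plN suffix, since the Makefile otherwise gives no hint why 2.5.7.1 fetches a file named 2.5.7-pl1.
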
diff -Nur /usr/ports/databases/phpmyadmin/distinfo phpmyadmin/distinfo
--- /usr/ports/databases/phpmyadmin/distinfo	Thu Jun 10 09:51:41 2004
+++ phpmyadmin/distinfo	Thu Jul  1 13:43:54 2004
@@ -1,2 +1,2 @@
-MD5 (phpMyAdmin-2.5.7.tar.bz2) = f0f06811aa4f7c14e053ddd23002f40d
-SIZE (phpMyAdmin-2.5.7.tar.bz2) = 1121972
+MD5 (phpMyAdmin-2.5.7-pl1.tar.bz2) = 93b7c7f3dfcfd6df9c2ea26f31a51772
+SIZE (phpMyAdmin-2.5.7-pl1.tar.bz2) = 1123591
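
Review bot: MD5 is the only digest on the new distfile lines, and MD5 is not collision resistant, so it is a weak integrity check for a tarball shipped as a security fix. Where the ports framework accepts it, record a stronger digest such as SHA256 alongside the MD5 and SIZE lines.
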
--- phpmyadmin.diff ends here ---


>Release-Note:
>Audit-Trail:

From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: FreeBSD-gnats-submit@FreeBSD.org, freebsd-ports-bugs@FreeBSD.org
Cc:  
Subject: Re: ports/68557: [Maintainer update] databases/phpmyadmin security update to 2.5.7-pl1
Date: Thu, 1 Jul 2004 14:43:57 +0100

 --O5XBE6gyVG5Rl6Rj
 Content-Type: multipart/mixed; boundary="YZ5djTAD1cGYuMQK"
 Content-Disposition: inline
 
 
 --YZ5djTAD1cGYuMQK
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: inline
 Content-Transfer-Encoding: quoted-printable
 
 And here's a patch that will satisfy portlint(1).
 
 	Ooops.
 
 	Matthew
 
 -- 
 Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                       Savill Way
 PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
 Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
 
 --YZ5djTAD1cGYuMQK
 Content-Type: text/plain; charset=us-ascii
 Content-Disposition: attachment; filename="phpmyadmin.diff"
 Content-Transfer-Encoding: quoted-printable
 
 diff -Nur /usr/ports/databases/phpmyadmin/Makefile phpmyadmin/Makefile
 --- /usr/ports/databases/phpmyadmin/Makefile	Thu Jun 10 09:51:41 2004
 +++ phpmyadmin/Makefile	Thu Jul  1 14:39:03 2004
 @@ -6,10 +6,11 @@
  #
 =20
  PORTNAME=3D	phpMyAdmin
 -PORTVERSION=3D	2.5.7
 +PORTVERSION=3D	2.5.7.1
  CATEGORIES=3D	databases www
  MASTER_SITES=3D	${MASTER_SITE_SOURCEFORGE}
  MASTER_SITE_SUBDIR=3D	phpmyadmin
 +DISTNAME=3D	${PORTNAME}-${PORTVERSION:C/\.(.)$/-pl\1/}
 =20
  MAINTAINER=3D	m.seaman@infracaninophile.co.uk
  COMMENT=3D	A set of PHP-scripts to administer MySQL over the web
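
Review bot: The modifier on the added DISTNAME line, :C/\.(.)$/-pl\1/, rewrites whatever single character follows the last dot of PORTVERSION, so it only yields the right name while the version has a fourth, one-character component. A later plain release such as 2.5.8 would expand to phpMyAdmin-2.5-pl8, and a two-digit patch level would not match the pattern at all and would leave the name unchanged. Add a comment on the line saying it must be dropped or revised at the next version bump, or tighten the pattern so it only fires on a fourth component.
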
 diff -Nur /usr/ports/databases/phpmyadmin/distinfo phpmyadmin/distinfo
 --- /usr/ports/databases/phpmyadmin/distinfo	Thu Jun 10 09:51:41 2004
 +++ phpmyadmin/distinfo	Thu Jul  1 13:43:54 2004
 @@ -1,2 +1,2 @@
 -MD5 (phpMyAdmin-2.5.7.tar.bz2) =3D f0f06811aa4f7c14e053ddd23002f40d
 -SIZE (phpMyAdmin-2.5.7.tar.bz2) =3D 1121972
 +MD5 (phpMyAdmin-2.5.7-pl1.tar.bz2) =3D 93b7c7f3dfcfd6df9c2ea26f31a51772
 +SIZE (phpMyAdmin-2.5.7-pl1.tar.bz2) =3D 1123591
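
Review bot: The MD5 and SIZE values on the + lines arrive with no statement of what they were checked against, and this hunk is carried over unchanged from the first submission. Because the distfile is fetched from the mirrors named by MASTER_SITES in the Makefile, ask the submitter to say in the PR that the values were confirmed against the checksum upstream published for phpMyAdmin-2.5.7-pl1.tar.bz2, or have the committer confirm them from an independent fetch before commit.
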
 
 --YZ5djTAD1cGYuMQK--
 
 --O5XBE6gyVG5Rl6Rj
 Content-Type: application/pgp-signature
 Content-Disposition: inline
 
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1.2.4 (FreeBSD)
 
 iD8DBQFA5BUdiD657aJF7eIRAniEAJwKGpCpV9nhIQTevq5sbH6T9bByWACfZzNt
 KHx5SuwndiPwHZkMrFb5vSM=
 =2yu+
 -----END PGP SIGNATURE-----
 
 --O5XBE6gyVG5Rl6Rj--
State-Changed-From-To: open->closed 
State-Changed-By: pav 
State-Changed-When: Thu Jul 1 23:51:21 GMT 2004 
State-Changed-Why:  
Committed, thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=68557 
>Unformatted:
