| Summary: | phpmyadmin does not work and is missing an update for security issues | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | Jacques Pronchery <jacques.pronchery> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | normal | | |
| Priority: | Normal | CC: | davidwhodgins, gerdroscher, lists.jjorge, luigiwalser, stormi-mageia, sysadmin-bugs, tmb |
| Version: | 2 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | i586 | | |
| OS: | Linux | | |
| Whiteboard: | MGA1TOO MGA2-64-OK MGA2-32-OK MGA1-32-OK MGA1-64-OK | | |
| Source RPM: | phpmyadmin-3.5.1-2.mga3 | CVE: | |
| Status comment: | | | |
| Bug Depends on: | | | |
| Bug Blocks: | 6954 | | |

Description
Jacques Pronchery
2012-07-30 14:02:28 CEST
It probably needs to be updated for the new configuration file paths in the new Apache 2.4.x in Cauldron.

It should also be updated to 3.5.2.1, a security update. I'll let you decide whether to issue an update for the stable releases.

The upstream security advisory hasn't been posted yet, but the release announcement has been:
http://www.phpmyadmin.net/home_page/news.php#phpMyAdmin_3.5.2.1_is_released
http://www.phpmyadmin.net/home_page/security/PMASA-2012-3.php

CC: (none) => luigiwalser

Manuel Hiebel
2012-08-05 01:15:35 CEST
Blocks: (none) => 6954

Now another security release has been issued, 3.5.2.2.
http://www.phpmyadmin.net/home_page/news.php#phpMyAdmin_3.4.11.1_and_3.5.2.2_are_released
http://www.phpmyadmin.net/home_page/security/PMASA-2012-4.php

Component: RPM Packages => Security

I am back from the beach, I'll provide update ASAP.

Status: NEW => ASSIGNED

I provide here updates for MGA1 and MGA2. Please tell me if I should open 2 new bug reports, I can't find what was decided about that in our policy.

Advisory:
========================
Updated phpmyadmin package fixes bugs and security vulnerabilities:

- [security] Fixed XSS vulnerabilities, see PMASA-2012-4
- bug #3521416 [interface] JS error when editing index
- bug #3521313 [core] Call to undefined function __()
- bug #3521016 [edit] NOW() function incorrectly selected
- bug [GUI] Invalid HTML code on transformation_overview.php
- bug #3522930 [browse] Missing validation in Ajax mode
- bug Fix popup message on build SQL of import
- bug #3523499 [core] Make X-WebKit-CSP work better
- replace Highcharts with jqplot for query profiling, zoom search
- bug #3531584 [interface] No form validation in change password dialog
- bug #3531585 [interface] Broken password validation in copy user form
- bug #3531586 [interface] Add user form prints JSON when user presses enter
- bug #3534121 [config] duplicate line in config.sample.inc.php
- bug #3534311 [interface] Grid editing incorrectly parses ENUM/SET values
- bug #3510196 [core] More clever URL rewriting with ForceSSL
========================

Updated packages in core/updates_testing:
========================
phpmyadmin-3.5.2.2-1.mga2
phpmyadmin-3.5.2.2-1.mga1

from phpmyadmin-3.5.2.2-1.mga[1-2].src.rpm

Sorry it is phpmyadmin-3.5.2.2-1.1.mga2 as a subrel was forgotten.

Assignee: lists.jjorge => qa-bugs

One bug report for both updates is ok.

CC: (none) => stormi

Testing on Mageia 2 x86_64, normal operations (connect, browse databases, query...): seems ok.

Whiteboard: MGA1TOO => MGA1TOO MGA2-64-OK

Hmm, newer phpmyadmin uses php-mysqli in default configuration file, but the package requires php-mysql. Isn't there a mismatch?

Whiteboard: MGA1TOO MGA2-64-OK => MGA1TOO feedback MGA2-64-OK?

Testing is complete on Mageia 2 i586.

CC: (none) => gerdroscher

(In reply to comment #8)
> Hmm, newer phpmyadmin uses php-mysqli in default configuration file, but the
> package requires php-mysql. Isn't there a mismatch?

I must have made a mistake somewhere. The requires is there.

Whiteboard: MGA1TOO feedback MGA2-64-OK? MGA2-32-OK => MGA1TOO MGA2-64-OK MGA2-32-OK

For Mageia I'm not mistaken: phpmyadmin complains that it doesn't find the mysqli extension, so the requires are not ok.

Whiteboard: MGA1TOO MGA2-64-OK MGA2-32-OK => MGA1TOO MGA2-64-OK MGA2-32-OK feedback

(In reply to comment #11)
> For Mageia I'm not mistaken: phpmyadmin complains that it doesn't find the
> mysqli extension, so the requires are not ok.

Mageia 1

Adding José in CC list.

The updated mga1 package seems to need a require on php-mysqli in the same way as mga2 did with the newer phpmyadmin in bug 6187.

Could you have another look please José.

CC: (none) => lists.jjorge

You are right. I just submitted phpmyadmin-3.5.2.2-1.1.mga1 with the needed require.

Samuel Verschelde
2012-08-25 08:49:26 CEST
Whiteboard: MGA1TOO MGA2-64-OK MGA2-32-OK feedback => MGA1TOO MGA2-64-OK MGA2-32-OK

Testing complete on Mageia 1 i586 and x86-64.

Since php-mysqli is already in Mageia 1 Core Updates, it will not require linking.

Could someone from the sysadmin team push the srpm
phpmyadmin-3.5.2.2-1.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
phpmyadmin-3.5.2.2-1.1.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory:
Updated phpmyadmin package fixes bugs and security vulnerabilities:

- [security] Fixed XSS vulnerabilities, see PMASA-2012-4
- bug #3521416 [interface] JS error when editing index
- bug #3521313 [core] Call to undefined function __()
- bug #3521016 [edit] NOW() function incorrectly selected
- bug [GUI] Invalid HTML code on transformation_overview.php
- bug #3522930 [browse] Missing validation in Ajax mode
- bug Fix popup message on build SQL of import
- bug #3523499 [core] Make X-WebKit-CSP work better
- replace Highcharts with jqplot for query profiling, zoom search
- bug #3531584 [interface] No form validation in change password dialog
- bug #3531585 [interface] Broken password validation in copy user form
- bug #3531586 [interface] Add user form prints JSON when user presses enter
- bug #3534121 [config] duplicate line in config.sample.inc.php
- bug #3534311 [interface] Grid editing incorrectly parses ENUM/SET values
- bug #3510196 [core] More clever URL rewriting with ForceSSL
- added missing requires for php-mysqli

https://bugs.mageia.org/show_bug.cgi?id=6905

Keywords: (none) => validated_update

References:
http://www.phpmyadmin.net/home_page/security/PMASA-2012-3.php
http://www.phpmyadmin.net/home_page/security/PMASA-2012-4.php

Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0240

Status: ASSIGNED => RESOLVED