[Secure-testing-team] Re: phpMyAdmin proposed patch

Thijs Kinkhorst thijs at debian.org
Fri Jan 12 16:07:13 CET 2007


tags 404744 -sarge
thanks

On Sat, 2007-01-06 at 18:48 -0500, Marc Delisle wrote:
> Hi Thijs and Stefan,
> here is the change I suggest in libraries/session.inc.php, feel free to 
> send me your feedback.

I've uploaded this patch, and the JavaScript one to unstable.

For stable/sarge this doesn't apply, since this doesn't use sessions at
all (phpMyAdmin 2.6.2). Marking as such.

Thanks for your help, Marc!

The XSS via the index.php JavaScript also does not apply to sarge since
that is not present there. We previously agreed that PMASA-2006-7,
PMASA-2006-8, PMASA-2006-9 do not apply to sarge or are not in need of a
security release.

I think this settles all open issues for sarge and sid, and I will make
sure that the fixed package reaches etch.

Summary for the security team:
- CVE-2006-6374 does not apply to sarge
- CVE-2007-0203 does not apply to sarge


Thijs