Fedora 13 : phpMyAdmin-3.4.1-1.fc13 (2011-7703)

high Nessus Plugin ID 55007

Synopsis

The remote Fedora host is missing a security update.

Description

Welcome to phpMyAdmin 3.4, presenting a new default theme. This release contains new features, especially:

- User preferences

- Relation schema export to multiple formats

- ENUM/SET editor

- Simplified interface for export/import

- AJAXification of some parts

- Charts

- Visual query builder

and here is the ChangeLog:

Changes for 3.4.1.0 (2011-05-20)

- [interface] Synchronize and already configured host

- [bug] Inline edit and $cfg['PropertiesIconic']

- [patch] Show a translated label

- [navi] Table filter is case sensitive

- [privileges] Revert temporary fix

- [synchronize] Synchronize and user name

- [core] Some browsers report an insecure https connection

- [security] Make redirector require valid token (see PMASA-2011-3 and PMASA-2011-4)

Changes for 3.4.0.0 (2011-05-11)

- [view] Enable VIEW rename

- [privileges] Export a user's privileges

- [core] Updated mootools to fix some glitches with Safari.

- [interface] Add REGEXP ^...$ to select dialog.

- [interface] Add insert ignore option to editing row.

- [interface] Show warning when JavaScript is disabled.

- [edit] Call UUID function separately to show it in insert.

- [export] Allow export of timestamps in UTC.

- [core] Remove config data from session as it brings chicken-egg problem.

- [core] Cookie path now honors PmaAbsoluteUri.

- [core] phpMyAdmin honors https in PmaAbsoluteUri.

- [core] Try moving tables by RENAME and fail to CREATE/INSERT if that fails.

- [core] Force reload js on code change.

- [interface] Do not display long numbers in server status.

- [edit] Add option to just display insert query.

- [interface] Move SSL status to the end, it is usually empty.

- [interface] Show numbers of columns in table structure.

- [interface] Add link to reload navigation frame.

- [auth] Signon authentication forwards error message through session data.

- [interface] Move ^1 to the end of message.

- [interface] Grey out non applicable actions in structure

- [interface] Allow to create new table from navigation frame (in light mode).

- [browse] Add direct download of binary fields.

- [browse] Properly display NULL value for BLOB.

- [edit] Allow to set BLOB to/from NULL with ProtectBinary.

- [edit] Do not default to UNHEX when using file upload.

- [core] Add option to configure session_save_path.

- [interface] Provide links to documentation in highlighted SQL.

- [interface] It is now possible to bookmark most pages in JS capable browser.

- [core] Fix SSL detection.

- [doc] Add some hints to chk_rel.php for quick setup.

- [interface] Add class to some elements for easier theming.

- [doc] Add some interesting configs to config.sample.inc.php.

- [doc] Added advice to re-login after changing pmadb settings

- [interface] Prefill 'Copy table to' in tbl_operations.php, thanks to iinl

- [lang] Add English (United Kingdom) translation, thanks to Robert Readman.

- [auth] HTTP Basic auth realm name, thanks to Harald Jenny

- [interface] Do not insert doc links to not formatted SQL.

- [lang] Chinese Simplified update, thanks to Shanyan Baishui

- [lang] Turkish update, thanks to Burak Yavuz

- [interface] Focus TEXTAREA 'sql_query' on click on 'SQL' link

- [lang] Uzbek update, thanks to Orzu Samarqandiy

- [import] After import, also list uploaded filename, thanks to Pavel Konnikov and Herman van Rink

- [structure] Clicking on table name in db Structure should Browse the table if possible, thanks to bhdouglass

- [search] New search operators, thanks to Martynas Mickevičius

- [designer] Colored relations based on the primary key, thanks to GreenRover

- [core] Provide way for vendors to easily change paths to config files.

- [interface] Add inline query editing, thanks to Muhammad Adnan.

- [setup] Allow to configure changes tracking in setup script.

- [edit] Optionally disable the Type column, thanks to Brian Douglass

- [edit] Buttons for quickly creating common SQL queries, thanks to sutharshan.

- [interface] Convert loading of export/import to jQuery ready event, thanks to sutharshan.

- [edit] CURRENT_TIMESTAMP is also valid for datetime fields.

- [engines] Fix parsing of PBXT status, thanks to Madhura Jayaratne.

- [interface] Convert upload progress bar to jQuery, thanks to Philip Frank.

- [interface] Add JavaScript validation of datetime input, thanks to Sutharshan Balachandren.

- [interface] Default sort order is now SMART.

- [interface] Fix flipping of headers in non-IE browsers.

- [interface] Allow to choose servers from configuration for synchronisation.

- [relation] Improve ON DELETE/ON UPDATE drop-downs

- [relation] Improve labels in relation view

- [interface] Use jQuery calendar dialog, thanks to Muhammad Adnan.

- [doc] Incorporate synchronisation docs into main document.

- [core] Include Content Security Policy HTTP headers.

- [CSS] Field attributes use inline CSS

- [interface] Cleanup navigation frame.

- [core] Prevent sending of unnecessary cookies, thanks to Piotr Przybylski

- [password] Generate password only available if JS is enabled (fixed for Privileges and Change password)

- [core] RecodingEngine now accepts none as valid option.

- [core] Dropped AllowAnywhereRecoding configuration variable.

- [interface] Define tab order in SQL form to allow easier tab navigation.

- [core] Centralized format string expansion, @VARIABLES@ are recommended way now, used by file name templates, default queries, export and title generating.

- [validator] SQL validator works also with SOAP PHP extension.

- [interface] Better formatting for SQL validator results.

- [doc] The linked-tables infrastructure is now called phpMyAdmin configuration storage.

- [interface] Move drop/empty links from being tabs to Operations tab.

- [interface] Fixed rendering of error/notice/info titles background.

- [doc] Language and grammar fixes, thanks to Isaac Bennetch

- [export] JSON export, thanks to Hauke Henningsen

- [interface] Editor for SET/ENUM fields.

- [interface] Simplified interface to backup/restore.

- [common] Users preferences

- [relations] Dropped WYSIWYG-PDF configuration variable.

- [relations] Export relations to Dia, SVG and others

- [interface] Added charts to status tab, profiling page and query results

- [interface] AJAXification on various pages

- [core] Remove last remaining parts of profiling code which was removed in 2006.

- [parser] Add workaround for MySQL way of handling backtick.

- [interface] Removed modification options for information_schema

- [config] Add Left frame table filter visibility config option, thanks to eesau

- [core] Force generating of new session on login

- [interface] Drop page-break-before as it is useless for smaller tables.

- [interface] Allow to wrap enum values.

- [interface] Do not automatically mark PDF schema rows to delete

- [interface] Do not apply LeftFrameDBSeparator on first character.

- [interface] Column highlighting and marking in table view

- [common] Visual query builder

- [interface] Prevent long queries from being shown in confirmation popup

- [navi] Left panel table grouping incorrect, thanks to garas - garas

- [interface] Avoid double escaping of MySQL errors.

- [interface] Use less noisy message and remove disable link on server charts and database statistics.

- [relation] When displaying results, show a link to the foreign table even when phpMyAdmin configuration storage is not active

- [relation] Foreign key input options

- [export] Better handling of export to PHP array.

- [privileges] No DROP DATABASE warning if you delete a user

- [interface] Add link to documentation for status variables.

- [security] Redirect external links to avoid Referer leakage.

- [interface] Default to not count tables in database.

- [interface] Shortcut for copying table row.

- [auth] Reset user cache on login.

- [interface] Replace hard-coded limit with $cfg['LimitChars'].

- [interface] Indicate that bookmark is being used on browse.

- [interface] Indicate shared bookmarks in interface.

- [search] Ajaxify browse and delete criteria in DB Search, thanks to Thilanka Kaushalya

- [interface] New default theme pmahomme, dropped darkblue_orange theme.

- [auth] Allow to pass additional parameters using signon method.

- [auth] Add example for OpenID authentication using signon method.

- [dbi] Default to mysqli extension.

- [interface] Add clear button to SQL edit box.

- [core] Update library PHPExcel to version 1.7.6

- [core] Work without mbstring installed.

- [interface] Add links to variables documentation.

- [import] Fix import of utf-8 XML files.

- [auth] Force signon auth on signon URL change.

- [core] Synchronization does not honor AllowArbitraryServer

- [synchronization] Data containing single quotes prevents sync, thanks to jviewer

- [common] Remove the custom color picker feature

- [privileges] Don't fail silently on missing privilege to execute REVOKE ALL PRIVILEGES
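The two [security] entries above describe the same mechanism from both sides: an internal redirector keeps the phpMyAdmin page URL out of the Referer sent to external sites, but a redirector that accepts any URL from anyone is an open redirect, so 3.4.1 makes it require a valid token. The block below is an added illustration of that pattern, not phpMyAdmin's own url.php code: `redirect_unchecked` is the open-redirect shape, `redirect_checked` demands the caller's per-session token (compared in constant time) and only forwards to absolute http/https targets. The parameter names `url` and `token`, the status codes and the session-token handling are assumptions for the example.

```python
import hmac
import secrets
from typing import Optional, Tuple, Dict
from urllib.parse import urlsplit, parse_qs

# Assumed for this example: only web URLs may be redirected to; javascript:, data:,
# protocol-relative and relative targets are refused.
ALLOWED_SCHEMES = {"http", "https"}


def new_session_token() -> str:
    """Per-session token, generated once at login and stored server-side (assumed flow)."""
    return secrets.token_hex(16)


def _target_url(query: str) -> Optional[str]:
    """Pull the ?url= parameter out of the query string and sanity-check it."""
    url = parse_qs(query).get("url", [None])[0]
    if not url:
        return None
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return url


def redirect_unchecked(query: str) -> Tuple[int, Dict[str, str]]:
    """Open redirector: anyone can mint links that bounce off this host to any site."""
    url = _target_url(query)
    return (302, {"Location": url}) if url else (400, {})


def redirect_checked(query: str, session_token: Optional[str]) -> Tuple[int, Dict[str, str]]:
    """Hardened redirector: the link must carry the caller's own session token.

    A missing or forged token is rejected before the target is even looked at, so a
    third party cannot use the endpoint as an open redirect; the constant-time compare
    avoids leaking the token byte by byte through timing.
    """
    supplied = parse_qs(query).get("token", [""])[0]
    if not session_token or not hmac.compare_digest(supplied.encode(), session_token.encode()):
        return (403, {})
    url = _target_url(query)
    return (302, {"Location": url}) if url else (400, {})


if __name__ == "__main__":
    tok = new_session_token()
    print(redirect_unchecked("url=https://example.org/docs"))
    print(redirect_checked("url=https://example.org/docs", tok))
    print(redirect_checked(f"url=https://example.org/docs&token={tok}", tok))
    print(redirect_checked(f"url=javascript:alert(1)&token={tok}", tok))
```

The token must be bound to the session that renders the links, not a global secret: a fixed site-wide token would simply be copied into the attacker's phishing URL.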

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Update the affected phpMyAdmin package.
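This is a local check: the plugin reads the host's installed RPM list and flags phpMyAdmin if its epoch/version/release sorts below 3.4.1-1.fc13 under RPM's own ordering rules. The following is an added example of that comparison, written for this page and not Tenable's plugin code: a port of rpm's `rpmvercmp` segment ordering (digit runs compared numerically, letter runs lexically, a numeric segment beating an alphabetic one, `~` sorting before everything) applied to a constructed package list in `NAME-VERSION-RELEASE` form, as `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` prints it. The sample list and the assumption that the package has no epoch are constructed for the example.

```python
from typing import List, Tuple


def _run(s: str, k: int, numeric: bool) -> str:
    """Longest run of ASCII digits (numeric=True) or ASCII letters starting at s[k]."""
    e = k
    while e < len(s) and s[e].isascii() and (s[e].isdigit() if numeric else s[e].isalpha()):
        e += 1
    return s[k:e]


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 ordering a against b the way rpm's rpmvercmp() does."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        # separators (anything that is not ASCII alphanumeric or '~') are skipped
        while i < len(a) and not ((a[i].isascii() and a[i].isalnum()) or a[i] == "~"):
            i += 1
        while j < len(b) and not ((b[j].isascii() and b[j].isalnum()) or b[j] == "~"):
            j += 1
        # '~' marks a pre-release: it sorts before anything, even the end of the string
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i += 1
            j += 1
            continue
        if i >= len(a) or j >= len(b):
            break
        numeric = a[i].isdigit()
        sa = _run(a, i, numeric)
        sb = _run(b, j, numeric)
        if not sb:
            # segment type mismatch: a numeric segment is newer than an alphabetic one
            return 1 if numeric else -1
        i += len(sa)
        j += len(sb)
        if numeric:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1


def parse_nvr(nvr: str) -> Tuple[str, str, str, str]:
    """'phpMyAdmin-3.4.1-1.fc13' -> (name, epoch, version, release); epoch defaults to '0'."""
    name, ver, rel = nvr.rsplit("-", 2)
    epoch = "0"
    if ":" in ver:
        epoch, ver = ver.split(":", 1)
    return name, epoch, ver, rel


def evr_cmp(evr_a: Tuple[str, ...], evr_b: Tuple[str, ...]) -> int:
    """Compare (epoch, version, release) tuples field by field."""
    for x, y in zip(evr_a, evr_b):
        r = rpmvercmp(x, y)
        if r:
            return r
    return 0


def find_vulnerable(rpm_list: str, fixed_nvr: str) -> List[str]:
    """Return the installed NVRs of the fixed package's name that sort below the fixed NVR."""
    fixed_name, *fixed_evr = parse_nvr(fixed_nvr)
    hits = []
    for line in rpm_list.splitlines():
        line = line.strip()
        if not line:
            continue
        name, *evr = parse_nvr(line)
        if name == fixed_name and evr_cmp(tuple(evr), tuple(fixed_evr)) < 0:
            hits.append(line)
    return hits


# Constructed sample of an rpm-list as collected from a Fedora 13 host (not real host data).
SAMPLE_RPM_LIST = """\
php-common-5.3.6-1.fc13
phpMyAdmin-3.3.10-1.fc13
httpd-2.2.17-1.fc13
"""

if __name__ == "__main__":
    print(find_vulnerable(SAMPLE_RPM_LIST, "phpMyAdmin-3.4.1-1.fc13"))
```

The segment rules matter in practice: a naive string compare would call 3.4.10 older than 3.4.9 and 3.4.1~rc1 newer than 3.4.1, and either mistake means a missing update goes unreported.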

See Also

https://bugzilla.redhat.com/show_bug.cgi?id=704171

http://www.nessus.org/u?649afa81

Plugin Details

Severity: High

ID: 55007

File Name: fedora_2011-7703.nasl

Version: 1.12

Type: local

Agent: unix

Published: 6/9/2011

Updated: 1/11/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Vulnerability Information

CPE: p-cpe:/a:fedoraproject:fedora:phpmyadmin, cpe:/o:fedoraproject:fedora:13

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list

Patch Publication Date: 5/30/2011

Vulnerability Publication Date: 5/30/2011

Reference Information

FEDORA: 2011-7703