
Re: PMASA-2005-6 when "register_globals = on"



Neil McGovern wrote:
> On Tue, Nov 15, 2005 at 05:54:32PM +0100, Piotr Roszatycki wrote:
> > http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-6 reports 
> > that sarge's phpmyadmin package has a security flaw which occurs only if 
> > the "register_globals = on" setting is used.
> > 
> > This feature is disabled in the Debian package by default so I doubt if this is 
> > a serious problem. I'd like to ask if I should prepare the new package for 
> > sarge or not?
> > 
> 
> According to the advisory, all versions < 2.6.4-pl4 are affected
> (2.7.0-beta1 from the development schema).
> 
> This would mean that this affects sid and etch too. Has a bug been
> filed/a CVE number assigned for this?

I don't know of one.  We may have to go without one for the moment.

Also, a second issue has just popped up:
http://www.fitsec.com/advisories/FS-05-02.txt

I'd be glad if you could provide patches and packages for
both issues.

(both because in the second the path disclosure is bogus for
us since dpkg -c will disclose the path as well).

Regards,

	Joey

-- 
The only stupid question is the unasked one.

Please always Cc to me when replying to me on the lists.


