From 9aacd678d32b85dc67c552d652a47d0ddb52d77d Mon Sep 17 00:00:00 2001 From: Matthew Seaman Date: Sun, 4 Aug 2013 12:13:50 +0000 Subject: [PATCH] - Security update of databases/phpmyadmin to 4.0.5 ChangeLog: http://sourceforge.net/projects/phpmyadmin/files/phpMyAdmin/4.0.5/phpMyAdmin-4.0.5-notes.html/download SecurityAdvisory: http://www.phpmyadmin.net/home_page/security/PMASA-2013-10.php - Deprecate databases/phpmyadmin35 This version is vulnerable to the 'clickjacking protection bypass' problem fixed in 4.0.5, but the development team will not be publishing a fix. "We have no solution for 3.5.x, due to the proposed solution requiring JavaScript. We don't want to introduce a dependency to JavaScript in the 3.5.x family." Therefore deprecate this port and set expiry for one month. Please upgrade to 4.0.5 instead. Security: 17326fd5-fcfb-11e2-9bb9-6805ca0b3d42 --- databases/phpmyadmin/Makefile | 2 +- databases/phpmyadmin/distinfo | 4 ++-- databases/phpmyadmin35/Makefile | 3 +++ security/vuxml/vuln.xml | 30 ++++++++++++++++++++++++++++++ 4 files changed, 36 insertions(+), 3 deletions(-) diff --git a/databases/phpmyadmin/Makefile b/databases/phpmyadmin/Makefile index ecb1f43cbb21..b3f8a8be91df 100644 --- a/databases/phpmyadmin/Makefile +++ b/databases/phpmyadmin/Makefile @@ -2,7 +2,7 @@ # $FreeBSD$ PORTNAME= phpMyAdmin -DISTVERSION= 4.0.4.2 +DISTVERSION= 4.0.5 CATEGORIES= databases www MASTER_SITES= SF/${PORTNAME:L}/${PORTNAME}/${DISTVERSION} DISTNAME= ${PORTNAME}-${DISTVERSION}-all-languages diff --git a/databases/phpmyadmin/distinfo b/databases/phpmyadmin/distinfo index 8659a92b9d5e..4beb87c9602b 100644 --- a/databases/phpmyadmin/distinfo +++ b/databases/phpmyadmin/distinfo 
@@ -1,2 +1,2 @@ -SHA256 (phpMyAdmin-4.0.4.2-all-languages.tar.xz) = 0c13b9136092e33c0e4ce07d88818b989a7aa45d5c47f089df69719b4cc97fe5 -SIZE (phpMyAdmin-4.0.4.2-all-languages.tar.xz) = 4367316 +SHA256 (phpMyAdmin-4.0.5-all-languages.tar.xz) = f4df1190441ce5e094183cfadf8aec4af3a4f131339599e6380a1c6ac0a11fe4 +SIZE (phpMyAdmin-4.0.5-all-languages.tar.xz) = 4572884 diff --git a/databases/phpmyadmin35/Makefile b/databases/phpmyadmin35/Makefile index ea5431069d56..db426002a9f4 100644 --- a/databases/phpmyadmin35/Makefile +++ b/databases/phpmyadmin35/Makefile @@ -12,6 +12,9 @@ COMMENT= A set of PHP-scripts to manage MySQL over the web LICENSE= GPLv2 +DEPRECATED= Has unresolved security problems: http://www.phpmyadmin.net/home_page/security/PMASA-2013-10.php +EXPIRATION_DATE= 2013-09-04 + USE_XZ= yes NO_BUILD= yes .if !defined(WITHOUT_PHP_DEPENDS) diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml index 9a596297e76b..e36f33ffc27c 100644 --- a/security/vuxml/vuln.xml +++ b/security/vuxml/vuln.xml @@ -51,6 +51,36 @@ Note: Please add new entries to the beginning of this file. --> + + phpMyAdmin -- clickJacking protection can be bypassed + + + phpMyAdmin + 4.0.5 + + + + +

The phpMyAdmin development team reports:

+
+

phpMyAdmin has a number of mechanisms to avoid a + clickjacking attack, however these mechanisms either work + only in modern browser versions, or can be bypassed.

+

"We have no solution for 3.5.x, due to the proposed + solution requiring JavaScript. We don't want to introduce a + dependency to JavaScript in the 3.5.x family."

+
+ +
+ + http://www.phpmyadmin.net/home_page/security/PMASA-2013-10.php + + + 2013-08-04 + 2013-08-04 + +
+ chromium -- multiple vulnerabilities
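Review bot: the new `SHA256` and `SIZE` lines in the databases/phpmyadmin/distinfo hunk are the only integrity anchor for phpMyAdmin-4.0.5-all-languages.tar.xz, which is fetched from the SF mirror named in `MASTER_SITES`, and the commit does not say how they were obtained. For a security update, compare the hash with a checksum or signature published by upstream, if one is available, rather than with a single mirror download, and record that in the commit message.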
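Review bot: the `DEPRECATED=` line added in the databases/phpmyadmin35/Makefile hunk carries the advisory URL but not the migration path, which appears only in the commit message ("Please upgrade to 4.0.5 instead"). Users building or installing the port see the DEPRECATED text, not the commit log, so name databases/phpmyadmin as the replacement in that string next to `EXPIRATION_DATE= 2013-09-04`.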
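Review bot: the affected-package block in the security/vuxml/vuln.xml hunk names only `phpMyAdmin` with the bound `4.0.5`, while the commit message and the quoted upstream statement in the same entry say the 3.5.x family is vulnerable and will not be fixed. If databases/phpmyadmin35 installs under a different package name, this entry will not match it and tools that read vuln.xml will not flag 3.5.x installs. Either add a second package element for the 3.5 package with a range that has no fixed version, or confirm that the existing name and range already cover it.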