Author: Julian Ladisch
Revision Date: 2015-10-27 17:20:12 UTC

new upstream version; CVE-2015-6830; CVE-2015-7873

Author: Julian Ladisch
Revision Date: 2015-10-16 10:14:29 UTC

* Fix security issues:
  - CVE-2014-1879: Self-XSS due to unescaped HTML output in import.
    LP: #1441590
  - CVE-2013-5003: SQL injection vulnerabilities (control user) (3.4.x is not affected).
  - CVE-2013-5002: Self-XSS due in schema export (3.4.x is not affected).
  - CVE-2013-4996: XSS in Logo Link and Trusted Proxy List (3.4.x is not affected).
  - CVE-2013-4995: XSS in HTML Output when executing a SQL query (3.4.x is not affected).
* Fix security issue:
  - CVE-2013-3239: Locally Saved SQL Dump File Multiple File Extension
    Remote Code Execution (3.4.x is not affected).
* New upstream security release.
  - CVE-2012-4345, CVE-2012-4579: Multiple XSS in Table operations,
    Database structure, Trigger and Visualize GIS data pages.
    LP: #1441587
* New upstream release.
* Add alternative dependency to php5-mysqlnd (closes: #665812).
* New upstream release.
  - CVE-2012-1902: Path disclosure due to missing verification of file presence.
    LP: #1441568
* Checked for policy 3.9.3, no changes.

Author: Michal Čihař
Revision Date: 2015-08-10 10:02:56 UTC

* New upstream release.
* Fix typo in suggests (Closes: #794422).
* Add Armenian debconf translation.

Author: Michal Čihař
Revision Date: 2015-08-10 10:02:56 UTC

* New upstream release.
* Fix typo in suggests (Closes: #794422).
* Add Armenian debconf translation.

Author: Michal Čihař
Revision Date: 2014-12-30 10:54:32 UTC

* Fix security issues (Closes: #774194).
  - CVE-2014-9219 / PMASA-2014-18 - XSS vulnerability in redirection.
  - CVE-2014-9218 / PMASA-2014-17 - DoS vulnerability with long passwords.

Author: Michal Čihař
Revision Date: 2014-12-30 10:54:32 UTC

* Fix security issues (Closes: #774194).
  - CVE-2014-9219 / PMASA-2014-18 - XSS vulnerability in redirection.
  - CVE-2014-9218 / PMASA-2014-17 - DoS vulnerability with long passwords.

Author: Thijs Kinkhorst
Revision Date: 2014-07-19 10:26:04 UTC

* New upstream release.
  - Fixes security issues CVE-2014-4955, CVE-2014-4986, CVE-2014-4987.

Author: Thijs Kinkhorst
Revision Date: 2014-07-19 10:26:04 UTC

* New upstream release.
  - Fixes security issues CVE-2014-4955, CVE-2014-4986, CVE-2014-4987.

Author: Thijs Kinkhorst
Revision Date: 2013-12-11 17:32:19 UTC

New upstream release.

Author: Thijs Kinkhorst
Revision Date: 2013-12-11 17:32:19 UTC

New upstream release.

Author: Thijs Kinkhorst
Revision Date: 2013-09-07 09:16:38 UTC

New upstream release.

Author: Thijs Kinkhorst
Revision Date: 2013-09-07 09:16:38 UTC

New upstream release.

Author: Thijs Kinkhorst
Revision Date: 2013-04-24 16:26:16 UTC

* New upstream release.
  - Fixes security issues PMASA-2013-2, PMASA-2013-3.

Author: Thijs Kinkhorst
Revision Date: 2013-04-24 16:26:16 UTC

* New upstream release.
  - Fixes security issues PMASA-2013-2, PMASA-2013-3.

Author: Thijs Kinkhorst
Revision Date: 2012-08-13 13:24:09 UTC

* New upstream security release.
  - Fixes cross site scripting [PMASA-2012-4].

Author: Thijs Kinkhorst
Revision Date: 2012-02-19 13:20:49 UTC

* New upstream release.
  - Fixes rather hypothetical XSS (CVE-2012-1190).

Author: Ante Karamatić
Revision Date: 2012-01-09 16:29:00 UTC

* debian/patches/CVE-2010-4480.patch:
  - CVE-2010-4480
  - prevents remote XSS attacks via a crafted BBcode tag containing
    "@" characters

Author: Ante Karamatić
Revision Date: 2012-01-09 16:29:00 UTC

* debian/patches/CVE-2010-4480.patch:
  - CVE-2010-4480
  - prevents remote XSS attacks via a crafted BBcode tag containing
    "@" characters

Author: Thijs Kinkhorst
Revision Date: 2011-09-14 14:59:46 UTC

* New upstream release.
* Fixes XSS when in-place editing rows [PMASA-2011-14].

Author: Michal Čihař
Revision Date: 2011-03-20 09:29:59 UTC

* New upstream release.
  - Remove patches integrated upstream.

Author: Jamie Strandboge
Revision Date: 2011-02-18 15:38:31 UTC

fake sync from Debian

Author: Jamie Strandboge
Revision Date: 2011-02-18 15:38:31 UTC

fake sync from Debian

Author: Michal Čihař
Revision Date: 2010-09-09 08:31:57 UTC

* New upstream release (Closes: #595974).
  - Fixes XSS in setup script (PMASA-2010-7, CVE-2010-3263).

Author: Artur Rona
Revision Date: 2010-04-11 02:16:47 UTC

* SECURITY UPDATE: Insufficient output sanitizing when generating
  configuration file (LP: #387215).
  - debian/patches/051_CVE-2009-1151.patch: Do not output unescaped
    chars to generated configuration file. Patch from upstream SVN revision
    12301.
  - References:
    + CVE-2009-1151
    + PMASA-2009-3
* removed unused debian/patches/series file

Author: Thijs Kinkhorst
Revision Date: 2010-04-14 10:55:42 UTC

* New upstream release (closes: #577753).
* Drop unneeded Indexes option from shipped apache.conf.
* Anchor regexp to prevent truncation of schema (closes: #577395).

Author: Artur Rona
Revision Date: 2010-04-11 02:16:47 UTC

* SECURITY UPDATE: Insufficient output sanitizing when generating
  configuration file (LP: #387215).
  - debian/patches/051_CVE-2009-1151.patch: Do not output unescaped
    chars to generated configuration file. Patch from upstream SVN revision
    12301.
  - References:
    + CVE-2009-1151
    + PMASA-2009-3
* removed unused debian/patches/series file

Author: Marc Deslauriers
Revision Date: 2009-10-26 12:21:00 UTC

* SECURITY UPDATE: XSS via a crafted name for a MySQL table (LP: #450505)
  - debian/patches/062_CVE-2009-3696-3697.dpatch: filter special
    characters in db_operations.php.
  - CVE-2009-3696
* SECURITY UPDATE: SQL injection via PDF schema generator functionality
  (LP: #450505)
  - debian/patches/062_CVE-2009-3696-3697.dpatch: filter and escape
    special characters in pdf_pages.php and pmd_pdf.php.
  - CVE-2009-3697

Author: Marc Deslauriers
Revision Date: 2009-10-26 08:55:07 UTC

* SECURITY UPDATE: XSS via a crafted name for a MySQL table (LP: #450505)
  - debian/patches/046-security-CVE-2009-3696-3697.dpatch: filter special
    characters in db_operations.php and db_structure.php.
  - CVE-2009-3696
* SECURITY UPDATE: SQL injection via PDF schema generator functionality
  (LP: #450505)
  - debian/patches/046-security-CVE-2009-3696-3697.dpatch: filter and
    escape special characters in pdf_pages.php and pmd_pdf.php.
  - CVE-2009-3697
* SECURITY UPDATE: code injection via configuration files (LP: #392324)
  - Previous patch for CVE-2009-1285 was incomplete
  - debian/patches/045-security-CVE-2009-1285-2.dpatch: do not allow user
    to modify php code before saving in setup/frames/config.inc.php and
    setup/config.php.
  - CVE-2009-1285

Author: Marc Deslauriers
Revision Date: 2009-10-26 11:08:55 UTC

* SECURITY UPDATE: XSS via a crafted name for a MySQL table (LP: #450505)
  - debian/patches/047-security-CVE-2009-3696-3697.dpatch: filter special
    characters in db_operations.php.
  - CVE-2009-3696
* SECURITY UPDATE: SQL injection via PDF schema generator functionality
  (LP: #450505)
  - debian/patches/047-security-CVE-2009-3696-3697.dpatch: filter and
    escape special characters in pdf_pages.php and pmd_pdf.php.
  - CVE-2009-3697

Author: Marc Deslauriers
Revision Date: 2009-10-26 12:21:00 UTC

* SECURITY UPDATE: XSS via a crafted name for a MySQL table (LP: #450505)
  - debian/patches/062_CVE-2009-3696-3697.dpatch: filter special
    characters in db_operations.php.
  - CVE-2009-3696
* SECURITY UPDATE: SQL injection via PDF schema generator functionality
  (LP: #450505)
  - debian/patches/062_CVE-2009-3696-3697.dpatch: filter and escape
    special characters in pdf_pages.php and pmd_pdf.php.
  - CVE-2009-3697

Author: Marc Deslauriers
Revision Date: 2009-10-26 11:08:55 UTC

* SECURITY UPDATE: XSS via a crafted name for a MySQL table (LP: #450505)
  - debian/patches/047-security-CVE-2009-3696-3697.dpatch: filter special
    characters in db_operations.php.
  - CVE-2009-3696
* SECURITY UPDATE: SQL injection via PDF schema generator functionality
  (LP: #450505)
  - debian/patches/047-security-CVE-2009-3696-3697.dpatch: filter and
    escape special characters in pdf_pages.php and pmd_pdf.php.
  - CVE-2009-3697

Author: Marc Deslauriers
Revision Date: 2009-10-26 08:55:07 UTC

* SECURITY UPDATE: XSS via a crafted name for a MySQL table (LP: #450505)
  - debian/patches/046-security-CVE-2009-3696-3697.dpatch: filter special
    characters in db_operations.php and db_structure.php.
  - CVE-2009-3696
* SECURITY UPDATE: SQL injection via PDF schema generator functionality
  (LP: #450505)
  - debian/patches/046-security-CVE-2009-3696-3697.dpatch: filter and
    escape special characters in pdf_pages.php and pmd_pdf.php.
  - CVE-2009-3697
* SECURITY UPDATE: code injection via configuration files (LP: #392324)
  - Previous patch for CVE-2009-1285 was incomplete
  - debian/patches/045-security-CVE-2009-1285-2.dpatch: do not allow user
    to modify php code before saving in setup/frames/config.inc.php and
    setup/config.php.
  - CVE-2009-1285

Author: Michal Čihař
Revision Date: 2009-10-14 10:58:28 UTC

* New upstream version.
  - Fixes XSS (PMASA-2009-6, CVE-2009-3696, CVE-2009-3697).
* Register documentation on doc-base.
* Use mootools from Debian package rather than own copy.
* Allow saving of configuration from setup script only after explicit action
  from administrator (Closes: #535044, #543460).

Author: Emanuele Gentili
Revision Date: 2008-03-05 20:38:57 UTC

* SECURITY UPDATE:
 + debian/patches/050_CVE-2008-1149.dpatch
  - Provides unauthorized access, Allows partial confidentiality, integrity, and
    availability violation , Allows unauthorized disclosure of information ,
    Allows disruption of service. (LP: #198745)

* References:
 + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1149
 + http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-1

Author: Thijs Kinkhorst
Revision Date: 2009-01-19 20:59:17 UTC

[ Thijs Kinkhorst ]
* New upstream release.
* Replace dh_clean -k by dh_prep.

[ Michal Čihař ]
* Better describe steps needed to access phpMyAdmin in README.Debian
  (Closes: #508703).

Author: Emanuele Gentili
Revision Date: 2008-03-11 06:03:46 UTC

* SECURITY UPDATE:
 + debian/patches/050_CVE-2008-1149.dpatch
  - Provides unauthorized access, Allows partial confidentiality, integrity, and
    availability violation , Allows unauthorized disclosure of information ,
    Allows disruption of service. (LP: #198745)
* References:
 + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1149
 + http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-1

Author: Thijs Kinkhorst
Revision Date: 2008-08-11 12:44:44 UTC

* New upstream release, only changes:
  + Updates Norwegian translation.
  + Fixes PHP notice on every page load.

Author: Emanuele Gentili
Revision Date: 2008-03-11 06:23:46 UTC

* SECURITY UPDATE:
 + debian/patches/050_CVE-2008-1149.dpatch
  - Provides unauthorized access, Allows partial confidentiality, integrity, and
    availability violation , Allows unauthorized disclosure of information ,
    Allows disruption of service. (LP: #198745)
* References:
 + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1149
 + http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-1

Author: Emanuele Gentili
Revision Date: 2008-03-05 20:17:28 UTC

* SECURITY UPDATE:
 + debian/patches/050_CVE-2008-1149.dpatch
  - Provides unauthorized access, Allows partial confidentiality, integrity, and
    availability violation , Allows unauthorized disclosure of information ,
    Allows disruption of service. (LP: #198745)
* References:
 + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1149
 + http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-1
* debian/control:
 + updated maintainer field

Author: Emanuele Gentili
Revision Date: 2008-03-05 20:38:57 UTC

* SECURITY UPDATE:
 + debian/patches/050_CVE-2008-1149.dpatch
  - Provides unauthorized access, Allows partial confidentiality, integrity, and
    availability violation , Allows unauthorized disclosure of information ,
    Allows disruption of service. (LP: #198745)

* References:
 + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1149
 + http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-1

Author: Thijs Kinkhorst
Revision Date: 2007-07-14 18:07:05 UTC

* New upstream bugfix release.

[ Translations ]
* German by Helge Kreutzmann (Closes: #432566).

Author: Emanuele Gentili
Revision Date: 2008-03-11 06:03:46 UTC

* SECURITY UPDATE:
 + debian/patches/050_CVE-2008-1149.dpatch
  - Provides unauthorized access, Allows partial confidentiality, integrity, and
    availability violation , Allows unauthorized disclosure of information ,
    Allows disruption of service. (LP: #198745)
* References:
 + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1149
 + http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-1

Author: magilus
Revision Date: 2007-03-23 12:04:17 UTC

* SECURITY: Fix PHP Executor Deep Recursion Stack Overflow
* References:
  http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2007-3
  https://bugs.launchpad.net/ubuntu/+source/phpmyadmin/+bug/94891
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1325

Author: Emanuele Gentili
Revision Date: 2008-03-11 06:23:46 UTC

* SECURITY UPDATE:
 + debian/patches/050_CVE-2008-1149.dpatch
  - Provides unauthorized access, Allows partial confidentiality, integrity, and
    availability violation , Allows unauthorized disclosure of information ,
    Allows disruption of service. (LP: #198745)
* References:
 + http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1149
 + http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-1

Author: Steinar H. Gunderson
Revision Date: 2006-09-11 00:14:54 UTC

* Non-maintainer upload.
* Fix issue with /var/www pointing to /usr/share/phpmyadmin.
  (Closes: #385889)
  * Make sure we install /var/www as a directory, since we make a symlink into
    it and we can't rely on it being there.
  * Explicitly link to /var/www/phpmyadmin instead of /var/www, to make sure
    we don't make a new /var/www even if it should be removed for some
    reason.

Author: John Dong
Revision Date: 2006-08-29 18:21:15 UTC

Automated backport upload; no source changes.

Author: Piotr Roszatycki
Revision Date: 2006-04-14 14:47:28 UTC

* New upstream release.
* Security fix: XSS vulnerability (calling directly css files under themes)
  See: http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-1
  See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1678
  Closes: #362567.

Author: Andrew Mitchell
Revision Date: 2005-10-22 12:31:08 UTC

* SECURITY UPDATE: fix local file inclusion.
* libraries/grab_globals.lib.php: the $__redirect parameter was not
  correctly validated, opening the door to a local file inclusion attack.
* Fix backported from 4:2.6.4-pl2-1
* References:
  PMASA-2005-4
  http://bugs.debian.org/333433

Author: Andrew Mitchell
Revision Date: 2005-10-04 10:54:46 UTC

Roll back to older yada version for breezy, due to freeze
(regression to #322139)

Author: Piotr Roszatycki
Revision Date: 2005-03-11 11:14:05 UTC

Fixed the bug in postinst introduced in last upload. Closes: #299034.

Author: Piotr Roszatycki
Revision Date: 2004-06-25 10:27:26 UTC

* New upstream release
* Add /var/www/phpmyadmin to the apache.conf, closes: #246367.
* Suggests: php4-gd, closes: #243714.
* Should work with E_ALL, closes: #244672.
* Remove php3 from dependencies and DebConf templates, closes: #246002.
* Fixed typo in DebConf template, closes: #250841.
* Dutch debconf templates translation (unfinished...), closes: #216936.
* Split configuration to the /etc/phpmyadmin/config.inc.php and
  /usr/share/phpmyadmin/config.inc.php, closes: #225766.
* Ask for restart only if required, closes: #249940.