Welcome to phpMyAdmin 184.108.40.206, a bugfix release that includes important security fixes.
This release fixes two security vulnerabilities:
Upgrading is highly recommended for all users. Using the 'http' auth_type instead of 'cookie' can mitigate the CSRF attack.
The fix for the CSRF attack removes the former ability to log in directly through URL parameters (as mentioned in FAQ 4.8, such as https://example.com/phpmyadmin/?pma_username=root&password=foo). Such behavior was discouraged and is now removed. Other query parameters work as expected; only pma_username and pma_password have been removed.
This release also includes fixes for many bugs, including:
There are many, many more bug fixes thanks to the efforts of our developers, Google Summer of Code applicants, and other contributors.
The phpMyAdmin team
phpmyadmin/sql-parser version 4.3.2
sudo dnf upgrade --advisory=FEDORA-2019-13d2ba0aed
| Update status | When |
|---|---|
| submitted | a month ago |
| in testing | a month ago |
| in stable | a month ago |
| modified | a month ago |
| Bug | Summary |
|---|---|
| #1717401 | CVE-2019-11768 phpmyadmin: specially crafted database name in the designer feature can be used to trigger an SQL injection attack |
| #1717402 | CVE-2019-12616 phpmyadmin: broken tag provided by attacker and pointing at the victim's phpMyAdmin database can cause CSRF through the victim |
| #1717406 | CVE-2019-12616 phpMyAdmin: broken tag provided by attacker and pointing at the victim's phpMyAdmin database can cause CSRF through the victim [fedora-all] |
| #1717409 | CVE-2019-11768 phpMyAdmin: specially crafted database name in the designer feature can be used to trigger an SQL injection attack [fedora-all] |