svn commit: r324220 - in head: databases/phpmyadmin databases/phpmyadmin35 security/vuxml

Matthew Seaman matthew at FreeBSD.org
Sun Aug 4 12:13:52 UTC 2013


Author: matthew
Date: Sun Aug  4 12:13:50 2013
New Revision: 324220
URL: http://svnweb.freebsd.org/changeset/ports/324220

Log:
  - Security update of databases/phpmyadmin to 4.0.5
  
  ChangeLog: http://sourceforge.net/projects/phpmyadmin/files/phpMyAdmin/4.0.5/phpMyAdmin-4.0.5-notes.html/download
  SecurityAdvisory: http://www.phpmyadmin.net/home_page/security/PMASA-2013-10.php
  
  - Deprecate databases/phpmyadmin35
  
  This version is vulnerable to the 'clickjacking protection bypass'
  problem fixed in 4.0.5, but the development team will not be
  publishing a fix. "We have no solution for 3.5.x, due to the proposed
  solution requiring JavaScript. We don't want to introduce a dependency
  to JavaScript in the 3.5.x family."
  
  Therefore deprecate this port and set expiry for one month.  Please
  upgrade to 4.0.5 instead.
  
  Security:	17326fd5-fcfb-11e2-9bb9-6805ca0b3d42

Modified:
  head/databases/phpmyadmin/Makefile
  head/databases/phpmyadmin/distinfo
  head/databases/phpmyadmin35/Makefile
  head/security/vuxml/vuln.xml

Modified: head/databases/phpmyadmin/Makefile
==============================================================================
--- head/databases/phpmyadmin/Makefile	Sun Aug  4 07:26:19 2013	(r324219)
+++ head/databases/phpmyadmin/Makefile	Sun Aug  4 12:13:50 2013	(r324220)
@@ -2,7 +2,7 @@
 # $FreeBSD$
 
 PORTNAME=	phpMyAdmin
-DISTVERSION=	4.0.4.2
+DISTVERSION=	4.0.5
 CATEGORIES=	databases www
 MASTER_SITES=	SF/${PORTNAME:L}/${PORTNAME}/${DISTVERSION}
 DISTNAME=	${PORTNAME}-${DISTVERSION}-all-languages

Modified: head/databases/phpmyadmin/distinfo
==============================================================================
--- head/databases/phpmyadmin/distinfo	Sun Aug  4 07:26:19 2013	(r324219)
+++ head/databases/phpmyadmin/distinfo	Sun Aug  4 12:13:50 2013	(r324220)
@@ -1,2 +1,2 @@
-SHA256 (phpMyAdmin-4.0.4.2-all-languages.tar.xz) = 0c13b9136092e33c0e4ce07d88818b989a7aa45d5c47f089df69719b4cc97fe5
-SIZE (phpMyAdmin-4.0.4.2-all-languages.tar.xz) = 4367316
+SHA256 (phpMyAdmin-4.0.5-all-languages.tar.xz) = f4df1190441ce5e094183cfadf8aec4af3a4f131339599e6380a1c6ac0a11fe4
+SIZE (phpMyAdmin-4.0.5-all-languages.tar.xz) = 4572884

Modified: head/databases/phpmyadmin35/Makefile
==============================================================================
--- head/databases/phpmyadmin35/Makefile	Sun Aug  4 07:26:19 2013	(r324219)
+++ head/databases/phpmyadmin35/Makefile	Sun Aug  4 12:13:50 2013	(r324220)
@@ -12,6 +12,9 @@ COMMENT=	A set of PHP-scripts to manage 
 
 LICENSE=	GPLv2
 
+DEPRECATED=	Has unresolved security problems: http://www.phpmyadmin.net/home_page/security/PMASA-2013-10.php
+EXPIRATION_DATE=	2013-09-04
+
 USE_XZ=	yes
 NO_BUILD=	yes
 .if !defined(WITHOUT_PHP_DEPENDS)
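Review bot: The `DEPRECATED` text gives the advisory URL but not the migration path, so someone who sees the warning at install time does not learn that databases/phpmyadmin 4.0.5 carries the fix. Something like `DEPRECATED=	Unfixed clickjacking protection bypass (PMASA-2013-10); upgrade to databases/phpmyadmin` would put that in the message itself. Until `EXPIRATION_DATE` passes the port stays installable, so this warning and the audit entry are the only signals users get. The Makefile continues before and after this hunk.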

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Sun Aug  4 07:26:19 2013	(r324219)
+++ head/security/vuxml/vuln.xml	Sun Aug  4 12:13:50 2013	(r324220)
@@ -51,6 +51,36 @@ Note:  Please add new entries to the beg
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="17326fd5-fcfb-11e2-9bb9-6805ca0b3d42">
+    <topic>phpMyAdmin -- clickJacking protection can be bypassed</topic>
+    <affects>
+      <package>
+	<name>phpMyAdmin</name>
+	<range><lt>4.0.5</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>The phpMyAdmin development team reports:</p>
+	<blockquote cite="http://www.phpmyadmin.net/home_page/security/PMASA-2013-10.php">
+	  <p> phpMyAdmin has a number of mechanisms to avoid a
+	  clickjacking attack, however these mechanisms either work
+	  only in modern browser versions, or can be bypassed.</p>
+	  <p>"We have no solution for 3.5.x, due to the proposed
+	  solution requiring JavaScript. We don't want to introduce a
+	  dependency to JavaScript in the 3.5.x family."</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>http://www.phpmyadmin.net/home_page/security/PMASA-2013-10.php</url>
+    </references>
+    <dates>
+      <discovery>2013-08-04</discovery>
+      <entry>2013-08-04</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="69098c5c-fc4b-11e2-8ad0-00262d5ed8ee">
     <topic>chromium -- multiple vulnerabilities</topic>
     <affects>
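Review bot: The new entry's `<affects>` block lists only `<name>phpMyAdmin</name>` with `<lt>4.0.5</lt>`, yet the commit log says the 3.5.x line is also vulnerable and will not be fixed. If databases/phpmyadmin35 installs under a different package name (its name and any suffix are not visible in this diff), audit tooling that matches on package name would not flag those installs during the month before the port expires. I would add a second `<package>` element naming that package, with a range covering every 3.5.x version. Separately, `<discovery>2013-08-04</discovery>` equals the entry date; it should carry the advisory's publication date if that differs.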

