From 1a6e6a9d9670431e3c5e8485df78afc9530e8769 Mon Sep 17 00:00:00 2001 From: Jackie Huang Date: Wed, 20 Jul 2016 04:45:46 -0400 Subject: phpmyadmin: upgrade to 4.6.3 * Compatible with PHP 5.5 to 7.0 and MySQL 5.5 and newer. * Release notes: http://www.phpmyadmin.net/files/4.6.3/ * Drop two CVE patches which have been fixed: CVE-2015-7873 and CVE-2015-8669 * Use PV in SRC_URI instead of hardcoded version number. Signed-off-by: Jackie Huang Signed-off-by: Martin Jansa --- .../Port-content-spoofing-fix-CVE-2015-7873.patch | 48 ---------------------- .../phpmyadmin/phpmyadmin-CVE-2015-8669.patch | 18 -------- .../recipes-php/phpmyadmin/phpmyadmin_4.5.0.2.bb | 38 ----------------- .../recipes-php/phpmyadmin/phpmyadmin_4.6.3.bb | 36 ++++++++++++++++ 4 files changed, 36 insertions(+), 104 deletions(-) delete mode 100644 meta-webserver/recipes-php/phpmyadmin/phpmyadmin/Port-content-spoofing-fix-CVE-2015-7873.patch delete mode 100644 meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2015-8669.patch delete mode 100644 meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.5.0.2.bb create mode 100644 meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.6.3.bb (limited to 'meta-webserver') diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/Port-content-spoofing-fix-CVE-2015-7873.patch b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/Port-content-spoofing-fix-CVE-2015-7873.patch deleted file mode 100644 index 1e6bcbda52..0000000000 --- a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/Port-content-spoofing-fix-CVE-2015-7873.patch +++ /dev/null @@ -1,48 +0,0 @@ -From ae7eae1cc88cbdf2d27a6f10f097ef731823689e Mon Sep 17 00:00:00 2001 -From: Wenzong Fan -Date: Sat, 14 Nov 2015 02:01:54 -0500 -Subject: [PATCH] Port content spoofing fix - -Backport upstream commit for fixing CVE-2015-7873: - https://github.com/phpmyadmin/phpmyadmin/commit/cd097656758f981f80fb9029c7d6b4294582b706 - -Upstream-Status: Backport - -Signed-off-by: Marc Delisle -Signed-off-by: Wenzong Fan ---- - ChangeLog | 4 ++++ - url.php | 3 ++- - 2 files changed, 6 insertions(+), 1 deletion(-) - -diff --git a/ChangeLog b/ChangeLog -index 4cb6708..96936c8 100644 ---- a/ChangeLog -+++ b/ChangeLog -@@ -107,6 +107,10 @@ phpMyAdmin - ChangeLog - - issue #11448 Clarify doc about the MemoryLimit directive - - issue #11489 Cannot copy a database under certain conditions - -+4.4.15.1 (2015-10-23) -+- issue #11464 phpMyAdmin suggests upgrading to newer version not usable on that system -+- issue [security] Content spoofing on url.php -+ - 4.4.15.0 (not yet released) - - issue #11411 Undefined "replace" function on numeric scalar - - issue #11421 Stored-proc / routine - broken parameter parsing -diff --git a/url.php b/url.php -index eec78a5..9c4c884 100644 ---- a/url.php -+++ b/url.php -@@ -32,6 +32,7 @@ if (! PMA_isValid($_REQUEST['url']) - } - "; - // Display redirecting msg on screen. -- printf(__('Taking you to %s.'), htmlspecialchars($_REQUEST['url'])); -+ // Do not display the value of $_REQUEST['url'] to avoid showing injected content -+ echo __('Taking you to the target site.'); - } - die(); --- -1.9.1 - diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2015-8669.patch b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2015-8669.patch deleted file mode 100644 index 65fff6455e..0000000000 --- a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin/phpmyadmin-CVE-2015-8669.patch +++ /dev/null @@ -1,18 +0,0 @@ -[Security] Path disclosure, see PMASA-2015-6 - -Upstream-Status: Bacport - -Signed-off-by: Marc Delisle - -diff -Nur phpMyAdmin-4.5.0.2-all-languages.orig/libraries/config/messages.inc.php phpMyAdmin-4.5.0.2-all-languages/libraries/config/messages.inc.php ---- phpMyAdmin-4.5.0.2-all-languages.orig/libraries/config/messages.inc.php 2016-01-20 15:11:15.410106888 +0800 -+++ phpMyAdmin-4.5.0.2-all-languages/libraries/config/messages.inc.php 2016-01-20 15:14:05.758108076 +0800 -@@ -11,7 +11,7 @@ - */ - - if (!function_exists('__')) { -- PMA_fatalError('Bad invocation!'); -+ exit(); - } - - $strConfigAllowArbitraryServer_desc = __( diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.5.0.2.bb b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.5.0.2.bb deleted file mode 100644 index ac321857b5..0000000000 --- a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.5.0.2.bb +++ /dev/null @@ -1,38 +0,0 @@ -SUMMARY = "Web-based MySQL administration interface" -HOMEPAGE = "http://www.phpmyadmin.net" -# Main code is GPLv2, libraries/tcpdf is under LGPLv3, js/jquery is under MIT -LICENSE = "GPLv2 & LGPLv3 & MIT" -LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ - file://libraries/tcpdf/LICENSE.TXT;md5=5c87b66a5358ebcc495b03e0afcd342c" - -SRC_URI = "https://files.phpmyadmin.net/phpMyAdmin/4.5.0.2/phpMyAdmin-4.5.0.2-all-languages.tar.xz \ - file://Port-content-spoofing-fix-CVE-2015-7873.patch \ - file://apache.conf \ - file://phpmyadmin-CVE-2015-8669.patch \ -" - -SRC_URI[md5sum] = "2d08d2fcc8f70f88a11a14723e3ca275" -SRC_URI[sha256sum] = "d2e90ea486d90b4ebe5eb02d7ad349ad2916c12a8981f98553395ef78d22a8ec" - -S = "${WORKDIR}/phpMyAdmin-${PV}-all-languages" - -inherit allarch - -do_install() { - install -d ${D}${datadir}/${BPN} - cp -R --no-dereference --preserve=mode,links -v * ${D}${datadir}/${BPN} - chown -R root:root ${D}${datadir}/${BPN} - # Don't install patches to target - rm -rf ${D}${datadir}/${BPN}/patches - - install -d ${D}${sysconfdir}/apache2/conf.d - install -m 0644 ${WORKDIR}/apache.conf ${D}${sysconfdir}/apache2/conf.d/phpmyadmin.conf - - # Remove a few scripts that explicitly require bash (!) - rm -f ${D}${datadir}/phpmyadmin/libraries/transformations/*.sh -} - -FILES_${PN} = "${datadir}/${BPN} \ - ${sysconfdir}/apache2/conf.d" - -RDEPENDS_${PN} += "bash" diff --git a/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.6.3.bb b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.6.3.bb new file mode 100644 index 0000000000..61872ae095 --- /dev/null +++ b/meta-webserver/recipes-php/phpmyadmin/phpmyadmin_4.6.3.bb @@ -0,0 +1,36 @@ +SUMMARY = "Web-based MySQL administration interface" +HOMEPAGE = "http://www.phpmyadmin.net" +# Main code is GPLv2, libraries/tcpdf is under LGPLv3, js/jquery is under MIT +LICENSE = "GPLv2 & LGPLv3 & MIT" +LIC_FILES_CHKSUM = "file://LICENSE;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ + file://libraries/tcpdf/LICENSE.TXT;md5=5c87b66a5358ebcc495b03e0afcd342c" + +SRC_URI = "https://files.phpmyadmin.net/phpMyAdmin/${PV}/phpMyAdmin-${PV}-all-languages.tar.xz \ + file://apache.conf \ +" + +SRC_URI[md5sum] = "53c7a6a577d10de04a5dd21a05018542" +SRC_URI[sha256sum] = "943bad38a95f21bb015bdb78c9c067e0ea7510c1b35d4b8e757cb89c413e3bac" + +S = "${WORKDIR}/phpMyAdmin-${PV}-all-languages" + +inherit allarch + +do_install() { + install -d ${D}${datadir}/${BPN} + cp -R --no-dereference --preserve=mode,links -v * ${D}${datadir}/${BPN} + chown -R root:root ${D}${datadir}/${BPN} + # Don't install patches to target + rm -rf ${D}${datadir}/${BPN}/patches + + install -d ${D}${sysconfdir}/apache2/conf.d + install -m 0644 ${WORKDIR}/apache.conf ${D}${sysconfdir}/apache2/conf.d/phpmyadmin.conf + + # Remove a few scripts that explicitly require bash (!) + rm -f ${D}${datadir}/phpmyadmin/libraries/transformations/*.sh +} + +FILES_${PN} = "${datadir}/${BPN} \ + ${sysconfdir}/apache2/conf.d" + +RDEPENDS_${PN} += "bash" -- cgit 1.2.3-korg