Debian Security Advisory DSA 1207-2 (phpmyadmin)

The remote host is missing an update to phpmyadmin announced via advisory DSA 1207-2. The phpmyadmin update in DSA 1207 introduced a regression. This update corrects this flaw. For completeness, the original advisory text below: Several remote vulnerabilities have been discovered in phpMyAdmin, a program to administrate MySQL over the web. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2005-3621 CRLF injection vulnerability allows remote attackers to conduct HTTP response splitting attacks. CVE-2005-3665 Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML via the (1) HTTP_HOST variable and (2) various scripts in the libraries directory that handle header generation. CVE-2006-1678 Multiple cross-site scripting (XSS) vulnerabilities allow remote attackers to inject arbitrary web script or HTML via scripts in the themes directory. CVE-2006-2418 A cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via the db parameter of footer.inc.php. CVE-2006-5116 A remote attacker could overwrite internal variables through the _FILES global variable.

For the stable distribution (sarge) these problems have been fixed in version 2.6.2-3sarge3. For the upcoming stable release (etch) and unstable distribution (sid) these problems have been fixed in version 2.9.0.3-1. We recommend that you upgrade your phpmyadmin package. https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201207-2