Security fixes:
CVE-2018-15605: An issue was discovered in phpMyAdmin before 4.8.3. A
Cross-Site Scripting vulnerability has been found where an attacker can
use a crafted file to manipulate an authenticated user who loads that
file through the import feature.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
phpmyadmin install some bin list below that depend on interpreter php,
without rdepend, will report "Not found the interpreter php"
/usr/share/phpmyadmin/vendor/phpmyadmin/sql-parser/bin/lint-query
/usr/share/phpmyadmin/vendor/phpmyadmin/sql-parser/bin/tokenize-query
/usr/share/phpmyadmin/vendor/phpmyadmin/sql-parser/bin/highlight-query
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
fixes:
checking Check for supported PHP versions... configure: error: not supported. Need a PHP version >= 5.5.0 and < 7.2.0 (found 7.2.4)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Changed in V4:
Add the tag: meta-oe
1. Different version php have different libphp*.so, so we need to install its
corresponding libphp*.so, for example:
php-7.1.0 libphp7.so
php-5.6.26 libphp5.so
2. Fix php-5.6.26 compiling errors:
ld: TSRM/.libs/TSRM.o: undefined reference to symbol
'pthread_sigmask@@GLIBC_2.2.5'
error adding symbols: DSO missing from command line
3. Create a configure script like 70_mod_php5, we name it 70_mod_php7, this
file connect the php7 and the apache2, so they work together to let the
LAMP works correctly.
Signed-off-by: Dengke Du <dengke.du@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
* based on discussion in pndeprecated thread:
https://patchwork.openembedded.org/patch/137573/
update the messages to warn possible users that the
recipe will be removed before the end of the next development
cycle (before Yocto 2.4 is released).
* updated with:
sed -i 's/^\(PNBLACKLIST.*".*\)"/\1 - the recipe will be removed on 2017-09-01 unless the issue is fixed"/g' `git grep PNBLACKLIST | sed 's/:.*//g' | sort -u | xargs`
* then noticed couple recipes being blacklisted only based on
DISTRO_FEATURES, so removed those:
meta-networking/recipes-support/lksctp-tools/lksctp-tools_1.0.17.bb
meta-oe/recipes-connectivity/bluez/bluez-hcidump_2.5.bb
meta-oe/recipes-connectivity/bluez/bluez4_4.101.bb
meta-oe/recipes-connectivity/bluez/gst-plugin-bluetooth_4.101.bb
meta-oe/recipes-navigation/foxtrotgps/foxtrotgps_1.1.1.bb
meta-oe/recipes-navigation/gypsy/gypsy.inc
meta-oe/recipes-navigation/navit/navit.inc
meta-oe/recipes-support/opensync/libsyncml_0.5.4.bb
* if it isn't fixed by this date, it's fair game to be removed
whenever someone gets around to i
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
* Compatible with PHP 5.5 to 7.0 and MySQL 5.5 and newer.
* Release notes: http://www.phpmyadmin.net/files/4.6.3/
* Drop two CVE patches which have been fixed:
CVE-2015-7873 and CVE-2015-8669
* Use PV in SRC_URI instead of hardcoded version number.
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
libraries/config/messages.inc.php in phpMyAdmin 4.0.x before 4.0.10.12,
4.4.x before 4.4.15.2, and 4.5.x before 4.5.3.1 allows remote attackers
to obtain sensitive information via a crafted request, which reveals
the full path in an error message.
This patch is from c4d649325b
Signed-off-by: Jian Liu <jian.liu@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
The redirection feature in url.php in phpMyAdmin 4.4.x before 4.4.15.1
and 4.5.x before 4.5.1 allows remote attackers to spoof content via the
url parameter.
Backport upstream commit to fix it:
cd09765675
Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Upgrade phpmyadmin from 4.4.9 to 4.5.0.2 and SRC_URI is updated.
Accoring to release note, there is NO API changes for 4.5.0.x serial. So
upgrade to 4.5.0.2 rather than 4.4.15 which will only support for
security fixes only.
And license file has some text update. See:
9d080a482f
Change files owner to fix [host-user-contaminated] warnings.
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x before
4.0.10.4, 4.1.x before 4.1.14.5, and 4.2.x before 4.2.9.1 allow remote
authenticated users to inject arbitrary web script or HTML via a crafted ENUM
value that is improperly handled during rendering of the (1) table search or (2)
table structure page, related to
libraries/TableSearch.class.php and libraries/Util.class.php.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7217
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Cross-site scripting (XSS) vulnerability in the view operations page in
phpMyAdmin 4.1.x before 4.1.14.3 and 4.2.x before 4.2.7.1 allows remote
authenticated users to inject arbitrary web script or HTML via a crafted
view name, related to js/functions.js.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5274
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 4.0.x
before 4.0.10.2, 4.1.x before 4.1.14.3, and 4.2.x before 4.2.7.1 allow
remote authenticated users to inject arbitrary web script or HTML via the
(1) browse table page, related to js/sql.js; (2) ENUM editor page, related
to js/functions.js; (3) monitor page, related to js/server_status_monitor.js;
(4) query charts page, related to js/tbl_chart.js; or (5) table relations
page, related to libraries/tbl_relation.lib.php.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5273
Signed-off-by: Roy Li <rongqing.li@windriver.com>
Multiple buffer overflows in the php_parserr function in
ext/standard/dns.c in PHP before 5.4.32 and 5.5.x before 5.5.16 allow
remote DNS servers to cause a denial of service (application crash) or
possibly execute arbitrary code via a crafted DNS record, related to the
dns_get_record function and the dn_expand function. NOTE: this issue
exists because of an incomplete fix for CVE-2014-4049.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3597
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Integer overflow in the cdf_read_property_info function in cdf.c in file
through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and
5.5.x before 5.5.16, allows remote attackers to cause a denial of
service (application crash) via a crafted CDF file. NOTE: this
vulnerability exists because of an incomplete fix for CVE-2012-1571.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3587
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
gd_ctx.c in the GD component in PHP 5.4.x before 5.4.32 and 5.5.x before
5.5.16 does not ensure that pathnames lack %00 sequences, which might
allow remote attackers to overwrite arbitrary files via crafted input to
an application that calls the (1) imagegd, (2) imagegd2, (3) imagegif,
(4) imagejpeg, (5) imagepng, (6) imagewbmp, or (7) imagewebp function.
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5120
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Bashism:
possible bashism in plugins/transformations/generator_plugin.sh line 16 (echo -e):
echo -e "Usage: ./generator_plugin.sh MIMEType MIMESubtype TransformationName [Description]\n"
possible bashism in plugins/transformations/generator_plugin.sh line 28 (${parm,[,][pat]} or ${parm^[^][pat]}):
MT="${MT^}"
possible bashism in plugins/transformations/generator_plugin.sh line 29 (${parm,[,][pat]} or ${parm^[^][pat]}):
MS="${MS^}"
possible bashism in plugins/transformations/generator_plugin.sh line 30 (${parm,[,][pat]} or ${parm^[^][pat]}):
TN="${TN^}"
possible bashism in plugins/transformations/generator_plugin.sh line 51 (should be 'b = a'):
if [ "$4" == "--generate_only_main_class" ]; then
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
