• Bug#1102399: bookworm-pu: package phpmyadmin/4:5.2.1+dfsg-1+deb12u1

    From Adrian Bunk@21:1/5 to All on Tue Apr 8 18:00:02 2025
    XPost: linux.debian.devel.release

    This is a multi-part MIME message sent by reportbug.


    Package: release.debian.org
    Severity: normal
    Tags: bookworm
    User: release.debian.org@packages.debian.org
    Usertags: pu
    X-Debbugs-Cc: phpMyAdmin Packaging Team <team+phpmyadmin@tracker.debian.org>, security@debian.org

    * CVE-2025-24529: XSS on Insert page
    * CVE-2025-24530: XSS when checking tables


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Jonathan Wiltshire@21:1/5 to All on Mon Apr 14 22:10:01 2025
    XPost: linux.debian.devel.release

    package release.debian.org
    tags 1102399 = bookworm pending
    thanks

    Hi,

    The upload referenced by this bug report has been flagged for acceptance into the proposed-updates queue for Debian bookworm.

    Thanks for your contribution!

    Upload details
    ==============

    Package: phpmyadmin
    Version: 5.2.1+dfsg-1+deb12u1

    Explanation: fix XSS vulnerabilities [CVE-2025-24529 CVE-2025-24530]
