Security fix: phpMyAdmin 4.7.8 is released

  • 2018-02-20
    Welcome to phpMyAdmin 4.7.8, a security release also containing regular maintenance bug fixes.
    The security fix relates to a self-XSS vulnerability in the central columns feature that is reported as PMASA-2018-1 https://www.phpmyadmin.net/security/PMASA-2018-1/. Thanks to Mayur Udiniya https://www.linkedin.com/in/mayur-udiniya-09247b129/ for finding and responsibly disclosing this flaw.
    We recommend all users upgrade to resolve this security problem.
    A complete list of new features and bugs that have been fixed is available in the ChangeLog file or changelog.php included with this release.
    Notable changes since 4.7.7:

    • Fixed error handling with PHP 7.2
    • Fixed resetting default setting values
    • Fixed fallback value for collation connection

    Additionally, there have been continuous improvements to many of the translations. If you don't see your language or find a problem, you can contribute too; see https://www.phpmyadmin.net/translate/ for details.
    As always, downloads are available at https://www.phpmyadmin.net
    Thanks to our sponsors for helping to make this work possible!
    The phpMyAdmin Team

    my System :

    - Distribution: Debian | Release: 9.13 | Codename: wheezy
    - i-MSCP Version: i-MSCP 1.5.3| Build: 20181208 | Codename: Ennio Morricone
    - Plugins installed: ClamAV (v. 1.3.0), Mailgraph (v 1.1.1), OpenDKIM (v 2.0.0), SpamAssassin (v 2.0.1)
    - LetsEncrypt (v3.3.0), PhpSwitcher (v 5.0.5), RoundcubePlugins (v 2.0.2)YubiKeyAuth 1.1.0

  • Security fix: phpMyAdmin 4.8.3 is released

    2018-08-22

    The phpMyAdmin team is pleased to announce the release of phpMyAdmin version 4.8.2. Among other bug fixes, this contains a security fix for an issue that can be exploited when importing files.

    A flaw was discovered with how warning messages are displayed while importing a file. This attack requires a specially-crafted file but can allow an attacker to trick the user into executing a cross-site scripting (XSS) attack. We recommend updating immediately to mitigate this attack.

    In addition to the security fixes, this release also includes these bug fixes and more as part of our regular release cycle:

    • An error where a database is named 0
    • Fix for NULL as default not being shown
    • Fix for recent tables list
    • Fix for slow performance with table filtering
    • Two-factor authentication (2FA) fails if the GD PHP library is missing
    • Event scheduler toggle does not work
    • ERR_BLOCKED_BY_XSS_AUDITOR error when exporting a table
    • PHP 7.3 warning: "continue" in "switch" is equal to "break"

    And several more. Complete notes are in the ChangeLog file included with this release.

    As always, downloads are available at https://www.phpmyadmin.net/downloads/


  • Security fix: phpMyAdmin 4.8.5 is released

    2019-01-26

    The phpMyAdmin team announces the release of phpMyAdmin version 4.8.5. Among other bug fixes, this contains several important security fixes. Upgrading is highly recommended for all users.

    The security fixes involve:

    The arbitrary file read vulnerability could also be exploited to delete arbitrary files on the server. This attack requires that phpMyAdmin be run with the $cfg['AllowArbitraryServer'] directive set to true, which is not the default. An attacker must run a malicious server process that will masquerade as a MySQL server. This exploit has been found and fixed recently in several other related projects and appears to be caused by a bug in PHP (https://bugs.php.net/bug.php?id=77496).

    In addition to the security fixes, this release also includes these bug fixes and more as part of our regular release cycle:

    • Export to SQL format not available
    • QR code not shown when adding two-factor authentication to a user account
    • Issue with adding a new user in MySQL 8.0.11 and newer
    • Frozen interface relating to Text_Plain_Sql plugin
    • Table level Operations tab was missing

    And several more. Complete notes are in the ChangeLog file included with this release.

    As always, downloads are available at https://www.phpmyadmin.net/downloads/

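The precondition described in the 4.8.5 announcement above, as an added example that is not part of the original posts or phpMyAdmin's own code: a Python check that takes the text of a config.inc.php and a version string and reports whether the install meets the stated conditions (`$cfg['AllowArbitraryServer']` enabled, version older than 4.8.5). The sample config, the function names and the result labels are constructed for illustration.

```python
import re

FIXED_IN = (4, 8, 5)  # release named on this page as carrying the fix
DIRECTIVE = re.compile(
    r"""\$cfg\[\s*['"]AllowArbitraryServer['"]\s*\]\s*=\s*([^;]+);""")

# Constructed sample config.inc.php, not taken from a real installation.
SAMPLE_CONFIG = """<?php
$cfg['blowfish_secret'] = 'constructed-placeholder';
// $cfg['AllowArbitraryServer'] = false;
/* $cfg['AllowArbitraryServer'] = false; */
$cfg['AllowArbitraryServer'] = TRUE; # enabled for a migration
"""

def strip_php_comments(text):
    """Drop /* */ blocks and //, # line comments (string contents are not parsed)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(?m)(^|[ \t])(//|#).*$", "", text)

def allow_arbitrary_server(config_text):
    """Return the effective setting; the last active assignment wins."""
    values = DIRECTIVE.findall(strip_php_comments(config_text))
    if not values:
        return False  # the page states that true is not the default
    return values[-1].strip().lower() in ("true", "1")

def parse_version(version):
    """Turn '4.8.3' into (4, 8, 3) so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])

def audit(config_text, version):
    """Classify an install against the conditions in the 4.8.5 announcement."""
    enabled = allow_arbitrary_server(config_text)
    patched = parse_version(version) >= FIXED_IN
    if enabled and not patched:
        return "EXPOSED"   # both stated conditions hold
    if not patched:
        return "UPGRADE"   # directive off, but release predates the fix
    # Label chosen for this example: patched, directive still non-default.
    return "REVIEW" if enabled else "OK"

if __name__ == "__main__":
    for v in ("4.7.8", "4.8.3", "4.8.5"):
        print(v, audit(SAMPLE_CONFIG, v))
```
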

  • This is already the version which will be available for next i-MSCP maintenance version.

    Can we just overwrite the files with the files from the archive?

    You can as long as you know what you're doing. You should just save and restore the config file and set the gui permissions once done: perl /var/www/imscp/engine/setup/set-gui-permissions.pl -dv


    Note that the PhpMyAdmin 4.8.5 version will be available in next maintenance release.
