Fedora Update Notification
2022-02-02 01:14:21.980437

Name        : phpMyAdmin
Product     : Fedora 34
Version     : 5.1.2
Release     : 1.fc34
URL         : https://www.phpmyadmin.net/
Summary     : A web interface for MySQL and MariaDB
Description :
phpMyAdmin is a tool written in PHP intended to handle the administration of
MySQL over the Web. Currently it can create and drop databases,
create/drop/alter tables, delete/edit/add fields, execute any SQL statement,
manage keys on fields, manage privileges, export data into various formats and
is available in 50 languages.

Update Information:

**Version 5.1.2**

A flaw was identified in how phpMyAdmin processes two factor authentication; a
user could potentially manipulate their account to bypass two factor
authentication in subsequent authentication sessions (**PMASA-2022-1**).

A series of weaknesses was identified allowing a malicious user to submit
malicious information to present an XSS or HTML injection attack in the
graphical setup page (**PMASA-2022-2**).

----

Changelog:

- issue Replaced MySQL documentation redirected links
- issue #16960 Fix JS error on Designer visual builder on some modal buttons
- issue Re-build openlayers JS dependency from the source files and provide a smaller JS bundle
- issue Fixed imports and theme detection depending on the current working dir
- issue Update JavaScript dependencies
- issue #16935 Remove hardcoded row length for "$cfg['CharTextareaRows']" to allow back values < 7
- issue #16977 Fix encoding of enum and set values on edit value
- issue Fix set value as selected when it has special chars on edit value enum
- issue #16896 Fix distinct URLs broken on nullable text fields
- issue Fixed two possible PHP errors using INT data
- issue Fixed possible warning "Undefined index: output_format" on export
- issue Fixed warning "Undefined index: ods_recognize_percentages" on Import ODS
- issue Fixed warning "Undefined array key "ods_recognize_currency"" on Import ODS
- issue #16982 Fixed "Notice: Undefined index: foreign_keys_data" on Designer remove relation
- issue Backquote phpMyAdmin table name on internal relation delete query for Designer
- issue #16982 Do not try to delete internal relations if they are not configured
- issue #16982 Show success messages on Designer for add and remove relation operations
- issue Fixed possible "Undefined index: clause_is_unique" on replace value in cell
- issue #16991 Fixed case where $_SERVER['REQUEST_METHOD'] is undefined
- issue Fixed configuration error handler registration
- issue #16997 Fixed server variables get/set value not working on multi server server > 1
- issue #16998 Fixed Multi table query submit on server > 1 logged out user
- issue #17000 Fixed Multi edit on central columns on server > 1 logged out user
- issue #17001 Fix PHP error on query submit without a table name on multi table query box
- issue #16999 Fixed multi table query results shows for 1 sec and then page refreshes
- issue Fixed a non translated button text on central columns add
- issue Fixed table width on Query by example page for large screens
- issue #16975 Fixed NULL default had a value on insert with datetime fields
- issue #16994 Fixed missing privilege escaping when assigning multiple databases with '_' to a user
- issue #16864 Fixed the margin on the last database of the tree on all themes when scrollbars are displayed
- issue #17011 Fixed the database tree line that was not continuous on database groups
- issue Build more syntax correct URLs on JS internal redirects
- issue #16976 Fix wrong link when a table is moved from a database to another
- issue #16985 Fix case-sensitive issue of innodb_file_format=barracuda vs innodb_file_format=Barracuda
- issue Fixed duplicate quote in navigation nodes
- issue #17006 Disable the URL limit for the MariaDB analyser feature
- issue Fix calls to fetchRow using two parameters but the function has only one parameter
- issue #17020 Fixed "Notice Undefined index: sql_query" on Insert page
- issue Fix reported "Undefined index: FirstDayOfCalendar"
- issue Fix reported "Undefined index: environment"
- issue Fix "TypeError: strlen() expects parameter 1 to be string, null given" on databases listing
- issue #16973 Fix "Undefined array key "n0_pos2_name"" on databases listing
- issue Use the correct min MySQL version for axis-order (8.0.1) instead of (8.0.11)
- issue Use the queries we asked the user confirmation for on DELETE and TRUNCATE table actions
- issue #16994 Fixed editing specific privileges for a database covered by a wildcard privilege
- issue #16994 Fixed escaping of the database name for databases containing '_' on users edit
- issue #16994 Only escape once on grant/revoke privileges for databases containing '_' or '%'
- issue #16994 Only show databases without a privilege on multi select for user grant databases
- issue Removed unexpected query success message from the Table export page
- issue #17026 Handle possible invalid boolean values injected in SaveDir or UploadDir causing "TypeError: mb_substr()"
- issue #16981 Enable cookie parameter "SameSite" on "phpMyAdmin" cookie for PHP >= 7.3
- issue #16966 Encode "#" to have the anchor part of the destination URL on SQL highlight terms URLs
- issue #17004 Fix PHP errors due to removed variable "innodb_file_format" on MariaDB >= 10.6.0 and MySQL >= 8.0.0
- issue #16842 Fixed missing password modes on PerconaDB
- issue #16947 Fix "Change login information" form not working
- issue #17004 Fix Advisor for MariaDB >= 10.5 because of removed "innodb_log_files_in_group" variable
- issue #17037 Fix change structure does not surface errors
- issue #17016 Fixed online Transaction, errors not reported on structure edit
- issue #17042 Fix SQL escaping bug on DB name with special chars on submit query with rollback option
- issue #17027 Better handle the display of sorted binary columns in results summary
- issue #16398 Quote non numeric values on parameterized queries
- issue Fixed duplicate HTML escaping on foreign keys select value modal
- issue #15370 Fixed edit routine UI incorrectly removes too many escape slashes
- issue #14631 Fix enum with comma produces incorrect search dropdown on search pages
- issue Fix gis visualization position and limit parameters have no effect
- issue #16995 Fix edit binary foreign key adds a 1 to the value on the selected value
- issue #13614 Fixed escaping the database names when granting privileges on tables
- issue #11834 Fixed adding a new user on "privileges" tab of a table with a database name using a "_" character
- issue #17033 Fixed scaling of line width and point size in GIS visualization
- issue #17054 Removed "DEL" character from generated random strings for Blowfish secret auto-generated by setup
- issue #17019 Fixed "Browse" button visible when creating a table from the database structure view
- issue #16804 Fixed numbers were left-aligned rather than right-aligned
- issue Fixed Metro theme text color for buttons in the browse table navigation bar
- issue #14796 Fix export Database page, UI prevents from exporting procedures only
- issue #15225 Fix Command+click on macOS opens links in same tab
- issue #17014 Fix column names in first row when importing from CSV where the first line contains column names
- issue Fix prevent scrolling the page when scrolling in GIS visualization
- issue Fix GIS visualization save file with a different label or column
- issue Fixed GIS saving image as png with a label
- issue Fixed if label is just the number zero, it was treated as no label in the OpenLayers map
- issue #17039 Fix unable to have 2FA working with a "pmadb" config value != phpmyadmin
- issue #17079 Fixed missing spatial functions in Insert/Edit page
- issue Fixed broken docs link after a FK data type mismatch error
- issue Fix don't add multiple OpenLayers maps, remove listeners on dispose on GIS visualization
- issue #14502 Uncheck the "ignore" checkbox when the user chooses a value in the foreign key list on Insert page
- issue #14502 Uncheck the "ignore" checkbox when the user saves the GIS value on Insert page
- issue #17018 Fixed cannot save data from GIS editor for spatial column on Insert page
- issue #17084 Fixed ErrorHandler not showing errors when phpMyAdmin session does not work at all
- issue #17062 Fixed pagination issues when working with identically named tables in separate databases
- issue #17046 Fix "Uncaught TypeError: htmlspecialchars() expects parameter 1 to be string, null given"
- issue #16942 Fix table Import with CSV using LOAD DATA LOCAL causes error "LOAD DATA LOCAL INFILE is forbidden"
- issue #16942 Fix auto-detection for "LOAD DATA LOCAL INFILE" LOCAL option
- issue #16067 Make select elements with multiple items resizable
- issue Fix the display of Indexes that use Expressions and not column names
- issue Allow to create the phpMyAdmin storage database using a different name than "phpmyadmin" using the interface
- issue #17092 Document that "$cfg['Servers'][$i]['designer_coords']" was removed in version 4.3.0
- issue #16906 Support special table names for pmadb storage table names
- issue #16906 Fix a caching effect on the feature list after creating the tables
- issue #16906 Better report errors when creating the pmadb or its tables
- issue #16906 Create the pmadb tables using the names configured and not the default names
- issue #16906 Create the phpMyAdmin storage database using the configured "['pmadb']" name and not always "phpmyadmin"
- issue #16906 Prevent incorrect overriding of configured values after a pmadb fix
- issue #16906 Use the control connection to create the storage database and tables and not the user connection
- issue #16693 Fix can't see SQL after adding a new column
- issue #12753 Show table structure after adding a new column
- issue Fix a PHP notice when logging out
- issue #17090 Fix bbcode not rendered for error messages on setup
- issue #17198 Fix the database selection when the navigation tree is disabled
- issue #17228 Fixed copy to clipboard with NULL values gives non usable text
- issue #16746 Replace samyoul/u2f-php-server by code-lts/u2f-php-server
- issue #16005 Performance improvement on the Import and Export pages
- issue #17247 Fix triple HTML encoding
- issue #17259 Fix broken link in the Simulate DML query modal
- issue #16746 Update tcpdf dependency to ^6.4.4 for PHP 8.1 compatibility
- issue #16746 Update twig dependency to "^2.14.9 || ^3.3.5" for PHP 8.1 compatibility
- issue [security] Add configuration directive $cfg['Servers'][$i]['hide_connection_errors'] to allow hiding host names and other error details when login fails
- issue [security] Add configuration directive $cfg['URLQueryEncryption'] to allow encrypting sensitive information in the URL
- issue [security] Fix a scenario where an authenticated user can disable two factor authentication (PMASA-2022-1)
- issue [security] Fix XSS and HTML injection attacks in the graphical setup page (PMASA-2022-2)

----

Packaging changes:

* the package now provides all dependencies bundled.

* Sun Jan 23 2022 Remi Collet  - 5.1.2-1
- update to 5.1.2 (2022-01-22, security and bugfix release)
- always use bundled libraries
- fix Licence name
- add build dependency on json ext

  [ 1 ] Bug #2045578 - CVE-2022-23807 phpMyAdmin: two-factor authentication bypass
  [ 2 ] Bug #2045582 - CVE-2022-23808 phpMyAdmin: multiple XSS and HTML injection attacks in setup script

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2022-3544c7d20e' at the command
line. For more information, refer to the dnf documentation available at

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at