thijs at alioth.debian.org
2008-Mar-29 15:49 UTC
[Secure-testing-commits] r8443 - data/CVE
Author: thijs Date: 2008-03-29 15:49:44 +0000 (Sat, 29 Mar 2008) New Revision: 8443 Modified: data/CVE/list Log: rewrite to be hopefully more clear Modified: data/CVE/list ==================================================================--- data/CVE/list 2008-03-29 15:44:18 UTC (rev 8442) +++ data/CVE/list 2008-03-29 15:49:44 UTC (rev 8443) @@ -1,10 +1,10 @@ CVE-2008-XXXX [phpMyAdmin sensitive data in session PMASA-2008-2] - phpmyadmin 2.11.5.1 (unimportant) NOTE: http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2008-2 - NOTE: I can see no way to actively exploit this unless the host is very - NOTE: insecure anyway (not a Debian supported configuration), plus on a - NOTE: shared host of that setup you can read the same data from the config - NOTE: if you''d like. Flagging as non-issue. + NOTE: It is a workaround for the limited security that PHP has for + NOTE: session files on a shared host. This limitation is documented with + NOTE: PHP, warned against and not a specific vulnerability in phpMyAdmin. + NOTE: I hence consider it a security enhancement/feature, not a vulnerability. CVE-2008-1530 [gnupg key import memory corruption] - gnupg <not-affected> (Only 1.4.8 is affected) TODO: Verify that the next maintainer upload uses 1.4.9 directly
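Review bot: In the first added NOTE line, "It" has no antecedent inside the entry, so a reader cannot tell whether the workaround is the upstream change tracked by PMASA-2008-2 or the reported behaviour itself. Name the subject explicitly, for example "NOTE: The upstream change is a workaround for the limited security that PHP has for". The rewrite also drops the removed note's concrete observation that on such a shared host the same data can be read from the config, which was the practical justification for the (unimportant) tag. Keeping one line of that would let the entry explain its own severity. In the third added NOTE line, "warned against" reads more clearly with its object stated, that is, storing session files on a shared host.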