[security] Upgrade phpMyAdmin to 2.11.9.6

stephen-smith wrote on Tuesday, April 20, 2010:

Looking at my checkout from CVS HEAD yesterday, OpenEMR is embedding phpMyAdmin 2.11.9.5.  Looking at my git clone from yesterday, the latest release of phpMyAdmin 2.x is 2.11.9.6.  I checked the git log between those versions and found that a security patch was applied around 2009-10-12.  It didn’t get much news, but it evidently fixes some cross-site scripting and SQL injection vulnerabilities in phpMyAdmin 2.11.9.5.

It would be nice if OpenEMR could bump the embedded phpMyAdmin version to at least 2.11.9.6 for the next release or even prepare a patch bundle that addresses the issue.  I can easily prepare a patch, but I believe you are using CVS tags to help automate tracking of phpMyAdmin, so it might be better if someone with a CVS commit bit does the upgrade.

I tried to open a bug, but I didn’t have the correct permissions, evidently.

bradymiller wrote on Wednesday, April 21, 2010:

hey,

For the bug report, possibly you weren’t logged in (we don’t allow bug reports from anonymous users). Try again; if still having problems even while logged in, then let us know.

phpmyadmin is now at version 2.11.10; would be nice to update it. Here are details of a relatively recent phpmyadmin upgrade:
http://www.openmedsoftware.org/wiki/PhpMyAdmin
So will be more advantageous to utilize the cvs tags and upgrade it with cvs import/merge commands. Good idea to log this request into the bug tracker; at some point need to also fix a session bug with openemr/phpmyadmin anyways.

-brady

stephen-smith wrote on Wednesday, April 21, 2010:

Issue 2990552 filed in the bug tracker.

bradymiller wrote on Thursday, April 22, 2010:

hey,
deed is done. upgraded development tip to phpmyadmin 2.11.10.
Will show up in cvs demo this am (4.0.x):
http://www.openmedsoftware.org/wiki/Main_Page#Development_Demos
-brady

stephen-smith wrote on Thursday, April 22, 2010:

Thanks for the quick fix!