Update: ubuntu patched this issue a couple of days after this post. If you’re reading, thanks guys! You just made my job a lot easier 🙂
At some point, I might try to look at helping maintain this, and other packages like it in the ubuntu archive. No idea how, though a colleague may be able to help…
The versions of phpmyadmin in ubuntu (at least Dapper – Intrepid) are susceptible to arbitrary code execution, as the web-server’s user. A bug1 was reported on the 15th of June about this issue, and marked as high priority on the 21st.
The phpmyadmin team patched this problem in their software on May the 24th. 2
Debian patched this in their system on the 25th of June.
I tried talking to people on #ubuntu-security about this problem. They said “motu” and “we’re not interested, its in universe”. I tried talking to people in #motu, and they talked about work-arounds.
The main questions now are:
- Please can someone work on the bug?
- Why did it take so long between upstream report and launchpad report?
- Why has the bug been left to the point where it is getting automatically exploited, en-masse? 3