This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1] 2
1
Mod_Security / ModSecurity works on NGINX + PHP-FPM webserver ?
« on: June 16, 2020, 01:30:10 PM »
Hi,
ModSecurity works on NGINX + PHP-FPM webserver ?
Thanks in advance for the support.
ModSecurity works on NGINX + PHP-FPM webserver ?
Thanks in advance for the support.
2
Nginx / Update NGINX Stable v1.16.1 to latest NGINX Stable v1.18.0 for CWP & CWP PRO!
« on: May 10, 2020, 09:36:35 AM »
Hi,
First of all i wish to congratulate all the programmers of both CWP (Control Web Panel) and CWP (Control Web Panel) PRO for the excellent work they do and for the excellent product they have created, truly excellent from all points of view.
Congratulations also for the new and beautiful official website of CWP and CWP PRO https://control-webpanel.com/
Having said that, i ask you to consider from your next CWP (Control Web Panel) and CWP (Control Web Panel) PRO release, updating NGINX Stable v1.16.1 to the latest version of NGINX Stable v1.18.0 which was released on 21 April 2020.
This is the official announce and / or news link for NGINX Stable v1.18.0: http://nginx.org/
This is the official download link page for NGINX Stable v1.18.0: http://nginx.org/en/download.html
This is the official changelog link for NGINX Stable v1.18.0: http://nginx.org/en/CHANGES-1.18
Among the changes made to Nginx 1.18 that follow the numerous development versions of Nginx 1.17 for example and just to mention a few there are:
- Variables support in more directives.
- Security work including a CVE fix for where an HTTP/2 client might cause excessive memory consumption and CPU Usage.
- A fix where Nginx might hog the CPU in certain conditions, among many other bug fixes.
- OpenSSL 0.9.8 or higher is now required.
Full changelog for NGINX Stable v1.18.0 (all changes in this list are included in NGINX Stable v1.18.0) :
Changes with nginx 1.18.0 21 Apr 2020
*) 1.18.x stable branch.
Changes with nginx 1.17.10 14 Apr 2020
*) Feature: the "auth_delay" directive.
Changes with nginx 1.17.9 03 Mar 2020
*) Change: now nginx does not allow several "Host" request header lines.
*) Bugfix: nginx ignored additional "Transfer-Encoding" request header
lines.
*) Bugfix: socket leak when using HTTP/2.
*) Bugfix: a segmentation fault might occur in a worker process if OCSP
stapling was used.
*) Bugfix: in the ngx_http_mp4_module.
*) Bugfix: nginx used status code 494 instead of 400 if errors with code
494 were redirected with the "error_page" directive.
*) Bugfix: socket leak when using subrequests in the njs module and the
"aio" directive.
Changes with nginx 1.17.8 21 Jan 2020
*) Feature: variables support in the "grpc_pass" directive.
*) Bugfix: a timeout might occur while handling pipelined requests in an
SSL connection; the bug had appeared in 1.17.5.
*) Bugfix: in the "debug_points" directive when using HTTP/2.
Thanks to Daniil Bondarev.
Changes with nginx 1.17.7 24 Dec 2019
*) Bugfix: a segmentation fault might occur on start or during
reconfiguration if the "rewrite" directive with an empty replacement
string was used in the configuration.
*) Bugfix: a segmentation fault might occur in a worker process if the
"break" directive was used with the "alias" directive or with the
"proxy_pass" directive with a URI.
*) Bugfix: the "Location" response header line might contain garbage if
the request URI was rewritten to the one containing a null character.
*) Bugfix: requests with bodies were handled incorrectly when returning
redirections with the "error_page" directive; the bug had appeared in
0.7.12.
*) Bugfix: socket leak when using HTTP/2.
*) Bugfix: a timeout might occur while handling pipelined requests in an
SSL connection; the bug had appeared in 1.17.5.
*) Bugfix: in the ngx_http_dav_module.
Changes with nginx 1.17.6 19 Nov 2019
*) Feature: the $proxy_protocol_server_addr and
$proxy_protocol_server_port variables.
*) Feature: the "limit_conn_dry_run" directive.
*) Feature: the $limit_req_status and $limit_conn_status variables.
Changes with nginx 1.17.5 22 Oct 2019
*) Feature: now nginx uses ioctl(FIONREAD), if available, to avoid
reading from a fast connection for a long time.
*) Bugfix: incomplete escaped characters at the end of the request URI
were ignored.
*) Bugfix: "/." and "/.." at the end of the request URI were not
normalized.
*) Bugfix: in the "merge_slashes" directive.
*) Bugfix: in the "ignore_invalid_headers" directive.
Thanks to Alan Kemp.
*) Bugfix: nginx could not be built with MinGW-w64 gcc 8.1 or newer.
Changes with nginx 1.17.4 24 Sep 2019
*) Change: better detection of incorrect client behavior in HTTP/2.
*) Change: in handling of not fully read client request body when
returning errors in HTTP/2.
*) Bugfix: the "worker_shutdown_timeout" directive might not work when
using HTTP/2.
*) Bugfix: a segmentation fault might occur in a worker process when
using HTTP/2 and the "proxy_request_buffering" directive.
*) Bugfix: the ECONNABORTED error log level was "crit" instead of
"error" on Windows when using SSL.
*) Bugfix: nginx ignored extra data when using chunked transfer
encoding.
*) Bugfix: nginx always returned the 500 error if the "return" directive
was used and an error occurred during reading client request body.
*) Bugfix: in memory allocation error handling.
Changes with nginx 1.17.3 13 Aug 2019
*) Security: when using HTTP/2 a client might cause excessive memory
consumption and CPU usage (CVE-2019-9511, CVE-2019-9513,
CVE-2019-9516).
*) Bugfix: "zero size buf" alerts might appear in logs when using
gzipping; the bug had appeared in 1.17.2.
*) Bugfix: a segmentation fault might occur in a worker process if the
"resolver" directive was used in SMTP proxy.
Changes with nginx 1.17.2 23 Jul 2019
*) Change: minimum supported zlib version is 1.2.0.4.
Thanks to Ilya Leoshkevich.
*) Change: the $r->internal_redirect() embedded perl method now expects
escaped URIs.
*) Feature: it is now possible to switch to a named location using the
$r->internal_redirect() embedded perl method.
*) Bugfix: in error handling in embedded perl.
*) Bugfix: a segmentation fault might occur on start or during
reconfiguration if hash bucket size larger than 64 kilobytes was used
in the configuration.
*) Bugfix: nginx might hog CPU during unbuffered proxying and when
proxying WebSocket connections if the select, poll, or /dev/poll
methods were used.
*) Bugfix: in the ngx_http_xslt_filter_module.
*) Bugfix: in the ngx_http_ssi_filter_module.
Changes with nginx 1.17.1 25 Jun 2019
*) Feature: the "limit_req_dry_run" directive.
*) Feature: when using the "hash" directive inside the "upstream" block
an empty hash key now triggers round-robin balancing.
Thanks to Niklas Keller.
*) Bugfix: a segmentation fault might occur in a worker process if
caching was used along with the "image_filter" directive, and errors
with code 415 were redirected with the "error_page" directive; the
bug had appeared in 1.11.10.
*) Bugfix: a segmentation fault might occur in a worker process if
embedded perl was used; the bug had appeared in 1.7.3.
Changes with nginx 1.17.0 21 May 2019
*) Feature: variables support in the "limit_rate" and "limit_rate_after"
directives.
*) Feature: variables support in the "proxy_upload_rate" and
"proxy_download_rate" directives in the stream module.
*) Change: minimum supported OpenSSL version is 0.9.8.
*) Change: now the postpone filter is always built.
*) Bugfix: the "include" directive did not work inside the "if" and
"limit_except" blocks.
*) Bugfix: in byte ranges processing.
I know you are always very busy developing CWP but i hope you can consider this suggestion of mine which i believe would be appreciated by all users of CWP (Control Web Panel) and CWP (Control Web Panel) PRO !
Thanks in advance for the support.
First of all i wish to congratulate all the programmers of both CWP (Control Web Panel) and CWP (Control Web Panel) PRO for the excellent work they do and for the excellent product they have created, truly excellent from all points of view.
Congratulations also for the new and beautiful official website of CWP and CWP PRO https://control-webpanel.com/
Having said that, i ask you to consider from your next CWP (Control Web Panel) and CWP (Control Web Panel) PRO release, updating NGINX Stable v1.16.1 to the latest version of NGINX Stable v1.18.0 which was released on 21 April 2020.
This is the official announce and / or news link for NGINX Stable v1.18.0: http://nginx.org/
This is the official download link page for NGINX Stable v1.18.0: http://nginx.org/en/download.html
This is the official changelog link for NGINX Stable v1.18.0: http://nginx.org/en/CHANGES-1.18
Among the changes made to Nginx 1.18 that follow the numerous development versions of Nginx 1.17 for example and just to mention a few there are:
- Variables support in more directives.
- Security work including a CVE fix for where an HTTP/2 client might cause excessive memory consumption and CPU Usage.
- A fix where Nginx might hog the CPU in certain conditions, among many other bug fixes.
- OpenSSL 0.9.8 or higher is now required.
Full changelog for NGINX Stable v1.18.0 (all changes in this list are included in NGINX Stable v1.18.0) :
Changes with nginx 1.18.0 21 Apr 2020
*) 1.18.x stable branch.
Changes with nginx 1.17.10 14 Apr 2020
*) Feature: the "auth_delay" directive.
Changes with nginx 1.17.9 03 Mar 2020
*) Change: now nginx does not allow several "Host" request header lines.
*) Bugfix: nginx ignored additional "Transfer-Encoding" request header
lines.
*) Bugfix: socket leak when using HTTP/2.
*) Bugfix: a segmentation fault might occur in a worker process if OCSP
stapling was used.
*) Bugfix: in the ngx_http_mp4_module.
*) Bugfix: nginx used status code 494 instead of 400 if errors with code
494 were redirected with the "error_page" directive.
*) Bugfix: socket leak when using subrequests in the njs module and the
"aio" directive.
Changes with nginx 1.17.8 21 Jan 2020
*) Feature: variables support in the "grpc_pass" directive.
*) Bugfix: a timeout might occur while handling pipelined requests in an
SSL connection; the bug had appeared in 1.17.5.
*) Bugfix: in the "debug_points" directive when using HTTP/2.
Thanks to Daniil Bondarev.
Changes with nginx 1.17.7 24 Dec 2019
*) Bugfix: a segmentation fault might occur on start or during
reconfiguration if the "rewrite" directive with an empty replacement
string was used in the configuration.
*) Bugfix: a segmentation fault might occur in a worker process if the
"break" directive was used with the "alias" directive or with the
"proxy_pass" directive with a URI.
*) Bugfix: the "Location" response header line might contain garbage if
the request URI was rewritten to the one containing a null character.
*) Bugfix: requests with bodies were handled incorrectly when returning
redirections with the "error_page" directive; the bug had appeared in
0.7.12.
*) Bugfix: socket leak when using HTTP/2.
*) Bugfix: a timeout might occur while handling pipelined requests in an
SSL connection; the bug had appeared in 1.17.5.
*) Bugfix: in the ngx_http_dav_module.
Changes with nginx 1.17.6 19 Nov 2019
*) Feature: the $proxy_protocol_server_addr and
$proxy_protocol_server_port variables.
*) Feature: the "limit_conn_dry_run" directive.
*) Feature: the $limit_req_status and $limit_conn_status variables.
Changes with nginx 1.17.5 22 Oct 2019
*) Feature: now nginx uses ioctl(FIONREAD), if available, to avoid
reading from a fast connection for a long time.
*) Bugfix: incomplete escaped characters at the end of the request URI
were ignored.
*) Bugfix: "/." and "/.." at the end of the request URI were not
normalized.
*) Bugfix: in the "merge_slashes" directive.
*) Bugfix: in the "ignore_invalid_headers" directive.
Thanks to Alan Kemp.
*) Bugfix: nginx could not be built with MinGW-w64 gcc 8.1 or newer.
Changes with nginx 1.17.4 24 Sep 2019
*) Change: better detection of incorrect client behavior in HTTP/2.
*) Change: in handling of not fully read client request body when
returning errors in HTTP/2.
*) Bugfix: the "worker_shutdown_timeout" directive might not work when
using HTTP/2.
*) Bugfix: a segmentation fault might occur in a worker process when
using HTTP/2 and the "proxy_request_buffering" directive.
*) Bugfix: the ECONNABORTED error log level was "crit" instead of
"error" on Windows when using SSL.
*) Bugfix: nginx ignored extra data when using chunked transfer
encoding.
*) Bugfix: nginx always returned the 500 error if the "return" directive
was used and an error occurred during reading client request body.
*) Bugfix: in memory allocation error handling.
Changes with nginx 1.17.3 13 Aug 2019
*) Security: when using HTTP/2 a client might cause excessive memory
consumption and CPU usage (CVE-2019-9511, CVE-2019-9513,
CVE-2019-9516).
*) Bugfix: "zero size buf" alerts might appear in logs when using
gzipping; the bug had appeared in 1.17.2.
*) Bugfix: a segmentation fault might occur in a worker process if the
"resolver" directive was used in SMTP proxy.
Changes with nginx 1.17.2 23 Jul 2019
*) Change: minimum supported zlib version is 1.2.0.4.
Thanks to Ilya Leoshkevich.
*) Change: the $r->internal_redirect() embedded perl method now expects
escaped URIs.
*) Feature: it is now possible to switch to a named location using the
$r->internal_redirect() embedded perl method.
*) Bugfix: in error handling in embedded perl.
*) Bugfix: a segmentation fault might occur on start or during
reconfiguration if hash bucket size larger than 64 kilobytes was used
in the configuration.
*) Bugfix: nginx might hog CPU during unbuffered proxying and when
proxying WebSocket connections if the select, poll, or /dev/poll
methods were used.
*) Bugfix: in the ngx_http_xslt_filter_module.
*) Bugfix: in the ngx_http_ssi_filter_module.
Changes with nginx 1.17.1 25 Jun 2019
*) Feature: the "limit_req_dry_run" directive.
*) Feature: when using the "hash" directive inside the "upstream" block
an empty hash key now triggers round-robin balancing.
Thanks to Niklas Keller.
*) Bugfix: a segmentation fault might occur in a worker process if
caching was used along with the "image_filter" directive, and errors
with code 415 were redirected with the "error_page" directive; the
bug had appeared in 1.11.10.
*) Bugfix: a segmentation fault might occur in a worker process if
embedded perl was used; the bug had appeared in 1.7.3.
Changes with nginx 1.17.0 21 May 2019
*) Feature: variables support in the "limit_rate" and "limit_rate_after"
directives.
*) Feature: variables support in the "proxy_upload_rate" and
"proxy_download_rate" directives in the stream module.
*) Change: minimum supported OpenSSL version is 0.9.8.
*) Change: now the postpone filter is always built.
*) Bugfix: the "include" directive did not work inside the "if" and
"limit_except" blocks.
*) Bugfix: in byte ranges processing.
I know you are always very busy developing CWP but i hope you can consider this suggestion of mine which i believe would be appreciated by all users of CWP (Control Web Panel) and CWP (Control Web Panel) PRO !
Thanks in advance for the support.
3
New Modules / [BUG - ERROR] Two Factor Authorization Mod - CWP_2FA by "rcschaff"
« on: May 02, 2020, 02:09:19 PM »Quote from: rcschaff link=topic=8348.0
...
Quote from: rcschaff link=topic=8239.0
...
Hi "rcschaff"
First of all i want to congratulate you for the excellent work done by "rcschaff".
I did the installation following the official guide provided by "rcschaff" at this link:
https://www.youtube.com/watch?v=Uc9pglbZo6I
I have done all the steps correctly:
1 - Open firewall port number 2304 TCP/IN and TCP/OUT for IPv4 and IPv6
2 - Correctly created CWP PRO Api access management key with correct options:
Flagged List > Account
Flagged List > Account Details
Flagged List > Domains and subdomains
3 - Installed module via ssh shell with this command officialy provided by "rcschaff" at this link https://github.com/rcschaff82/cwp_2fa
Code: [Select]
wget -O - https://github.com/rcschaff82/cwp_2fa/tarball/master | tar xz
Code: [Select]
cd rcschaff82-cwp_2fa-*
Code: [Select]
./install.sh
When prompted, i have put my API key.
Under CWP Admin Panel (Root user) menu > User Accounts > Features,Themes,Languages > Themes i have correctly activated the modified theme disallowed users to chenge the theme and flagged option "Hide theme change.
Having said that i have to report two bugs and / or errors:
Bug and / or Error:
Go to Menu: 2Factor Auth > Manage users
And have this bug and / or errors:
"Notice: Trying to get property 'msj' of non-object in /usr/local/cwpsrv/htdocs/resources/admin/modules/user2fa.php on line 19
Warning: Invalid argument supplied for foreach() in /usr/local/cwpsrv/htdocs/resources/admin/modules/user2fa.php on line 19
Notice: Undefined variable: userpost in /usr/local/cwpsrv/htdocs/resources/admin/modules/user2fa.php on line 62
Warning: Invalid argument supplied for foreach() in /usr/local/cwpsrv/htdocs/resources/admin/modules/user2fa.php on line 62"
The module works for two-factor authentication for Admin Control Panel (Root) but it does not work for the User Control Panel as once the password has been entered it continues to load continuously without ever displaying the field where the 2FA code can be entered.
Screenshot of bug and/or errors:
So i ask you to help me solve these problems.
In addition, i also ask you the courtesy of being able to post here the commands to be able to uninstall your module completely cleanly from the SSH shell if i need it.
I also remind all those who will read this post that if they wanted to do so they can donate to "rcschaff" for creating this very useful module.
If you would like to donate to the project, "rcschaff" accept donations at: https://paypal.me/rcschaff
Dear "rcschaff" thanks in advance for the support.
4
Updates / Update PHP-FPM and his selector to latest and stable PHP v7.3.17 for CWP PRO!
« on: April 20, 2020, 03:49:44 AM »
Hi,
First of all i wish to congratulate all the programmers of both CWP (Centos Web Panel) and CWP (Centos Web Panel) PRO for the excellent work they do and for the excellent product they have created, truly excellent from all points of view.
Congratulations also for the new and beautiful official website of CWP and CWP PRO https://control-webpanel.com/
Having said that, i ask you to consider from your next CWP (Centos Web Panel) PRO release,
updating PHP-FPM to the latest and stable version of PHP 7.3.17 which was released on 16 April, 2020.
I know you are always very busy developing CWP but i hope you can consider this suggestion of mine which i believe would be appreciated by all users of CWP (Centos Web Panel) PRO !
Thanks in advance for the support.
First of all i wish to congratulate all the programmers of both CWP (Centos Web Panel) and CWP (Centos Web Panel) PRO for the excellent work they do and for the excellent product they have created, truly excellent from all points of view.
Congratulations also for the new and beautiful official website of CWP and CWP PRO https://control-webpanel.com/
Having said that, i ask you to consider from your next CWP (Centos Web Panel) PRO release,
updating PHP-FPM to the latest and stable version of PHP 7.3.17 which was released on 16 April, 2020.
I know you are always very busy developing CWP but i hope you can consider this suggestion of mine which i believe would be appreciated by all users of CWP (Centos Web Panel) PRO !
Thanks in advance for the support.
5
Updates / Update Apache v2.4.41 to latest and stable Apache v2.4.43 for CWP & CWP PRO!
« on: April 10, 2020, 12:57:29 PM »
Hi,
First of all i wish to congratulate all the programmers of both CWP (Control Web Panel) and CWP (Control Web Panel) PRO for the excellent work they do and for the excellent product they have created, truly excellent from all points of view.
Congratulations also for the new and beautiful official website of CWP and CWP PRO https://control-webpanel.com/
Having said that, i ask you to consider from your next CWP (Control Web Panel) and CWP (Control Web Panel) PRO release,
updating Apache to the latest version of Apache v2.4.43 which was released on 31 March, 2020 as GA.
This is the official changelog link for Apache v2.4.43: https://www.apachelounge.com/Changelog-2.4.html
31-March-2020 Changes with Apache v2.4.43 - GA
Apache Lounge changes:
- Upgraded OpenSSL to 1.1.1f from 1.1.1e (Changelog)
ASF changes:
- SECURITY: CVE-2020-1934 (cve.mitre.org)
mod_proxy_ftp: Use of uninitialized value with malicious backend FTP server. [Eric Covener]
- SECURITY: CVE-2020-1927 (cve.mitre.org)
rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable matches and substitutions with encoded line break
characters.
The fix for CVE-2019-10098 was not effective. [Ruediger Pluem]
- mod_ssl: Fix memory leak of OCSP stapling response. [Yann Ylavic]
This is the official announcement link for Apache v2.4.43: https://www.apachelounge.com/viewtopic.php?p=38973
Apache httpd 2.4.43 is released as GA.
ASF and Apachelounge changes : https://www.apachelounge.com/Changelog-2.4.html
Attention for mod_md new features and changes listed at 2.4.42 in the change log (2.4.42 was not released).
Documentation: http://httpd.apache.org/docs/2.4/
Build with dependencies:
- openssl 1.1.1f
- nghttp2 1.40.0
- jansson 2.12
- curl 7.69.1
- apr 1.7.0
- apr-util 1.6.1
- apr-iconv 1.2.2
- zlib 1.2.11
- brotli 1.0.7
- pcre 8.44
- libxml2 2.9.10
- lua 5.2.4
- expat 2.2.9
Why we have a VS16 now
Maybe you noticed that we call Visual Studio C++ 2019 VS16 instead of VC16. In consultation with the PHP team we both now going to use VS16. VS16 is the version number of Visual Studio 2019.
The reason is, that VC15 is already a fictional identity, as the real VC++ version is 14.1, as you know. The new default one is now 14.2 still, not 16. Also, the version numbers move a lot faster now that in versions before VS2015. Thus, it turns out better to refer to the Visual Studio version and it's default toolset, than trying to catch up with the VC++ version which became unpredictable. Back in time, we've started to build with a preview of VS2017, which was indeed VC15, but after the GA release the version has been changed to 14.1, where we didn't catch up.
One Redistributable for VC14, VC15 and VS16
For VC14, VC15 and VS16 there is now only one Redistributable, called Microsoft Visual C++ Redistributable for Visual Studio 2015, 2017 and 2019
When you have already installed the VC14 and/or VC15 Redistributable. Then after install of the new, the Redistributable VC14/15 is updated from 14.0x.xx/14.1x.xx to the new one 14.2x.xx , it is called Microsoft Visual C++ 2015-2019 Redistributable and you can still use VC15/14.
Note from Microsoft: Visual C++ 2015, 2017 and 2019 all share the same redistributable files.
For example, installing the Visual C++ 2015-2019 Redistributable will affect programs built with Visual C++ 2015 and 2017 also. However, installing the Visual C++ 2015 Redistributable will not replace the newer versions of the files installed by the Visual C++ 2015-2019 Redistributable.
This is different from all previous Visual C++ versions, as they each had their own distinct runtime files, not shared with other versions.
VS16, VC14 and VC15 are backward compatible.
VS16 is backward compatible to VC15/14 and VC15 backward to VC14. That means for example, a VC15/14 module can be used inside a VS16 binary (for example PHP VC15/14 as module).
When you have hangs, slow traffic and/or when having in your log entries like Asynchronous AcceptEx failed. You can try the following settings:
AcceptFilter http none
AcceptFilter https none
EnableSendfile off
EnableMMAP off
I know you are always very busy developing CWP but i hope you can consider this suggestion of mine which i believe would be appreciated by all users of CWP (Control Web Panel) and CWP (Control Web Panel) PRO !
Thanks in advance for the support.
First of all i wish to congratulate all the programmers of both CWP (Control Web Panel) and CWP (Control Web Panel) PRO for the excellent work they do and for the excellent product they have created, truly excellent from all points of view.
Congratulations also for the new and beautiful official website of CWP and CWP PRO https://control-webpanel.com/
Having said that, i ask you to consider from your next CWP (Control Web Panel) and CWP (Control Web Panel) PRO release,
updating Apache to the latest version of Apache v2.4.43 which was released on 31 March, 2020 as GA.
This is the official changelog link for Apache v2.4.43: https://www.apachelounge.com/Changelog-2.4.html
31-March-2020 Changes with Apache v2.4.43 - GA
Apache Lounge changes:
- Upgraded OpenSSL to 1.1.1f from 1.1.1e (Changelog)
ASF changes:
- SECURITY: CVE-2020-1934 (cve.mitre.org)
mod_proxy_ftp: Use of uninitialized value with malicious backend FTP server. [Eric Covener]
- SECURITY: CVE-2020-1927 (cve.mitre.org)
rewrite, core: Set PCRE_DOTALL flag by default to avoid unpredictable matches and substitutions with encoded line break
characters.
The fix for CVE-2019-10098 was not effective. [Ruediger Pluem]
- mod_ssl: Fix memory leak of OCSP stapling response. [Yann Ylavic]
This is the official announcement link for Apache v2.4.43: https://www.apachelounge.com/viewtopic.php?p=38973
Apache httpd 2.4.43 is released as GA.
ASF and Apachelounge changes : https://www.apachelounge.com/Changelog-2.4.html
Attention for mod_md new features and changes listed at 2.4.42 in the change log (2.4.42 was not released).
Documentation: http://httpd.apache.org/docs/2.4/
Build with dependencies:
- openssl 1.1.1f
- nghttp2 1.40.0
- jansson 2.12
- curl 7.69.1
- apr 1.7.0
- apr-util 1.6.1
- apr-iconv 1.2.2
- zlib 1.2.11
- brotli 1.0.7
- pcre 8.44
- libxml2 2.9.10
- lua 5.2.4
- expat 2.2.9
Why we have a VS16 now
Maybe you noticed that we call Visual Studio C++ 2019 VS16 instead of VC16. In consultation with the PHP team we both now going to use VS16. VS16 is the version number of Visual Studio 2019.
The reason is, that VC15 is already a fictional identity, as the real VC++ version is 14.1, as you know. The new default one is now 14.2 still, not 16. Also, the version numbers move a lot faster now that in versions before VS2015. Thus, it turns out better to refer to the Visual Studio version and it's default toolset, than trying to catch up with the VC++ version which became unpredictable. Back in time, we've started to build with a preview of VS2017, which was indeed VC15, but after the GA release the version has been changed to 14.1, where we didn't catch up.
One Redistributable for VC14, VC15 and VS16
For VC14, VC15 and VS16 there is now only one Redistributable, called Microsoft Visual C++ Redistributable for Visual Studio 2015, 2017 and 2019
When you have already installed the VC14 and/or VC15 Redistributable. Then after install of the new, the Redistributable VC14/15 is updated from 14.0x.xx/14.1x.xx to the new one 14.2x.xx , it is called Microsoft Visual C++ 2015-2019 Redistributable and you can still use VC15/14.
Note from Microsoft: Visual C++ 2015, 2017 and 2019 all share the same redistributable files.
For example, installing the Visual C++ 2015-2019 Redistributable will affect programs built with Visual C++ 2015 and 2017 also. However, installing the Visual C++ 2015 Redistributable will not replace the newer versions of the files installed by the Visual C++ 2015-2019 Redistributable.
This is different from all previous Visual C++ versions, as they each had their own distinct runtime files, not shared with other versions.
VS16, VC14 and VC15 are backward compatible.
VS16 is backward compatible to VC15/14 and VC15 backward to VC14. That means for example, a VC15/14 module can be used inside a VS16 binary (for example PHP VC15/14 as module).
When you have hangs, slow traffic and/or when having in your log entries like Asynchronous AcceptEx failed. You can try the following settings:
AcceptFilter http none
AcceptFilter https none
EnableSendfile off
EnableMMAP off
I know you are always very busy developing CWP but i hope you can consider this suggestion of mine which i believe would be appreciated by all users of CWP (Control Web Panel) and CWP (Control Web Panel) PRO !
Thanks in advance for the support.
6
Updates / Update PHP-FPM and his selector to latest and stable PHP v7.3.16 for CWP PRO!
« on: March 20, 2020, 08:00:01 PM »
Hi,
First of all i wish to congratulate all the programmers of both CWP (Centos Web Panel) and CWP (Centos Web Panel) PRO for the excellent work they do and for the excellent product they have created, truly excellent from all points of view.
Congratulations also for the new and beautiful official website of CWP and CWP PRO https://control-webpanel.com/
Having said that, i ask you to consider from your next CWP (Centos Web Panel) PRO release,
updating PHP-FPM to the latest and stable version of PHP 7.3.16 which was released on 19 March, 2020.
I know you are always very busy developing CWP but i hope you can consider this suggestion of mine which i believe would be appreciated by all users of CWP (Centos Web Panel) PRO !
Thanks in advance for the support.
First of all i wish to congratulate all the programmers of both CWP (Centos Web Panel) and CWP (Centos Web Panel) PRO for the excellent work they do and for the excellent product they have created, truly excellent from all points of view.
Congratulations also for the new and beautiful official website of CWP and CWP PRO https://control-webpanel.com/
Having said that, i ask you to consider from your next CWP (Centos Web Panel) PRO release,
updating PHP-FPM to the latest and stable version of PHP 7.3.16 which was released on 19 March, 2020.
I know you are always very busy developing CWP but i hope you can consider this suggestion of mine which i believe would be appreciated by all users of CWP (Centos Web Panel) PRO !
Thanks in advance for the support.
7
Updates / Update PHP-FPM and his selector to the latest and stable PHP v7.4.4 for CWP PRO!
« on: March 20, 2020, 07:57:20 PM »
Hi,
First of all i wish to congratulate all the programmers of both CWP (Centos Web Panel) and CWP (Centos Web Panel) PRO for the excellent work they do and for the excellent product they have created, truly excellent from all points of view.
Congratulations also for the new and beautiful official website of CWP and CWP PRO https://control-webpanel.com/
Having said that, i ask you to consider from your next CWP (Centos Web Panel) PRO release,
updating PHP-FPM to the latest and stable version of PHP 7.4.4 which was released on 19 March, 2020.
Also consider that the first stable release of PHP v7.4.0 has been released on 28 November 2019 so almost about 4 months ago !
I know you are always very busy developing CWP but i hope you can consider this suggestion of mine which i believe would be appreciated by all users of CWP (Centos Web Panel) PRO !
Thanks in advance for the support.
First of all i wish to congratulate all the programmers of both CWP (Centos Web Panel) and CWP (Centos Web Panel) PRO for the excellent work they do and for the excellent product they have created, truly excellent from all points of view.
Congratulations also for the new and beautiful official website of CWP and CWP PRO https://control-webpanel.com/
Having said that, i ask you to consider from your next CWP (Centos Web Panel) PRO release,
updating PHP-FPM to the latest and stable version of PHP 7.4.4 which was released on 19 March, 2020.
Also consider that the first stable release of PHP v7.4.0 has been released on 28 November 2019 so almost about 4 months ago !
I know you are always very busy developing CWP but i hope you can consider this suggestion of mine which i believe would be appreciated by all users of CWP (Centos Web Panel) PRO !
Thanks in advance for the support.
8
Updates / Update obsolete phpMyAdmin v4.7.9 to latest phpMyAdmin v5.0.1 for CWP & CWP PRO!
« on: March 20, 2020, 02:44:11 AM »
Hi,
First of all i wish to congratulate all the programmers of both CWP (Centos Web Panel) and CWP (Centos Web Panel) PRO for the excellent work they do and for the excellent product they have created, truly excellent from all points of view.
Congratulations also for the new and beautiful official website of CWP and CWP PRO https://control-webpanel.com/
Having said that, i ask you to consider from your next CWP (Centos Web Panel) and CWP (Centos Web Panel) PRO release,
updating phpMyAdmin to the latest version of phpMyAdmin v5.0.1 which was released on 08 January, 2020.
If you use this command sh /scripts/mysql_phpmyadmin_update the result is that an obsolete version of phpMyAdmin is installed for CWP (Centos Web Panel) and CWP (Centos Web Panel) PRO which is phpMyAdmin v4.7.9 which was released on 05 March, 2018.
NOTE FROM PHPMYADMIN DEVELOPER:
This is a reminder that phpMyAdmin 4.9.3 is in the long-term support phase where it will only get important security fixes and critical bug fixes. Users are suggested to migrate to version 5.0.
This is the official changelog link for phpMyAdmin v5.0.1: https://www.phpmyadmin.net/files/5.0.1/
Welcome to the release of phpMyAdmin version 5.0.1. This is fixes an important security flaw as well as containing several other bug fixes.
The two most notable fixes:
* Issue #15724 regarding two-factor authentication
* PMASA-2020-1 which is an SQL injection vulnerability in the user accounts page
There are several other bugs fixes, please see the ChangeLog file included with this release for full details.
Known shortcomings:
Due to changes in the MySQL authentication method, PHP versions prior to 7.4 are unable to authenticate to a MySQL 8.0 or newer server (our tests show the problem actually began with MySQL 8.0.11). This relates to a PHP bug https://bugs.php.net/bug.php?id=76243. There is a workaround, that is to set your user account to use the current-style password hash method, mysql_native_password. This unfortunate lack of coordination has caused the incompatibility to affect all PHP applications, not just phpMyAdmin. For more details, you can see our bug tracker item at https://github.com/phpmyadmin/phpmyadmin/issues/14220. We suggest upgrading your PHP installation to take advantage of the authentication methods.
Downloads are available now at https://phpmyadmin.net/downloads/
For the phpMyAdmin team,
Isaac
This is the official changelog link for phpMyAdmin v5.0.0: https://www.phpmyadmin.net/files/5.0.0/
Welcome to the release of phpMyAdmin version 5.0.0.
This release includes many new features and improvements from the 4.9 series. We expect to maintain version 4 in a security capacity
to support users with older PHP installations. For full details about supported versions and end of life dates, see the "Supported versions"
grid at .
With this release, we are removing support of old PHP versions (5.5, 5.6, 7.0, and HHVM). These versions are outdated and are no longer supported by the PHP team.
Version 5.0 includes many coding improvements that modernize the interface. Many of these changes are transparent to users, but make the code easier to maintain.
Much of this refactoring work is completed by our contract developer, Maurício Meneghini Fauth. We always consider applications for new (paid) contract developers,
see for program details.
Some of the changes and new features include:
- Enable columns names by default for CSV exports
- Add Metro theme
- Automatically add the index when creating an auto increment column
- Improvements to exporting views
- Prompt the user for confirmation before running an UPDATE query with no WHERE clause
- Improvements to how errors are show to the user (including allowing easier copying of the error text to the clipboard)
- Added keystrokes to clear the line (ctrl+l) and clear the entire console window (ctrl+u)
- Use charset 'windows-1252' when export format is MS Excel
There are several more changes, please refer to the ChangeLog file included with the release for full details.
Known shortcomings:
Due to changes in the MySQL authentication method, PHP versions prior to 7.4 are unable to authenticate to a MySQL 8.0 or newer server (our tests show the problem actually began with MySQL 8.0.11). This relates to a PHP bug https://bugs.php.net/bug.php?id=76243. There is a workaround, that is to set your user account to use the current-style password hash method, mysql_native_password. This unfortunate lack of coordination has caused the incompatibility to affect all PHP applications, not just phpMyAdmin. For more details, you can see our bug tracker item at https://github.com/phpmyadmin/phpmyadmin/issues/14220. We suggest upgrading your PHP installation to take advantage of the authentication methods.
Downloads are available now at https://phpmyadmin.net/downloads/
Our work would not be possible without the donations of our generous sponsor, and this release in particular is brought to you thanks to the hard work of our Google Summer of Code students and many other contributors.
For the phpMyAdmin team,
Isaac
This is the official changelog link for phpMyAdmin v4.9.4: https://www.phpmyadmin.net/files/4.9.4/
Welcome to the release of phpMyAdmin version 4.9.4. This is a security release and also contains a fix for a problem with two-factor authentication
that was introduced in version 4.9.3.
Changes this version:
- Issue #15724 regarding two-factor authentication
- PMASA-2020-1 which is an SQL injection vulnerability in the user accounts page
This is a reminder that phpMyAdmin 4.9.3 is in the long-term support phase where it will only get important security fixes and critical bug fixes. Users are suggested to migrate to version 5.0.
Downloads are available now at https://phpmyadmin.net/downloads/
For the phpMyAdmin team,
Isaac
This is the official changelog link for phpMyAdmin v4.9.3: https://www.phpmyadmin.net/files/4.9.3/
Welcome to phpMyAdmin 4.9.3, a routine bugfix release.
This is planned as the final bugfix release of phpMyAdmin version 4. Version 4 works with PHP versions 5.5 through (at least) 7.4,
and MySQL versions 5.5 and newer (and the corresponding MariaDB versions). Version 5 will require PHP 7.1 or newer, but
we plan to maintain security fixes for version 4 as part of our LTS program. For end of life details and supported
versions, please see the "Supported versions" grid at .
This release includes fixes for many bugs, including:
- Several PHP notices and warnings including "Undefined index table_create_time,"
a notice about error_reporting() being disabled for security reasons, and several Undefined Index errors.
- Support CloudFront-Forwarded-Proto header for Amazon CloudFront proxy
- Early compatibility with development versions of PHP 8
- Fix replication actions (start, stop, etc)
There are many, many more bug fixes thanks to the efforts of our developers and other contributors.
For full details, you can see the ChangeLog file included with this release.
The phpMyAdmin team
This is the official changelog link for phpMyAdmin v4.9.2: https://www.phpmyadmin.net/files/4.9.2/
Welcome to phpMyAdmin 4.9.2, a bugfix release that also contains a security fix.
This security fix is part of an ongoing effort to improve the security of the Designer feature.
There is also an improvement for how we sanitize Git version information shown on the home page, thanks to Ali Hubail.
This release includes fixes for many bugs, including:
- Fixes for the "Failed to set session cookie" error which relates to the cookie name. In some cases, data stored in the cookie (such as the previously-used user account) may not be loaded from a previous phpMyAdmin cookie the first time you run version 4.9.2
- Fix for Advisor with MySQL 8.0.3 and newer
- Fix PHP deprecation errors
- Fix a situation where exporting users after a delete query could remove users
- Fix incorrect "You do not have privileges to manipulate with the users!" warning
- Fix copying a database's privileges and several other problems moving columns with MariaDB
- Fix for phpMyAdmin not selecting all the values when using shift-click to select during Export
There are many, many more bug fixes thanks to the efforts of our developers and other contributors.
The phpMyAdmin team
This is the official changelog link for phpMyAdmin v4.9.1: https://www.phpmyadmin.net/files/4.9.1/
Welcome to phpMyAdmin 4.9.1, a bugfix release.
This is a regularly-schedule bugfix release that also includes some security hardening measures.
We wish to point out that this also includes a routine fix for an issue that has been reported as CVE-2019-12922. The fix for this has been in our release queue to be part of this release, however it is the opinion of the team that the reported attack vector did not justify a separate release.
This release includes fixes for many bugs, including:
- Editing columns with CURRENT_TIMESTAMP for MySQL versions 8.0.13 and newer
- Compatibility issues with PHP 8
- Export of GIS visualization
- Enhanced descriptions for several collation types
- Creating a user with a single quote in the password string
- Unexpected quotes during import and export on text fields
- Improvements to adding new tables to Designer
- Fix an issue where an authenticated user could trigger heavy traffic between the database server and web server
- Fix a weakness where an attacker, under certain conditions, working at the same time as an administrator is using the setup script, could delete a server from the setup script
There are many, many more bug fixes thanks to the efforts of our developers, Google Summer of Code applicants, and other contributors.
The phpMyAdmin team
This is the official changelog link for phpMyAdmin v4.9.0.1: https://www.phpmyadmin.net/files/4.9.0.1/
Welcome to phpMyAdmin 4.9.0.1, a bugfix release that includes important security fixes.
This release fixes two security vulnerabilities:
* PMASA-2019-3 is an SQL injection flaw in the Designer feature
* PMASA-2019-4 is a CSRF attack that's possible through the 'cookie' login form
Upgrading is highly recommended for all users. Using the 'http' auth_type instead of 'cookie' can mitigate the CSRF attack.
The solution for the CSRF attack does remove the former functionality to log in directly through URL parameters (as mentioned in FAQ 4.8, such as https://example.com/phpmyadmin/?pma_username=root&password=foo). Such behavior was discouraged and is now removed. Other query parameters work as expected; only pma_username and pma_password have been removed.
This release also includes fixes for many bugs, including:
- Several issues with SYSTEM VERSIONING tables
- Fixed json encode error in export
- Fixed JavaScript events not activating on input (sql bookmark issue)
- Show Designer combo boxes when adding a constraint
- Fix edit view
- Fixed invalid default value for bit field
- Fix several errors relating to GIS data types
- Fixed javascript error PMA_messages is not defined
- Fixed import XML data with leading zeros
- Fixed php notice, added support for 'DELETE HISTORY' table privilege (MariaDB >= 10.3.4)
- Fixed MySQL 8.0.0 issues with GIS display
- Fixed "Server charset" in "Database server" tab showing wrong information
- Fixed can not copy user on Percona Server 5.7
- Updated sql-parser to version 4.3.2, which fixes several parsing and linting problems
There are many, many more bug fixes thanks to the efforts of our developers, Google Summer of Code applicants, and other contributors.
The phpMyAdmin team
This is the official changelog link for phpMyAdmin v4.9.0: https://www.phpmyadmin.net/files/4.9.0/
Welcome to phpMyAdmin 4.9.0, a bugfix release that includes important security fixes.
This release fixes two security vulnerabilities:
* PMASA-2019-3 is an SQL injection flaw in the Designer feature
* PMASA-2019-4 is a CSRF attack that's possible through the 'cookie' login form
Upgrading is highly recommended for all users. Using the 'http' auth_type instead of 'cookie' can mitigate the CSRF attack.
The solution for the CSRF attack does remove the former functionality to log in directly through URL parameters (as mentioned in FAQ 4.8, such as https://example.com/phpmyadmin/?pma_username=root&password=foo). Such behavior was discouraged and is now removed. Other query parameters work as expected; only pma_username and pma_password have been removed.
This release also includes fixes for many bugs, including:
- Several issues with SYSTEM VERSIONING tables
- Fixed json encode error in export
- Fixed JavaScript events not activating on input (sql bookmark issue)
- Show Designer combo boxes when adding a constraint
- Fix edit view
- Fixed invalid default value for bit field
- Fix several errors relating to GIS data types
- Fixed javascript error PMA_messages is not defined
- Fixed import XML data with leading zeros
- Fixed php notice, added support for 'DELETE HISTORY' table privilege (MariaDB >= 10.3.4)
- Fixed MySQL 8.0.0 issues with GIS display
- Fixed "Server charset" in "Database server" tab showing wrong information
- Fixed can not copy user on Percona Server 5.7
- Updated sql-parser to version 4.3.2, which fixes several parsing and linting problems
There are many, many more bug fixes thanks to the efforts of our developers, Google Summer of Code applicants, and other contributors.
The phpMyAdmin team
This is the official changelog link for phpMyAdmin v4.8.5: https://www.phpmyadmin.net/files/4.8.5/
The phpMyAdmin team announces the release of phpMyAdmin version 4.8.5. Among other bug fixes, this contains several important security fixes. Upgrading is highly recommended for all users.
The security fixes involve:
* Arbitrary file read vulnerability (https://www.phpmyadmin.net/security/PMASA-2019-1)
* SQL injection in the Designer interface (https://www.phpmyadmin.net/security/PMASA-2019-2)
The arbitrary file read vulnerability could also be exploited to delete arbitrary files on the server. This attack requires that phpMyAdmin be run with the $cfg['AllowArbitraryServer'] directive set to true, which is not the default. An attacker must run a malicious server process that will masquerade as a MySQL server. This exploit has been found and fixed recently in several other related projects and appears to be caused by a bug in PHP (https://bugs.php.net/bug.php?id=77496).
In addition to the security fixes, this release also includes these bug fixes and more as part of our regular release cycle:
* Export to SQL format not available
* QR code not shown when adding two-factor authentication to a user account
* Issue with adding a new user in MySQL 8.0.11 and newer
* Frozen interface relating to Text_Plain_Sql plugin
* Table level Operations tab was missing
And several more. Complete notes are in the ChangeLog file included with this release.
As always, downloads are available at https://www.phpmyadmin.net/downloads/
This is the official changelog link for phpMyAdmin v4.8.4: https://www.phpmyadmin.net/files/4.8.4/
The phpMyAdmin team announces the release of phpMyAdmin version 4.8.4. Among other bug fixes, this contains several important security fixes. Upgrading is highly recommended for all users.
The security fixes involve:
* Local file inclusion (https://www.phpmyadmin.net/security/PMASA-2018-6/),
* XSRF/CSRF vulnerabilities allowing a specially-crafted URL to perform harmful operations (https://www.phpmyadmin.net/security/PMASA-2018-7/), and
* an XSS vulnerability in the navigation tree (https://www.phpmyadmin.net/security/PMASA-2018-8/)
In addition to the security fixes, this release also includes these bug fixes and more as part of our regular release cycle:
* Issue with changing theme
* Ensure that database names with a dot ('.') are handled properly when DisableIS is true
* Fix for message "Error while copying database (pma__column_info)"
* Move operation causes "SELECT * FROM `undefined`" error
* When logging with $cfg['AuthLog'] to syslog, successful login messages were not logged when $cfg['AuthLogSuccess'] was true
* Multiple errors and regressions with Designer
And several more. Complete notes are in the ChangeLog file included with this release.
Note that for this release, we experimented with a pre-release announcement so that hosting providers and package managers would have an opportunity to prepare for the security release. If this was helpful to you or if you have feedback about this technique, please let us know through the public list developers@phpmyadmin.net or privately at security@phpmyadmin.net. We may or may not decide use this behavior in the future and your feedback will help us decide whether it's beneficial to the community.
As always, downloads are available at https://www.phpmyadmin.net/downloads/
This is the official changelog link for phpMyAdmin v4.8.3: https://www.phpmyadmin.net/files/4.8.3/
The phpMyAdmin team is pleased to announce the release of phpMyAdmin version 4.8.2. Among other bug fixes, this contains a security fix for an issue that can be exploited when importing files.
A flaw was discovered with how warning messages are displayed while importing a file. This attack requires a specially-crafted file but can allow an attacker to trick the user in to executing a cross-site scripting (XSS) attack. We recommend updating immediately to mitigate this attack.
In addition to the security fixes, this release also includes these bug fixes and more as part of our regular release cycle:
* An error where a database is named 0
* Fix for NULL as default not being shown
* Fix for recent tables list
* Fix for slow performance with table filtering
* Two-factor authentication (2FA) fails if the GD PHP library is missing
* Event scheduler toggle does not work
* ERR_BLOCKED_BY_XSS_AUDITOR error when exporting a table
* PHP 7.3 warning: "continue" in "switch" is equal to "break"
And several more. Complete notes are in the ChangeLog file included with this release.
As always, downloads are available at https://www.phpmyadmin.net/downloads/
This is the official changelog link for phpMyAdmin v4.8.2: https://www.phpmyadmin.net/files/4.8.2/
The phpMyAdmin team is pleased to announce the release of phpMyAdmin version 4.8.2. Among other bug fixes, this contains an important security update and it is highly recommended that all users upgrade immediately.
The urgent vulnerability allows an authenticated attacker to exploit a phpMyAdmin feature to show and potentially execute files on the server. PHP open_basedir restrictions mitigate the effect of this flaw. For further details, see the PMASA announcement .
A second flaw was also fixed allowing an attacker to use a specially crafted database name to trick a user in to executing a cross-site scripting (XSS) attack in the Designer feature .
In addition to the security fixes, this release also includes these bug fixes as part of our regular release cycle:
* WHERE 0 clause causes a fatal error
* Fix missing "INDEX" icon
Downloads are available at https://www.phpmyadmin.net/downloads/
This is the official changelog link for phpMyAdmin v4.8.1: https://www.phpmyadmin.net/files/4.8.1/
This is the official changelog link for phpMyAdmin v4.8.0.1: https://www.phpmyadmin.net/files/4.8.0.1/
I know you are always very busy developing CWP but i hope you can consider this suggestion of mine which i believe would be appreciated by all users of CWP (Centos Web Panel) and CWP (Centos Web Panel) PRO !
Thanks in advance for the support.
First of all i wish to congratulate all the programmers of both CWP (Centos Web Panel) and CWP (Centos Web Panel) PRO for the excellent work they do and for the excellent product they have created, truly excellent from all points of view.
Congratulations also for the new and beautiful official website of CWP and CWP PRO https://control-webpanel.com/
Having said that, i ask you to consider from your next CWP (Centos Web Panel) and CWP (Centos Web Panel) PRO release,
updating phpMyAdmin to the latest version of phpMyAdmin v5.0.1 which was released on 08 January, 2020.
If you use this command sh /scripts/mysql_phpmyadmin_update the result is that an obsolete version of phpMyAdmin is installed for CWP (Centos Web Panel) and CWP (Centos Web Panel) PRO which is phpMyAdmin v4.7.9 which was released on 05 March, 2018.
NOTE FROM PHPMYADMIN DEVELOPER:
This is a reminder that phpMyAdmin 4.9.3 is in the long-term support phase where it will only get important security fixes and critical bug fixes. Users are suggested to migrate to version 5.0.
This is the official changelog link for phpMyAdmin v5.0.1: https://www.phpmyadmin.net/files/5.0.1/
Welcome to the release of phpMyAdmin version 5.0.1. This is fixes an important security flaw as well as containing several other bug fixes.
The two most notable fixes:
* Issue #15724 regarding two-factor authentication
* PMASA-2020-1 which is an SQL injection vulnerability in the user accounts page
There are several other bugs fixes, please see the ChangeLog file included with this release for full details.
Known shortcomings:
Due to changes in the MySQL authentication method, PHP versions prior to 7.4 are unable to authenticate to a MySQL 8.0 or newer server (our tests show the problem actually began with MySQL 8.0.11). This relates to a PHP bug https://bugs.php.net/bug.php?id=76243. There is a workaround, that is to set your user account to use the current-style password hash method, mysql_native_password. This unfortunate lack of coordination has caused the incompatibility to affect all PHP applications, not just phpMyAdmin. For more details, you can see our bug tracker item at https://github.com/phpmyadmin/phpmyadmin/issues/14220. We suggest upgrading your PHP installation to take advantage of the authentication methods.
Downloads are available now at https://phpmyadmin.net/downloads/
For the phpMyAdmin team,
Isaac
This is the official changelog link for phpMyAdmin v5.0.0: https://www.phpmyadmin.net/files/5.0.0/
Welcome to the release of phpMyAdmin version 5.0.0.
This release includes many new features and improvements from the 4.9 series. We expect to maintain version 4 in a security capacity
to support users with older PHP installations. For full details about supported versions and end of life dates, see the "Supported versions"
grid at .
With this release, we are removing support of old PHP versions (5.5, 5.6, 7.0, and HHVM). These versions are outdated and are no longer supported by the PHP team.
Version 5.0 includes many coding improvements that modernize the interface. Many of these changes are transparent to users, but make the code easier to maintain.
Much of this refactoring work is completed by our contract developer, Maurício Meneghini Fauth. We always consider applications for new (paid) contract developers,
see for program details.
Some of the changes and new features include:
- Enable columns names by default for CSV exports
- Add Metro theme
- Automatically add the index when creating an auto increment column
- Improvements to exporting views
- Prompt the user for confirmation before running an UPDATE query with no WHERE clause
- Improvements to how errors are show to the user (including allowing easier copying of the error text to the clipboard)
- Added keystrokes to clear the line (ctrl+l) and clear the entire console window (ctrl+u)
- Use charset 'windows-1252' when export format is MS Excel
There are several more changes, please refer to the ChangeLog file included with the release for full details.
Known shortcomings:
Due to changes in the MySQL authentication method, PHP versions prior to 7.4 are unable to authenticate to a MySQL 8.0 or newer server (our tests show the problem actually began with MySQL 8.0.11). This relates to a PHP bug https://bugs.php.net/bug.php?id=76243. There is a workaround, that is to set your user account to use the current-style password hash method, mysql_native_password. This unfortunate lack of coordination has caused the incompatibility to affect all PHP applications, not just phpMyAdmin. For more details, you can see our bug tracker item at https://github.com/phpmyadmin/phpmyadmin/issues/14220. We suggest upgrading your PHP installation to take advantage of the authentication methods.
Downloads are available now at https://phpmyadmin.net/downloads/
Our work would not be possible without the donations of our generous sponsor, and this release in particular is brought to you thanks to the hard work of our Google Summer of Code students and many other contributors.
For the phpMyAdmin team,
Isaac
This is the official changelog link for phpMyAdmin v4.9.4: https://www.phpmyadmin.net/files/4.9.4/
Welcome to the release of phpMyAdmin version 4.9.4. This is a security release and also contains a fix for a problem with two-factor authentication
that was introduced in version 4.9.3.
Changes this version:
- Issue #15724 regarding two-factor authentication
- PMASA-2020-1 which is an SQL injection vulnerability in the user accounts page
This is a reminder that phpMyAdmin 4.9.3 is in the long-term support phase where it will only get important security fixes and critical bug fixes. Users are suggested to migrate to version 5.0.
Downloads are available now at https://phpmyadmin.net/downloads/
For the phpMyAdmin team,
Isaac
This is the official changelog link for phpMyAdmin v4.9.3: https://www.phpmyadmin.net/files/4.9.3/
Welcome to phpMyAdmin 4.9.3, a routine bugfix release.
This is planned as the final bugfix release of phpMyAdmin version 4. Version 4 works with PHP versions 5.5 through (at least) 7.4,
and MySQL versions 5.5 and newer (and the corresponding MariaDB versions). Version 5 will require PHP 7.1 or newer, but
we plan to maintain security fixes for version 4 as part of our LTS program. For end of life details and supported
versions, please see the "Supported versions" grid at .
This release includes fixes for many bugs, including:
- Several PHP notices and warnings including "Undefined index table_create_time,"
a notice about error_reporting() being disabled for security reasons, and several Undefined Index errors.
- Support CloudFront-Forwarded-Proto header for Amazon CloudFront proxy
- Early compatibility with development versions of PHP 8
- Fix replication actions (start, stop, etc)
There are many, many more bug fixes thanks to the efforts of our developers and other contributors.
For full details, you can see the ChangeLog file included with this release.
The phpMyAdmin team
This is the official changelog link for phpMyAdmin v4.9.2: https://www.phpmyadmin.net/files/4.9.2/
Welcome to phpMyAdmin 4.9.2, a bugfix release that also contains a security fix.
This security fix is part of an ongoing effort to improve the security of the Designer feature.
There is also an improvement for how we sanitize Git version information shown on the home page, thanks to Ali Hubail.
This release includes fixes for many bugs, including:
- Fixes for the "Failed to set session cookie" error which relates to the cookie name. In some cases, data stored in the cookie (such as the previously-used user account) may not be loaded from a previous phpMyAdmin cookie the first time you run version 4.9.2
- Fix for Advisor with MySQL 8.0.3 and newer
- Fix PHP deprecation errors
- Fix a situation where exporting users after a delete query could remove users
- Fix incorrect "You do not have privileges to manipulate with the users!" warning
- Fix copying a database's privileges and several other problems moving columns with MariaDB
- Fix for phpMyAdmin not selecting all the values when using shift-click to select during Export
There are many, many more bug fixes thanks to the efforts of our developers and other contributors.
The phpMyAdmin team
This is the official changelog link for phpMyAdmin v4.9.1: https://www.phpmyadmin.net/files/4.9.1/
Welcome to phpMyAdmin 4.9.1, a bugfix release.
This is a regularly-schedule bugfix release that also includes some security hardening measures.
We wish to point out that this also includes a routine fix for an issue that has been reported as CVE-2019-12922. The fix for this has been in our release queue to be part of this release, however it is the opinion of the team that the reported attack vector did not justify a separate release.
This release includes fixes for many bugs, including:
- Editing columns with CURRENT_TIMESTAMP for MySQL versions 8.0.13 and newer
- Compatibility issues with PHP 8
- Export of GIS visualization
- Enhanced descriptions for several collation types
- Creating a user with a single quote in the password string
- Unexpected quotes during import and export on text fields
- Improvements to adding new tables to Designer
- Fix an issue where an authenticated user could trigger heavy traffic between the database server and web server
- Fix a weakness where an attacker, under certain conditions, working at the same time as an administrator is using the setup script, could delete a server from the setup script
There are many, many more bug fixes thanks to the efforts of our developers, Google Summer of Code applicants, and other contributors.
The phpMyAdmin team
This is the official changelog link for phpMyAdmin v4.9.0.1: https://www.phpmyadmin.net/files/4.9.0.1/
Welcome to phpMyAdmin 4.9.0.1, a bugfix release that includes important security fixes.
This release fixes two security vulnerabilities:
* PMASA-2019-3 is an SQL injection flaw in the Designer feature
* PMASA-2019-4 is a CSRF attack that's possible through the 'cookie' login form
Upgrading is highly recommended for all users. Using the 'http' auth_type instead of 'cookie' can mitigate the CSRF attack.
The solution for the CSRF attack does remove the former functionality to log in directly through URL parameters (as mentioned in FAQ 4.8, such as https://example.com/phpmyadmin/?pma_username=root&password=foo). Such behavior was discouraged and is now removed. Other query parameters work as expected; only pma_username and pma_password have been removed.
This release also includes fixes for many bugs, including:
- Several issues with SYSTEM VERSIONING tables
- Fixed json encode error in export
- Fixed JavaScript events not activating on input (sql bookmark issue)
- Show Designer combo boxes when adding a constraint
- Fix edit view
- Fixed invalid default value for bit field
- Fix several errors relating to GIS data types
- Fixed javascript error PMA_messages is not defined
- Fixed import XML data with leading zeros
- Fixed php notice, added support for 'DELETE HISTORY' table privilege (MariaDB >= 10.3.4)
- Fixed MySQL 8.0.0 issues with GIS display
- Fixed "Server charset" in "Database server" tab showing wrong information
- Fixed can not copy user on Percona Server 5.7
- Updated sql-parser to version 4.3.2, which fixes several parsing and linting problems
There are many, many more bug fixes thanks to the efforts of our developers, Google Summer of Code applicants, and other contributors.
The phpMyAdmin team
This is the official changelog link for phpMyAdmin v4.9.0: https://www.phpmyadmin.net/files/4.9.0/
Welcome to phpMyAdmin 4.9.0, a bugfix release that includes important security fixes.
This release fixes two security vulnerabilities:
* PMASA-2019-3 is an SQL injection flaw in the Designer feature
* PMASA-2019-4 is a CSRF attack that's possible through the 'cookie' login form
Upgrading is highly recommended for all users. Using the 'http' auth_type instead of 'cookie' can mitigate the CSRF attack.
The solution for the CSRF attack does remove the former functionality to log in directly through URL parameters (as mentioned in FAQ 4.8, such as https://example.com/phpmyadmin/?pma_username=root&password=foo). Such behavior was discouraged and is now removed. Other query parameters work as expected; only pma_username and pma_password have been removed.
This release also includes fixes for many bugs, including:
- Several issues with SYSTEM VERSIONING tables
- Fixed json encode error in export
- Fixed JavaScript events not activating on input (sql bookmark issue)
- Show Designer combo boxes when adding a constraint
- Fix edit view
- Fixed invalid default value for bit field
- Fix several errors relating to GIS data types
- Fixed javascript error PMA_messages is not defined
- Fixed import XML data with leading zeros
- Fixed php notice, added support for 'DELETE HISTORY' table privilege (MariaDB >= 10.3.4)
- Fixed MySQL 8.0.0 issues with GIS display
- Fixed "Server charset" in "Database server" tab showing wrong information
- Fixed can not copy user on Percona Server 5.7
- Updated sql-parser to version 4.3.2, which fixes several parsing and linting problems
There are many, many more bug fixes thanks to the efforts of our developers, Google Summer of Code applicants, and other contributors.
The phpMyAdmin team
This is the official changelog link for phpMyAdmin v4.8.5: https://www.phpmyadmin.net/files/4.8.5/
The phpMyAdmin team announces the release of phpMyAdmin version 4.8.5. Among other bug fixes, this contains several important security fixes. Upgrading is highly recommended for all users.
The security fixes involve:
* Arbitrary file read vulnerability (https://www.phpmyadmin.net/security/PMASA-2019-1)
* SQL injection in the Designer interface (https://www.phpmyadmin.net/security/PMASA-2019-2)
The arbitrary file read vulnerability could also be exploited to delete arbitrary files on the server. This attack requires that phpMyAdmin be run with the $cfg['AllowArbitraryServer'] directive set to true, which is not the default. An attacker must run a malicious server process that will masquerade as a MySQL server. This exploit has been found and fixed recently in several other related projects and appears to be caused by a bug in PHP (https://bugs.php.net/bug.php?id=77496).
In addition to the security fixes, this release also includes these bug fixes and more as part of our regular release cycle:
* Export to SQL format not available
* QR code not shown when adding two-factor authentication to a user account
* Issue with adding a new user in MySQL 8.0.11 and newer
* Frozen interface relating to Text_Plain_Sql plugin
* Table level Operations tab was missing
And several more. Complete notes are in the ChangeLog file included with this release.
As always, downloads are available at https://www.phpmyadmin.net/downloads/
This is the official changelog link for phpMyAdmin v4.8.4: https://www.phpmyadmin.net/files/4.8.4/
The phpMyAdmin team announces the release of phpMyAdmin version 4.8.4. Among other bug fixes, this contains several important security fixes. Upgrading is highly recommended for all users.
The security fixes involve:
* Local file inclusion (https://www.phpmyadmin.net/security/PMASA-2018-6/),
* XSRF/CSRF vulnerabilities allowing a specially-crafted URL to perform harmful operations (https://www.phpmyadmin.net/security/PMASA-2018-7/), and
* an XSS vulnerability in the navigation tree (https://www.phpmyadmin.net/security/PMASA-2018-8/)
In addition to the security fixes, this release also includes these bug fixes and more as part of our regular release cycle:
* Issue with changing theme
* Ensure that database names with a dot ('.') are handled properly when DisableIS is true
* Fix for message "Error while copying database (pma__column_info)"
* Move operation causes "SELECT * FROM `undefined`" error
* When logging with $cfg['AuthLog'] to syslog, successful login messages were not logged when $cfg['AuthLogSuccess'] was true
* Multiple errors and regressions with Designer
And several more. Complete notes are in the ChangeLog file included with this release.
Note that for this release, we experimented with a pre-release announcement so that hosting providers and package managers would have an opportunity to prepare for the security release. If this was helpful to you or if you have feedback about this technique, please let us know through the public list developers@phpmyadmin.net or privately at security@phpmyadmin.net. We may or may not decide use this behavior in the future and your feedback will help us decide whether it's beneficial to the community.
As always, downloads are available at https://www.phpmyadmin.net/downloads/
This is the official changelog link for phpMyAdmin v4.8.3: https://www.phpmyadmin.net/files/4.8.3/
The phpMyAdmin team is pleased to announce the release of phpMyAdmin version 4.8.2. Among other bug fixes, this contains a security fix for an issue that can be exploited when importing files.
A flaw was discovered with how warning messages are displayed while importing a file. This attack requires a specially-crafted file but can allow an attacker to trick the user in to executing a cross-site scripting (XSS) attack. We recommend updating immediately to mitigate this attack.
In addition to the security fixes, this release also includes these bug fixes and more as part of our regular release cycle:
* An error where a database is named 0
* Fix for NULL as default not being shown
* Fix for recent tables list
* Fix for slow performance with table filtering
* Two-factor authentication (2FA) fails if the GD PHP library is missing
* Event scheduler toggle does not work
* ERR_BLOCKED_BY_XSS_AUDITOR error when exporting a table
* PHP 7.3 warning: "continue" in "switch" is equal to "break"
And several more. Complete notes are in the ChangeLog file included with this release.
As always, downloads are available at https://www.phpmyadmin.net/downloads/
This is the official changelog link for phpMyAdmin v4.8.2: https://www.phpmyadmin.net/files/4.8.2/
The phpMyAdmin team is pleased to announce the release of phpMyAdmin version 4.8.2. Among other bug fixes, this contains an important security update and it is highly recommended that all users upgrade immediately.
The urgent vulnerability allows an authenticated attacker to exploit a phpMyAdmin feature to show and potentially execute files on the server. PHP open_basedir restrictions mitigate the effect of this flaw. For further details, see the PMASA announcement .
A second flaw was also fixed allowing an attacker to use a specially crafted database name to trick a user in to executing a cross-site scripting (XSS) attack in the Designer feature .
In addition to the security fixes, this release also includes these bug fixes as part of our regular release cycle:
* WHERE 0 clause causes a fatal error
* Fix missing "INDEX" icon
Downloads are available at https://www.phpmyadmin.net/downloads/
This is the official changelog link for phpMyAdmin v4.8.1: https://www.phpmyadmin.net/files/4.8.1/
This is the official changelog link for phpMyAdmin v4.8.0.1: https://www.phpmyadmin.net/files/4.8.0.1/
I know you are always very busy developing CWP but i hope you can consider this suggestion of mine which i believe would be appreciated by all users of CWP (Centos Web Panel) and CWP (Centos Web Panel) PRO !
Thanks in advance for the support.
9
Nginx / NGINX Ultimate Bad Bot Blocker for CWP and CWP PRO !
« on: December 29, 2019, 10:44:02 AM »
Hi,
First of all i wish to congratulate all the programmers of both CWP (Centos Web Panel) and CWP (Centos Web Panel) PRO for the excellent work they do and for the excellent product they have created, truly excellent from all points of view.
Having said that, i ask you to consider the implementation in CWP (Centos Web Panel) and CWP (Centos Web Panel) PRO of NGINX Ultimate Bad Bot Blocker for security purpouse.
This is the official link of NGINX Ultimate Bad Bot Blocker: https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker
Tested and Work On:
nginx version: nginx/1.10.x ✔️
nginx version: nginx/1.16.1 ✔️
nginx version: nginx/1.15.8 ✔️
nginx version: nginx/1.17.7 ✔️
This security tools block this:
NGINX Ultimate Bad Bot Blocker Version: V4.2019.12.1919
- Bad Referrers Blocked: 6804
- Bad User-Agents (Bots) Blocked: 562
- Fake Googlebots Blocked: 217
... and plus more ...
The Ultimate NGINX (1.10.x > 1.17.7+) Bad Bot, User-Agent, Spam Referrer Blocker, Adware, Malware and Ransomware Blocker, Clickjacking Blocker, Click Re-Directing Blocker, SEO Companies and Bad IP Blocker with Anti DDOS System, Nginx Rate Limiting and Wordpress Theme Detector Blocking. Stop and Block all kinds of bad internet traffic from ever reaching your web sites.
PLEASE SEE - Definition of Bad Bots:
Bad bots are:
Bad Referrers
Bad User-Agent Strings
Spam Referrers
Spam Bots and Bad Bots
Nuisance or Unwanted Bots
Sites Linked to Lucrative Malware, Adware and Ransomware Clickjacking Campaigns
Vulnerability scanners
Gambling and Porn Web Sites
E-mail harvesters
Content scrapers
Link Ranking Bots
Aggressive bots that scrape content
Image Hotlinking Sites and Image Thieves
Bots or Servers linked to viruses or malware
Government surveillance bots
Botnet Attack Networks (Mirai)
Known Wordpress Theme Detectors (Updated Regularly)
SEO companies that your competitors use to try improve their SEO
Link Research and Backlink Testing Tools
Stopping Google Analytics Ghost Spam
Browser Adware and Malware (Yontoo etc)
(Over 4000 bad referers, spam referrers, user-agents, bad bots, bad IP's, porn, gambling and clickjacking sites, lucrative seo companies, wordpress theme detectors and counting).
Includes the creation of a google-exclude.txt file for creating filters / segments in Google Analytics.
Includes the creation of a google-disallow.txt file for use in Google Webmaster Tools.
I know you are always very busy developing CWP but i hope you can consider this suggestion of mine which i believe would be appreciated by all users of CWP (Centos Web Panel) and CWP (Centos Web Panel) PRO !
Thanks in advance for the support.
First of all i wish to congratulate all the programmers of both CWP (Centos Web Panel) and CWP (Centos Web Panel) PRO for the excellent work they do and for the excellent product they have created, truly excellent from all points of view.
Having said that, i ask you to consider the implementation in CWP (Centos Web Panel) and CWP (Centos Web Panel) PRO of NGINX Ultimate Bad Bot Blocker for security purpouse.
This is the official link of NGINX Ultimate Bad Bot Blocker: https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker
Tested and Work On:
nginx version: nginx/1.10.x ✔️
nginx version: nginx/1.16.1 ✔️
nginx version: nginx/1.15.8 ✔️
nginx version: nginx/1.17.7 ✔️
This security tools block this:
NGINX Ultimate Bad Bot Blocker Version: V4.2019.12.1919
- Bad Referrers Blocked: 6804
- Bad User-Agents (Bots) Blocked: 562
- Fake Googlebots Blocked: 217
... and plus more ...
The Ultimate NGINX (1.10.x > 1.17.7+) Bad Bot, User-Agent, Spam Referrer Blocker, Adware, Malware and Ransomware Blocker, Clickjacking Blocker, Click Re-Directing Blocker, SEO Companies and Bad IP Blocker with Anti DDOS System, Nginx Rate Limiting and Wordpress Theme Detector Blocking. Stop and Block all kinds of bad internet traffic from ever reaching your web sites.
PLEASE SEE - Definition of Bad Bots:
Bad bots are:
Bad Referrers
Bad User-Agent Strings
Spam Referrers
Spam Bots and Bad Bots
Nuisance or Unwanted Bots
Sites Linked to Lucrative Malware, Adware and Ransomware Clickjacking Campaigns
Vulnerability scanners
Gambling and Porn Web Sites
E-mail harvesters
Content scrapers
Link Ranking Bots
Aggressive bots that scrape content
Image Hotlinking Sites and Image Thieves
Bots or Servers linked to viruses or malware
Government surveillance bots
Botnet Attack Networks (Mirai)
Known Wordpress Theme Detectors (Updated Regularly)
SEO companies that your competitors use to try improve their SEO
Link Research and Backlink Testing Tools
Stopping Google Analytics Ghost Spam
Browser Adware and Malware (Yontoo etc)
(Over 4000 bad referers, spam referrers, user-agents, bad bots, bad IP's, porn, gambling and clickjacking sites, lucrative seo companies, wordpress theme detectors and counting).
Includes the creation of a google-exclude.txt file for creating filters / segments in Google Analytics.
Includes the creation of a google-disallow.txt file for use in Google Webmaster Tools.
I know you are always very busy developing CWP but i hope you can consider this suggestion of mine which i believe would be appreciated by all users of CWP (Centos Web Panel) and CWP (Centos Web Panel) PRO !
Thanks in advance for the support.
10
Varnish / Update Varnish v5.2.1 to the latest Varnish v6.3.1 for CWP and CWP PRO !
« on: December 28, 2019, 10:13:36 AM »
Hi,
First of all i wish to congratulate all the programmers of both CWP (Centos Web Panel) and CWP (Centos Web Panel) PRO for the excellent work they do and for the excellent product they have created, truly excellent from all points of view.
Congratulations also for the new and beautiful official website of CWP and CWP PRO https://control-webpanel.com/
Having said that, please update Varnish HTTP Cache v5.2.1 outdated version released over 2 years ago on 14 November 2017 to the latest version of Varnish HTTP Cache v6.3.1 which was released on 21 October, 2019 for CWP (Centos Web Panel) and CWP PRO (Centos Web Panel Pro) for Centos 7 !
This is the official link for this latest and stable release of Varnish HTTP Cache v6.3.1:
https://github.com/varnishcache/varnish-cache/releases/tag/varnish-6.3.1
This is the official link for the changelog of this latest and stable release of Varnish HTTP Cache v6.3.1:
https://github.com/varnishcache/varnish-cache/blob/6.3/doc/changes.rst
Thanks in advance for the support.
First of all i wish to congratulate all the programmers of both CWP (Centos Web Panel) and CWP (Centos Web Panel) PRO for the excellent work they do and for the excellent product they have created, truly excellent from all points of view.
Congratulations also for the new and beautiful official website of CWP and CWP PRO https://control-webpanel.com/
Having said that, please update Varnish HTTP Cache v5.2.1 outdated version released over 2 years ago on 14 November 2017 to the latest version of Varnish HTTP Cache v6.3.1 which was released on 21 October, 2019 for CWP (Centos Web Panel) and CWP PRO (Centos Web Panel Pro) for Centos 7 !
This is the official link for this latest and stable release of Varnish HTTP Cache v6.3.1:
https://github.com/varnishcache/varnish-cache/releases/tag/varnish-6.3.1
This is the official link for the changelog of this latest and stable release of Varnish HTTP Cache v6.3.1:
https://github.com/varnishcache/varnish-cache/blob/6.3/doc/changes.rst
Thanks in advance for the support.
11
Updates / Update MySQLTuner v1.7.9 to the latest MySQLTuner v1.7.19 for CWP and CWP PRO !
« on: December 28, 2019, 01:05:19 AM »
Hi,
First of all i wish to congratulate all the programmers of both CWP (Centos Web Panel) and CWP (Centos Web Panel) PRO for the excellent work they do and for the excellent product they have created, truly excellent from all points of view.
Congratulations also for the new and beautiful official website of CWP and CWP PRO https://control-webpanel.com/
Having said that, i ask you to consider from your next CWP (Centos Web Panel) and CWP (Centos Web Panel) PRO release,
updating MySQLTuner v1.7.9 to the latest version of MySQLTuner v1.7.19
This is the official link of the latest and stable MySQLTuner v1.7.19
https://raw.githubusercontent.com/major/MySQLTuner-perl/master/mysqltuner.pl
Thanks in advance for the support.
I know you are always very busy developing CWP but i hope you can consider this suggestion of mine which i believe would be appreciated by all users of CWP (Centos Web Panel) and CWP (Centos Web Panel) PRO !
Thanks in advance for the support.
First of all i wish to congratulate all the programmers of both CWP (Centos Web Panel) and CWP (Centos Web Panel) PRO for the excellent work they do and for the excellent product they have created, truly excellent from all points of view.
Congratulations also for the new and beautiful official website of CWP and CWP PRO https://control-webpanel.com/
Having said that, i ask you to consider from your next CWP (Centos Web Panel) and CWP (Centos Web Panel) PRO release,
updating MySQLTuner v1.7.9 to the latest version of MySQLTuner v1.7.19
This is the official link of the latest and stable MySQLTuner v1.7.19
https://raw.githubusercontent.com/major/MySQLTuner-perl/master/mysqltuner.pl
Thanks in advance for the support.
I know you are always very busy developing CWP but i hope you can consider this suggestion of mine which i believe would be appreciated by all users of CWP (Centos Web Panel) and CWP (Centos Web Panel) PRO !
Thanks in advance for the support.
12
PHP / CWP PRO - PHP FPM update to v7.3.13 failed: [: -ge: unary operator expected ...
« on: December 19, 2019, 01:19:12 PM »
Hi,
With new CWP PRO (Centos Web Panel Pro) v0.9.8.924 there is the possibility to upgrade to PHP-FPM v7.3.13 but unfortunately the upgrade does not work and returns this error:
[: -ge: unary operator expected
Failed to Download PHP version 7.3.13!
Please help me to solve this problem.
Thanks in advance for the support.
With new CWP PRO (Centos Web Panel Pro) v0.9.8.924 there is the possibility to upgrade to PHP-FPM v7.3.13 but unfortunately the upgrade does not work and returns this error:
[: -ge: unary operator expected
Failed to Download PHP version 7.3.13!
Please help me to solve this problem.
Thanks in advance for the support.
13
PHP Selector / Update PHP-FPM and his selector to the latest and stable PHP v7.4.1 for CWP PRO!
« on: December 18, 2019, 12:04:52 PM »
Hi,
First of all i wish to congratulate all the programmers of both CWP (Centos Web Panel) and CWP (Centos Web Panel) PRO for the excellent work they do and for the excellent product they have created, truly excellent from all points of view.
Congratulations also for the new and beautiful official website of CWP and CWP PRO https://control-webpanel.com/
Having said that, i ask you to consider from your next CWP (Centos Web Panel) PRO release,
updating PHP-FPM to the latest and stable version of PHP 7.4.1 which was released on 19 December, 2019.
I know you are always very busy developing CWP but i hope you can consider this suggestion of mine which i believe would be appreciated by all users of CWP (Centos Web Panel) PRO !
Thanks in advance for the support.
First of all i wish to congratulate all the programmers of both CWP (Centos Web Panel) and CWP (Centos Web Panel) PRO for the excellent work they do and for the excellent product they have created, truly excellent from all points of view.
Congratulations also for the new and beautiful official website of CWP and CWP PRO https://control-webpanel.com/
Having said that, i ask you to consider from your next CWP (Centos Web Panel) PRO release,
updating PHP-FPM to the latest and stable version of PHP 7.4.1 which was released on 19 December, 2019.
I know you are always very busy developing CWP but i hope you can consider this suggestion of mine which i believe would be appreciated by all users of CWP (Centos Web Panel) PRO !
Thanks in advance for the support.
14
Updates / Update phpMyAdmin to the latest phpMyAdmin v4.9.2 for CWP and CWP PRO !
« on: December 12, 2019, 11:14:08 AM »
Hi,
First of all i wish to congratulate all the programmers of both CWP (Centos Web Panel) and CWP (Centos Web Panel) PRO for the excellent work they do and for the excellent product they have created, truly excellent from all points of view.
Congratulations also for the new and beautiful official website of CWP and CWP PRO https://control-webpanel.com/
Having said that, i ask you to consider from your next CWP (Centos Web Panel) and CWP (Centos Web Panel) PRO release,
updating phpMyAdmin to the latest version of phpMyAdmin v4.9.2 which was released on 22 November, 2019.
If you use this command sh /scripts/mysql_phpmyadmin_update the result is that an obsolete version of phpMyAdmin is installed for CWP (Centos Web Panel) and CWP (Centos Web Panel) PRO which is phpMyAdmin v4.7.9 which was released on 05 March, 2018.
This is the official changelog link for phpMyAdmin v4.9.2: https://www.phpmyadmin.net/files/4.9.2/
Welcome to phpMyAdmin 4.9.2, a bugfix release that also contains a security fix.
This security fix is part of an ongoing effort to improve the security of the Designer feature.
There is also an improvement for how we sanitize Git version information shown on the home page, thanks to Ali Hubail.
This release includes fixes for many bugs, including:
- Fixes for the "Failed to set session cookie" error which relates to the cookie name. In some cases, data stored in the cookie (such as the previously-used user account) may not be loaded from a previous phpMyAdmin cookie the first time you run version 4.9.2
- Fix for Advisor with MySQL 8.0.3 and newer
- Fix PHP deprecation errors
- Fix a situation where exporting users after a delete query could remove users
- Fix incorrect "You do not have privileges to manipulate with the users!" warning
- Fix copying a database's privileges and several other problems moving columns with MariaDB
- Fix for phpMyAdmin not selecting all the values when using shift-click to select during Export
There are many, many more bug fixes thanks to the efforts of our developers and other contributors.
The phpMyAdmin team
This is the official changelog link for phpMyAdmin v4.9.1: https://www.phpmyadmin.net/files/4.9.1/
Welcome to phpMyAdmin 4.9.1, a bugfix release.
This is a regularly-schedule bugfix release that also includes some security hardening measures.
We wish to point out that this also includes a routine fix for an issue that has been reported as CVE-2019-12922. The fix for this has been in our release queue to be part of this release, however it is the opinion of the team that the reported attack vector did not justify a separate release.
This release includes fixes for many bugs, including:
- Editing columns with CURRENT_TIMESTAMP for MySQL versions 8.0.13 and newer
- Compatibility issues with PHP 8
- Export of GIS visualization
- Enhanced descriptions for several collation types
- Creating a user with a single quote in the password string
- Unexpected quotes during import and export on text fields
- Improvements to adding new tables to Designer
- Fix an issue where an authenticated user could trigger heavy traffic between the database server and web server
- Fix a weakness where an attacker, under certain conditions, working at the same time as an administrator is using the setup script, could delete a server from the setup script
There are many, many more bug fixes thanks to the efforts of our developers, Google Summer of Code applicants, and other contributors.
The phpMyAdmin team
This is the official changelog link for phpMyAdmin v4.9.0.1: https://www.phpmyadmin.net/files/4.9.0.1/
Welcome to phpMyAdmin 4.9.0.1, a bugfix release that includes important security fixes.
This release fixes two security vulnerabilities:
* PMASA-2019-3 is an SQL injection flaw in the Designer feature
* PMASA-2019-4 is a CSRF attack that's possible through the 'cookie' login form
Upgrading is highly recommended for all users. Using the 'http' auth_type instead of 'cookie' can mitigate the CSRF attack.
The solution for the CSRF attack does remove the former functionality to log in directly through URL parameters (as mentioned in FAQ 4.8, such as https://example.com/phpmyadmin/?pma_username=root&password=foo). Such behavior was discouraged and is now removed. Other query parameters work as expected; only pma_username and pma_password have been removed.
This release also includes fixes for many bugs, including:
- Several issues with SYSTEM VERSIONING tables
- Fixed json encode error in export
- Fixed JavaScript events not activating on input (sql bookmark issue)
- Show Designer combo boxes when adding a constraint
- Fix edit view
- Fixed invalid default value for bit field
- Fix several errors relating to GIS data types
- Fixed javascript error PMA_messages is not defined
- Fixed import XML data with leading zeros
- Fixed php notice, added support for 'DELETE HISTORY' table privilege (MariaDB >= 10.3.4)
- Fixed MySQL 8.0.0 issues with GIS display
- Fixed "Server charset" in "Database server" tab showing wrong information
- Fixed can not copy user on Percona Server 5.7
- Updated sql-parser to version 4.3.2, which fixes several parsing and linting problems
There are many, many more bug fixes thanks to the efforts of our developers, Google Summer of Code applicants, and other contributors.
The phpMyAdmin team
This is the official changelog link for phpMyAdmin v4.9.0: https://www.phpmyadmin.net/files/4.9.0/
Welcome to phpMyAdmin 4.9.0, a bugfix release that includes important security fixes.
This release fixes two security vulnerabilities:
* PMASA-2019-3 is an SQL injection flaw in the Designer feature
* PMASA-2019-4 is a CSRF attack that's possible through the 'cookie' login form
Upgrading is highly recommended for all users. Using the 'http' auth_type instead of 'cookie' can mitigate the CSRF attack.
The solution for the CSRF attack does remove the former functionality to log in directly through URL parameters (as mentioned in FAQ 4.8, such as https://example.com/phpmyadmin/?pma_username=root&password=foo). Such behavior was discouraged and is now removed. Other query parameters work as expected; only pma_username and pma_password have been removed.
This release also includes fixes for many bugs, including:
- Several issues with SYSTEM VERSIONING tables
- Fixed json encode error in export
- Fixed JavaScript events not activating on input (sql bookmark issue)
- Show Designer combo boxes when adding a constraint
- Fix edit view
- Fixed invalid default value for bit field
- Fix several errors relating to GIS data types
- Fixed javascript error PMA_messages is not defined
- Fixed import XML data with leading zeros
- Fixed php notice, added support for 'DELETE HISTORY' table privilege (MariaDB >= 10.3.4)
- Fixed MySQL 8.0.0 issues with GIS display
- Fixed "Server charset" in "Database server" tab showing wrong information
- Fixed can not copy user on Percona Server 5.7
- Updated sql-parser to version 4.3.2, which fixes several parsing and linting problems
There are many, many more bug fixes thanks to the efforts of our developers, Google Summer of Code applicants, and other contributors.
The phpMyAdmin team
This is the official changelog link for phpMyAdmin v4.8.5: https://www.phpmyadmin.net/files/4.8.5/
The phpMyAdmin team announces the release of phpMyAdmin version 4.8.5. Among other bug fixes, this contains several important security fixes. Upgrading is highly recommended for all users.
The security fixes involve:
* Arbitrary file read vulnerability (https://www.phpmyadmin.net/security/PMASA-2019-1)
* SQL injection in the Designer interface (https://www.phpmyadmin.net/security/PMASA-2019-2)
The arbitrary file read vulnerability could also be exploited to delete arbitrary files on the server. This attack requires that phpMyAdmin be run with the $cfg['AllowArbitraryServer'] directive set to true, which is not the default. An attacker must run a malicious server process that will masquerade as a MySQL server. This exploit has been found and fixed recently in several other related projects and appears to be caused by a bug in PHP (https://bugs.php.net/bug.php?id=77496).
In addition to the security fixes, this release also includes these bug fixes and more as part of our regular release cycle:
* Export to SQL format not available
* QR code not shown when adding two-factor authentication to a user account
* Issue with adding a new user in MySQL 8.0.11 and newer
* Frozen interface relating to Text_Plain_Sql plugin
* Table level Operations tab was missing
And several more. Complete notes are in the ChangeLog file included with this release.
As always, downloads are available at https://www.phpmyadmin.net/downloads/
This is the official changelog link for phpMyAdmin v4.8.4: https://www.phpmyadmin.net/files/4.8.4/
The phpMyAdmin team announces the release of phpMyAdmin version 4.8.4. Among other bug fixes, this contains several important security fixes. Upgrading is highly recommended for all users.
The security fixes involve:
* Local file inclusion (https://www.phpmyadmin.net/security/PMASA-2018-6/),
* XSRF/CSRF vulnerabilities allowing a specially-crafted URL to perform harmful operations (https://www.phpmyadmin.net/security/PMASA-2018-7/), and
* an XSS vulnerability in the navigation tree (https://www.phpmyadmin.net/security/PMASA-2018-8/)
In addition to the security fixes, this release also includes these bug fixes and more as part of our regular release cycle:
* Issue with changing theme
* Ensure that database names with a dot ('.') are handled properly when DisableIS is true
* Fix for message "Error while copying database (pma__column_info)"
* Move operation causes "SELECT * FROM `undefined`" error
* When logging with $cfg['AuthLog'] to syslog, successful login messages were not logged when $cfg['AuthLogSuccess'] was true
* Multiple errors and regressions with Designer
And several more. Complete notes are in the ChangeLog file included with this release.
Note that for this release, we experimented with a pre-release announcement so that hosting providers and package managers would have an opportunity to prepare for the security release. If this was helpful to you or if you have feedback about this technique, please let us know through the public list developers@phpmyadmin.net or privately at security@phpmyadmin.net. We may or may not decide use this behavior in the future and your feedback will help us decide whether it's beneficial to the community.
As always, downloads are available at https://www.phpmyadmin.net/downloads/
This is the official changelog link for phpMyAdmin v4.8.3: https://www.phpmyadmin.net/files/4.8.3/
The phpMyAdmin team is pleased to announce the release of phpMyAdmin version 4.8.2. Among other bug fixes, this contains a security fix for an issue that can be exploited when importing files.
A flaw was discovered with how warning messages are displayed while importing a file. This attack requires a specially-crafted file but can allow an attacker to trick the user in to executing a cross-site scripting (XSS) attack. We recommend updating immediately to mitigate this attack.
In addition to the security fixes, this release also includes these bug fixes and more as part of our regular release cycle:
* An error where a database is named 0
* Fix for NULL as default not being shown
* Fix for recent tables list
* Fix for slow performance with table filtering
* Two-factor authentication (2FA) fails if the GD PHP library is missing
* Event scheduler toggle does not work
* ERR_BLOCKED_BY_XSS_AUDITOR error when exporting a table
* PHP 7.3 warning: "continue" in "switch" is equal to "break"
And several more. Complete notes are in the ChangeLog file included with this release.
As always, downloads are available at https://www.phpmyadmin.net/downloads/
This is the official changelog link for phpMyAdmin v4.8.2: https://www.phpmyadmin.net/files/4.8.2/
The phpMyAdmin team is pleased to announce the release of phpMyAdmin version 4.8.2. Among other bug fixes, this contains an important security update and it is highly recommended that all users upgrade immediately.
The urgent vulnerability allows an authenticated attacker to exploit a phpMyAdmin feature to show and potentially execute files on the server. PHP open_basedir restrictions mitigate the effect of this flaw. For further details, see the PMASA announcement .
A second flaw was also fixed allowing an attacker to use a specially crafted database name to trick a user in to executing a cross-site scripting (XSS) attack in the Designer feature .
In addition to the security fixes, this release also includes these bug fixes as part of our regular release cycle:
* WHERE 0 clause causes a fatal error
* Fix missing "INDEX" icon
Downloads are available at https://www.phpmyadmin.net/downloads/
This is the official changelog link for phpMyAdmin v4.8.1: https://www.phpmyadmin.net/files/4.8.1/
Welcome to phpMyAdmin 4.8.1, a bug fix release.
A complete list of changes and bugs fixed is available from the ChangeLog file or changelog.php included with this release.
A few highlights of bugs fixed include:
* Fix to the scrollbar functionality and Browse table CSS overflow
* Dropping indexes and keys fails
* Show two factor (2FA) secret code next to QR image
* Configuration for DefaultLang and Lang
* MariaDB 10.2 'current_timestamp()'
* Remember table sorting is broken
Known issues:
* Unable to log in with MySQL 8.0.11 (bug #14220, see also https://bugs.php.net/bug.php?id=76243)
* A few users have reported being unable to log in with a persistent error message
"Failed to set session cookie. Maybe you are using HTTP instead of HTTPS". In some cases, clearing
the phpMyAdmin cookies ('pma*') resolves the issue.
As always, downloads are available from https://www.phpmyadmin.net
The phpMyAdmin team
This is the official changelog link for phpMyAdmin v4.8.0.1: https://www.phpmyadmin.net/files/4.8.0.1/
Welcome to phpMyAdmin 4.8.0.1, which fixes a security flaw found in phpMyAdmin.
This version fixes a security flaw found in version 4.8.0 where an attacker can manipulate
a user in to following a specially-crafted link, allowing the attacker to execute arbitrary
SQL commands on the server. For more information, please see
We recommend that all users upgrade.
The phpMyAdmin Team
This is the official changelog link for phpMyAdmin v4.8.0: https://www.phpmyadmin.net/files/4.8.0/
Welcome to phpMyAdmin version 4.8.0. We are excited to bring you this updated version with many new features and bug fixes. There are no changes to system requirements.
A complete list of new features and bugs that have been fixed is available in the ChangeLog file or changelog.php included with this release.
Major changes include security enhancements such as removing the PHP eval() function and authentication logging, a mobile interface to improve the interface when used with tablets or mobile phones, and two-factor authentication options.
A few highlights of the changes include:
* Allow the removal of individual segments from pie charts
* Improved database search to allow matching the exact phrase
* phpMyAdmin no longer requires using the PHP eval() function
* The mbstring dependency is now optional
* Authentication logging using $cfg['AuthLog']
* Add support for Google's Invisible Captcha
* Improved handling of reCAPTCHA
* Fixes to the JavaScript editor for TIME values
* Improved the editor for the JSON data type
* Add "Format" button to the edit view form
* Implement mobile interface
* There are now configuration directives to set defaults for Transformation options
* Allow Designer to show tables from other databases
* Add support for authentication using U2F and 2FA
* Designer: fix broken "Add tables from other database"
* Fix double escaping of ENUM dropdown
* Restore SQL query after session expires
* Query builder: Fix for new column not being added
* Fix for blank login page
* Changes to the handling of arg_separator for AJAX requests; see issue #13940
* Structure tab: fix silent failure to create new indexes
* Fix improperly escaped HTML code on the database structure page
* Fix JavaScript errors when using Internet Explorer (in particular when editing rows)
* Fix for broken error report
* Fix failed import
* Fix for "Cannot read property sql_query of undefined" errors
Much of this work is thanks to the hard work of our Google Summer of Code 2017 students.
Additionally, there have been continuous improvements to many of the translations. If you don't see your language or find a problem, you can contribute too; see for details.
As always, downloads are available at https://www.phpmyadmin.net
Thanks to our sponsors for helping to make this work possible!
The phpMyAdmin Team
I know you are always very busy developing CWP but i hope you can consider this suggestion of mine which i believe would be appreciated by all users of CWP (Centos Web Panel) and CWP (Centos Web Panel) PRO !
Thanks in advance for the support.
First of all i wish to congratulate all the programmers of both CWP (Centos Web Panel) and CWP (Centos Web Panel) PRO for the excellent work they do and for the excellent product they have created, truly excellent from all points of view.
Congratulations also for the new and beautiful official website of CWP and CWP PRO https://control-webpanel.com/
Having said that, i ask you to consider from your next CWP (Centos Web Panel) and CWP (Centos Web Panel) PRO release,
updating phpMyAdmin to the latest version of phpMyAdmin v4.9.2 which was released on 22 November, 2019.
If you use this command sh /scripts/mysql_phpmyadmin_update the result is that an obsolete version of phpMyAdmin is installed for CWP (Centos Web Panel) and CWP (Centos Web Panel) PRO which is phpMyAdmin v4.7.9 which was released on 05 March, 2018.
This is the official changelog link for phpMyAdmin v4.9.2: https://www.phpmyadmin.net/files/4.9.2/
Welcome to phpMyAdmin 4.9.2, a bugfix release that also contains a security fix.
This security fix is part of an ongoing effort to improve the security of the Designer feature.
There is also an improvement for how we sanitize Git version information shown on the home page, thanks to Ali Hubail.
This release includes fixes for many bugs, including:
- Fixes for the "Failed to set session cookie" error which relates to the cookie name. In some cases, data stored in the cookie (such as the previously-used user account) may not be loaded from a previous phpMyAdmin cookie the first time you run version 4.9.2
- Fix for Advisor with MySQL 8.0.3 and newer
- Fix PHP deprecation errors
- Fix a situation where exporting users after a delete query could remove users
- Fix incorrect "You do not have privileges to manipulate with the users!" warning
- Fix copying a database's privileges and several other problems moving columns with MariaDB
- Fix for phpMyAdmin not selecting all the values when using shift-click to select during Export
There are many, many more bug fixes thanks to the efforts of our developers and other contributors.
The phpMyAdmin team
This is the official changelog link for phpMyAdmin v4.9.1: https://www.phpmyadmin.net/files/4.9.1/
Welcome to phpMyAdmin 4.9.1, a bugfix release.
This is a regularly-schedule bugfix release that also includes some security hardening measures.
We wish to point out that this also includes a routine fix for an issue that has been reported as CVE-2019-12922. The fix for this has been in our release queue to be part of this release, however it is the opinion of the team that the reported attack vector did not justify a separate release.
This release includes fixes for many bugs, including:
- Editing columns with CURRENT_TIMESTAMP for MySQL versions 8.0.13 and newer
- Compatibility issues with PHP 8
- Export of GIS visualization
- Enhanced descriptions for several collation types
- Creating a user with a single quote in the password string
- Unexpected quotes during import and export on text fields
- Improvements to adding new tables to Designer
- Fix an issue where an authenticated user could trigger heavy traffic between the database server and web server
- Fix a weakness where an attacker, under certain conditions, working at the same time as an administrator is using the setup script, could delete a server from the setup script
There are many, many more bug fixes thanks to the efforts of our developers, Google Summer of Code applicants, and other contributors.
The phpMyAdmin team
This is the official changelog link for phpMyAdmin v4.9.0.1: https://www.phpmyadmin.net/files/4.9.0.1/
Welcome to phpMyAdmin 4.9.0.1, a bugfix release that includes important security fixes.
This release fixes two security vulnerabilities:
* PMASA-2019-3 is an SQL injection flaw in the Designer feature
* PMASA-2019-4 is a CSRF attack that's possible through the 'cookie' login form
Upgrading is highly recommended for all users. Using the 'http' auth_type instead of 'cookie' can mitigate the CSRF attack.
The solution for the CSRF attack does remove the former functionality to log in directly through URL parameters (as mentioned in FAQ 4.8, such as https://example.com/phpmyadmin/?pma_username=root&password=foo). Such behavior was discouraged and is now removed. Other query parameters work as expected; only pma_username and pma_password have been removed.
This release also includes fixes for many bugs, including:
- Several issues with SYSTEM VERSIONING tables
- Fixed json encode error in export
- Fixed JavaScript events not activating on input (sql bookmark issue)
- Show Designer combo boxes when adding a constraint
- Fix edit view
- Fixed invalid default value for bit field
- Fix several errors relating to GIS data types
- Fixed javascript error PMA_messages is not defined
- Fixed import XML data with leading zeros
- Fixed php notice, added support for 'DELETE HISTORY' table privilege (MariaDB >= 10.3.4)
- Fixed MySQL 8.0.0 issues with GIS display
- Fixed "Server charset" in "Database server" tab showing wrong information
- Fixed can not copy user on Percona Server 5.7
- Updated sql-parser to version 4.3.2, which fixes several parsing and linting problems
There are many, many more bug fixes thanks to the efforts of our developers, Google Summer of Code applicants, and other contributors.
The phpMyAdmin team
This is the official changelog link for phpMyAdmin v4.9.0: https://www.phpmyadmin.net/files/4.9.0/
Welcome to phpMyAdmin 4.9.0, a bugfix release that includes important security fixes.
This release fixes two security vulnerabilities:
* PMASA-2019-3 is an SQL injection flaw in the Designer feature
* PMASA-2019-4 is a CSRF attack that's possible through the 'cookie' login form
Upgrading is highly recommended for all users. Using the 'http' auth_type instead of 'cookie' can mitigate the CSRF attack.
The solution for the CSRF attack does remove the former functionality to log in directly through URL parameters (as mentioned in FAQ 4.8, such as https://example.com/phpmyadmin/?pma_username=root&password=foo). Such behavior was discouraged and is now removed. Other query parameters work as expected; only pma_username and pma_password have been removed.
This release also includes fixes for many bugs, including:
- Several issues with SYSTEM VERSIONING tables
- Fixed json encode error in export
- Fixed JavaScript events not activating on input (sql bookmark issue)
- Show Designer combo boxes when adding a constraint
- Fix edit view
- Fixed invalid default value for bit field
- Fix several errors relating to GIS data types
- Fixed javascript error PMA_messages is not defined
- Fixed import XML data with leading zeros
- Fixed php notice, added support for 'DELETE HISTORY' table privilege (MariaDB >= 10.3.4)
- Fixed MySQL 8.0.0 issues with GIS display
- Fixed "Server charset" in "Database server" tab showing wrong information
- Fixed can not copy user on Percona Server 5.7
- Updated sql-parser to version 4.3.2, which fixes several parsing and linting problems
There are many, many more bug fixes thanks to the efforts of our developers, Google Summer of Code applicants, and other contributors.
The phpMyAdmin team
This is the official changelog link for phpMyAdmin v4.8.5: https://www.phpmyadmin.net/files/4.8.5/
The phpMyAdmin team announces the release of phpMyAdmin version 4.8.5. Among other bug fixes, this contains several important security fixes. Upgrading is highly recommended for all users.
The security fixes involve:
* Arbitrary file read vulnerability (https://www.phpmyadmin.net/security/PMASA-2019-1)
* SQL injection in the Designer interface (https://www.phpmyadmin.net/security/PMASA-2019-2)
The arbitrary file read vulnerability could also be exploited to delete arbitrary files on the server. This attack requires that phpMyAdmin be run with the $cfg['AllowArbitraryServer'] directive set to true, which is not the default. An attacker must run a malicious server process that will masquerade as a MySQL server. This exploit has been found and fixed recently in several other related projects and appears to be caused by a bug in PHP (https://bugs.php.net/bug.php?id=77496).
In addition to the security fixes, this release also includes these bug fixes and more as part of our regular release cycle:
* Export to SQL format not available
* QR code not shown when adding two-factor authentication to a user account
* Issue with adding a new user in MySQL 8.0.11 and newer
* Frozen interface relating to Text_Plain_Sql plugin
* Table level Operations tab was missing
And several more. Complete notes are in the ChangeLog file included with this release.
As always, downloads are available at https://www.phpmyadmin.net/downloads/
This is the official changelog link for phpMyAdmin v4.8.4: https://www.phpmyadmin.net/files/4.8.4/
The phpMyAdmin team announces the release of phpMyAdmin version 4.8.4. Among other bug fixes, this contains several important security fixes. Upgrading is highly recommended for all users.
The security fixes involve:
* Local file inclusion (https://www.phpmyadmin.net/security/PMASA-2018-6/),
* XSRF/CSRF vulnerabilities allowing a specially-crafted URL to perform harmful operations (https://www.phpmyadmin.net/security/PMASA-2018-7/), and
* an XSS vulnerability in the navigation tree (https://www.phpmyadmin.net/security/PMASA-2018-8/)
In addition to the security fixes, this release also includes these bug fixes and more as part of our regular release cycle:
* Issue with changing theme
* Ensure that database names with a dot ('.') are handled properly when DisableIS is true
* Fix for message "Error while copying database (pma__column_info)"
* Move operation causes "SELECT * FROM `undefined`" error
* When logging with $cfg['AuthLog'] to syslog, successful login messages were not logged when $cfg['AuthLogSuccess'] was true
* Multiple errors and regressions with Designer
And several more. Complete notes are in the ChangeLog file included with this release.
Note that for this release, we experimented with a pre-release announcement so that hosting providers and package managers would have an opportunity to prepare for the security release. If this was helpful to you or if you have feedback about this technique, please let us know through the public list developers@phpmyadmin.net or privately at security@phpmyadmin.net. We may or may not decide use this behavior in the future and your feedback will help us decide whether it's beneficial to the community.
As always, downloads are available at https://www.phpmyadmin.net/downloads/
This is the official changelog link for phpMyAdmin v4.8.3: https://www.phpmyadmin.net/files/4.8.3/
The phpMyAdmin team is pleased to announce the release of phpMyAdmin version 4.8.2. Among other bug fixes, this contains a security fix for an issue that can be exploited when importing files.
A flaw was discovered with how warning messages are displayed while importing a file. This attack requires a specially-crafted file but can allow an attacker to trick the user in to executing a cross-site scripting (XSS) attack. We recommend updating immediately to mitigate this attack.
In addition to the security fixes, this release also includes these bug fixes and more as part of our regular release cycle:
* An error where a database is named 0
* Fix for NULL as default not being shown
* Fix for recent tables list
* Fix for slow performance with table filtering
* Two-factor authentication (2FA) fails if the GD PHP library is missing
* Event scheduler toggle does not work
* ERR_BLOCKED_BY_XSS_AUDITOR error when exporting a table
* PHP 7.3 warning: "continue" in "switch" is equal to "break"
And several more. Complete notes are in the ChangeLog file included with this release.
As always, downloads are available at https://www.phpmyadmin.net/downloads/
This is the official changelog link for phpMyAdmin v4.8.2: https://www.phpmyadmin.net/files/4.8.2/
The phpMyAdmin team is pleased to announce the release of phpMyAdmin version 4.8.2. Among other bug fixes, this contains an important security update and it is highly recommended that all users upgrade immediately.
The urgent vulnerability allows an authenticated attacker to exploit a phpMyAdmin feature to show and potentially execute files on the server. PHP open_basedir restrictions mitigate the effect of this flaw. For further details, see the PMASA announcement .
A second flaw was also fixed allowing an attacker to use a specially crafted database name to trick a user in to executing a cross-site scripting (XSS) attack in the Designer feature .
In addition to the security fixes, this release also includes these bug fixes as part of our regular release cycle:
* WHERE 0 clause causes a fatal error
* Fix missing "INDEX" icon
Downloads are available at https://www.phpmyadmin.net/downloads/
This is the official changelog link for phpMyAdmin v4.8.1: https://www.phpmyadmin.net/files/4.8.1/
Welcome to phpMyAdmin 4.8.1, a bug fix release.
A complete list of changes and bugs fixed is available from the ChangeLog file or changelog.php included with this release.
A few highlights of bugs fixed include:
* Fix to the scrollbar functionality and Browse table CSS overflow
* Dropping indexes and keys fails
* Show two factor (2FA) secret code next to QR image
* Configuration for DefaultLang and Lang
* MariaDB 10.2 'current_timestamp()'
* Remember table sorting is broken
Known issues:
* Unable to log in with MySQL 8.0.11 (bug #14220, see also https://bugs.php.net/bug.php?id=76243)
* A few users have reported being unable to log in with a persistent error message
"Failed to set session cookie. Maybe you are using HTTP instead of HTTPS". In some cases, clearing
the phpMyAdmin cookies ('pma*') resolves the issue.
As always, downloads are available from https://www.phpmyadmin.net
The phpMyAdmin team
This is the official changelog link for phpMyAdmin v4.8.0.1: https://www.phpmyadmin.net/files/4.8.0.1/
Welcome to phpMyAdmin 4.8.0.1, which fixes a security flaw found in phpMyAdmin.
This version fixes a security flaw found in version 4.8.0 where an attacker can manipulate
a user in to following a specially-crafted link, allowing the attacker to execute arbitrary
SQL commands on the server. For more information, please see
We recommend that all users upgrade.
The phpMyAdmin Team
This is the official changelog link for phpMyAdmin v4.8.0: https://www.phpmyadmin.net/files/4.8.0/
Welcome to phpMyAdmin version 4.8.0. We are excited to bring you this updated version with many new features and bug fixes. There are no changes to system requirements.
A complete list of new features and bugs that have been fixed is available in the ChangeLog file or changelog.php included with this release.
Major changes include security enhancements such as removing the PHP eval() function and authentication logging, a mobile interface to improve the interface when used with tablets or mobile phones, and two-factor authentication options.
A few highlights of the changes include:
* Allow the removal of individual segments from pie charts
* Improved database search to allow matching the exact phrase
* phpMyAdmin no longer requires using the PHP eval() function
* The mbstring dependency is now optional
* Authentication logging using $cfg['AuthLog']
* Add support for Google's Invisible Captcha
* Improved handling of reCAPTCHA
* Fixes to the JavaScript editor for TIME values
* Improved the editor for the JSON data type
* Add "Format" button to the edit view form
* Implement mobile interface
* There are now configuration directives to set defaults for Transformation options
* Allow Designer to show tables from other databases
* Add support for authentication using U2F and 2FA
* Designer: fix broken "Add tables from other database"
* Fix double escaping of ENUM dropdown
* Restore SQL query after session expires
* Query builder: Fix for new column not being added
* Fix for blank login page
* Changes to the handling of arg_separator for AJAX requests; see issue #13940
* Structure tab: fix silent failure to create new indexes
* Fix improperly escaped HTML code on the database structure page
* Fix JavaScript errors when using Internet Explorer (in particular when editing rows)
* Fix for broken error report
* Fix failed import
* Fix for "Cannot read property sql_query of undefined" errors
Much of this work is thanks to the hard work of our Google Summer of Code 2017 students.
Additionally, there have been continuous improvements to many of the translations. If you don't see your language or find a problem, you can contribute too; see for details.
As always, downloads are available at https://www.phpmyadmin.net
Thanks to our sponsors for helping to make this work possible!
The phpMyAdmin Team
I know you are always very busy developing CWP but i hope you can consider this suggestion of mine which i believe would be appreciated by all users of CWP (Centos Web Panel) and CWP (Centos Web Panel) PRO !
Thanks in advance for the support.
15
PHP Selector / Update PHP-FPM and his selector to the latest and stable PHP v7.4.0 for CWP PRO!
« on: December 10, 2019, 10:16:45 PM »
Hi,
First of all i wish to congratulate all the programmers of both CWP (Centos Web Panel) and CWP (Centos Web Panel) PRO for the excellent work they do and for the excellent product they have created, truly excellent from all points of view.
Congratulations also for the new and beautiful official website of CWP and CWP PRO https://control-webpanel.com/
Having said that, i ask you to consider from your next CWP (Centos Web Panel) PRO release,
updating PHP-FPM to the latest and stable version of PHP 7.4.0 which was released on 28 November, 2019.
I know you are always very busy developing CWP but i hope you can consider this suggestion of mine which i believe would be appreciated by all users of CWP (Centos Web Panel) PRO !
Thanks in advance for the support.
First of all i wish to congratulate all the programmers of both CWP (Centos Web Panel) and CWP (Centos Web Panel) PRO for the excellent work they do and for the excellent product they have created, truly excellent from all points of view.
Congratulations also for the new and beautiful official website of CWP and CWP PRO https://control-webpanel.com/
Having said that, i ask you to consider from your next CWP (Centos Web Panel) PRO release,
updating PHP-FPM to the latest and stable version of PHP 7.4.0 which was released on 28 November, 2019.
I know you are always very busy developing CWP but i hope you can consider this suggestion of mine which i believe would be appreciated by all users of CWP (Centos Web Panel) PRO !
Thanks in advance for the support.
Pages: [1] 2