phpMyAdmin-4.9.7-bp152.2.6.1

- Update to 4.9.11
  This is a security and bugfix release.
  * Fix for boo#1208186 (CVE-2023-25727, PMASA-2023-1, CWE-661)
    XSS vulnerability in drag-and-drop upload
  - An XSS vulnerability has been discovered where an authenticated
    user can trigger an XSS attack by uploading a specially-crafted
    .sql file through the drag-and-drop interface.

- update changes file
  * fix missing bugzilla information

- Use system apache rpm macros

- phpMyAdmin 4.9.7:
  * Fix two factor authentication that was broken in 4.9.6
  * Fix incompatibilities with older PHP versions

- fix for boo#1170743
  phpMyAdmin installation wipes it's sysconfig apache_server_flag entry

- Don't expand @FQDN@ from /etc/HOSTNAME (this used to set
  $cfg['PmaAbsoluteUri'] parameter, but this variable is no longer
  in the config.sample.ini file)

- Drop python-devel BuildRequires: python2 is EOL and this seems
  unused.
- Drop xz BuildRequires: OBS takes care of unpacking the tarball.

- fix for boo#1092345
  * change ap_docroot from /srv/www/htdocs to /usr/share
    work is based on changes provided by ecsos@opensuse.org
    if phpMyAdmin.conf for apache was changed by local admin, we will
    create a backup and replace the original file with the new version
    sorry admins, but you need to apply your changes again
  * needed Alias /phpMyAdmin is an enabled APACHE_SERVER_FLAGS default
    for more info have a look into /etc/apache2/conf.d/phpMyAdmin.conf
- cleanup tmp/twig on
  * uninstall
  * ap_docroot change

- phpMyAdmin 4.9.7 (boo#1177842):
  * Fix two factor authentication that was broken in 4.9.6
  * Fix incompatibilities with older PHP versions

- Update to 4.9.6
    This is a security release.
- Fix boo#1177561 (CVE-2020-26934, PMASA-2020-5) XSS relating to
  the transformation feature
- Fix boo#1177562 (CVE-2020-26935, PMASA-2020-6) SQL injection
  vulnerability in SearchController

- Update to 4.9.5
  This is a security release containing several bug fixes.
  * CVE-2020-10804: SQL injection vulnerability in the user
    accounts page, particularly when changing a password
    (boo#1167335, PMASA-2020-2)
  * CVE-2020-10802: SQL injection vulnerability relating to the
    search feature (boo#1167336, PMASA-2020-3)
  * CVE-2020-10803: SQL injection and XSS having to do with
    displaying results (boo#1167337, PMASA-2020-4)
  * Removing of the "options" field for the external
    transformation.

- update to 4.9.4 (2020-01-07)
  * https://github.com/phpmyadmin/phpmyadmin/blob/RELEASE_4_9_4/ChangeLog
- fix for boo#1160456
  * PMASA-2020-1 (CVE-2020-5504, CWE-661)
    https://www.phpmyadmin.net/security/PMASA-2020-1/
  - SQL injection in user accounts page
- fix changes about corresponding PMASA

- phpMyAdmin 4.9.3
  * Several PHP notices and warnings including "Undefined index
    table_create_time," a notice about error_reporting() being
    disabled for security reasons, and several Undefined Index
    errors.
  * Support CloudFront-Forwarded-Proto header for Amazon CloudFront
    proxy
  * Early compatibility with development versions of PHP 8
  * Fix replication actions (start, stop, etc)

- phpMyAdmin 4.9.2:
  * CVE-2019-18622: SQL injection in Designer feature (PMASA-2019-5, boo#1157614)
  * Fixes for "Failed to set session cookie" error
  * Advisor with MySQL 8.0.3 and newer
  * Fix PHP deprecation errors
  * Fix a situation where exporting users after a delete query could
    remove users
  * Fix incorrect "You do not have privileges to manipulate with the
    users!" warning
  * Fix copying a database's privileges and several other problems
    moving columns with MariaDB
  * Fix for phpMyAdmin not selecting all the values when using
    shift-click to select during Export

- phpMyAdmin 4.9.1:
  * CVE-2019-12922: hardening against CSRF (no PMASA, boo#1150914)
  * Editing columns with CURRENT_TIMESTAMP for MySQL versions 8.0.13
    and newer
  * Compatibility issues with PHP 8
  * Export of GIS visualization
  * Enhanced descriptions for several collation types
  * Creating a user with a single quote in the password string
  * Unexpected quotes during import and export on text fields
  * Improvements to adding new tables to Designer
  * Fix an issue where an authenticated user could trigger heavy
    traffic between the database server and web server
  * Fix a weakness where an attacker, under certain conditions,
    working at the same time as an administrator is using the setup
    script, could delete a server from the setup script

- fix changelog
  * add missing boo# with relation to CVE and PMASA
- rebase phpMyAdmin-config.patch

- phpMyAdmin 4.9.0.1:
  * Several issues with SYSTEM VERSIONING tables
  * Fixed json encode error in export
  * Fixed JavaScript events not activating on input
    (sql bookmark issue)
  * Show Designer combo boxes when adding a constraint
  * Fix edit view
  * Fixed invalid default value for bit field
  * Fix several errors relating to GIS data types
  * Fixed javascript error PMA_messages is not defined
  * Fixed import XML data with leading zeros
  * Fixed php notice, added support for 'DELETE HISTORY' table
    privilege (MariaDB >= 10.3.4)
  * Fixed MySQL 8.0.0 issues with GIS display
  * Fixed "Server charset" in "Database server" tab showing wrong
    information
  * Fixed can not copy user on Percona Server 5.7
  * Updated sql-parser to version 4.3.2, which fixes several
    parsing and linting problems
- fix for boo#1137497
  * PMASA-2019-4 (CVE-2019-12616, CWE-661)
    https://www.phpmyadmin.net/security/PMASA-2019-4/
  - CSRF vulnerability in login form
- fix for boo#1137496
  * PMASA-2019-3 (CVE-2019-11768, CWE-661)
    https://www.phpmyadmin.net/security/PMASA-2019-3/
  - SQL injection in Designer feature

- phpMyAdmin 4.8.5:
  * CVE-2019-6799: Arbitrary file read vulnerability (PMASA-2019-1,
    bsc#1123272)
  * CVE-2019-6798: SQL injection in the Designer interface
    PMASA-2019-2, bsc#1123271)
  * Fix rxport to SQL format not available
  * Fix QR code not shown when adding two-factor authentication to
    a user account
  * Fix issue with adding a new user in MySQL 8.0.11 and newer
  * Fix frozen interface relating to Text_Plain_Sql plugin
  * Fix missing table level operations tab

- update to 4.8.4 (2018-12-11)
  - gh#14452 Remove hash param in edit query URL
  - gh#14295 Issue in Changing theme
  - gh#13267 Ensure that database names with '.' are handled
    properly when DisableIS is true
  - gh#14438 Invisible Icon "Show Full Queries"
  - gh#14133 CSS issue in Designer
  - gh#14447 Error while copying database (pma__column_info)
  - gh#14571 "No database selected" - DROP a view
  - gh#14636 Move operation causes SELECT * FROM `undefined`
  - gh#14630 Enum '0' produces incorrect search SQL
  - gh#14223 Fix TypeError in database designer
  - gh#13621 QBE selenium tests broken since merge of #13342
  - gh#14672 When logging with $cfg['AuthLog'] to syslog,
    successful login messages were not logged even if
    $cfg['AuthLogSuccess'] was true.
  - gh#14339 Fix infinite loop when sorting table rows by key.
  - gh#14658 Regression on multi table query functionality
    (foreign keys)
  - gh#14617 Fix designer errors when database is empty
  - gh#13032 Fix designer errors when database contains special
    chars
  - gh#14352 Fix designer javascript errors
  - gh#14764 Fix left/right icons hidden
- fix for boo#1119245
  - PMASA-2018-6 (CVE-2018-19968, CWE-661)
    https://www.phpmyadmin.net/security/PMASA-2018-6/
  - PMASA-2018-7 (CVE-2018-19969, CWE-661)
    https://www.phpmyadmin.net/security/PMASA-2018-7/
  - PMASA-2018-8 (CVE-2018-19970, CWE-661)
    https://www.phpmyadmin.net/security/PMASA-2018-8/

- update to 4.8.3 (2018-08-22)
  - gh#14314 Error when naming a database '0'
  - gh#14333 Fix NULL as default not shown
  - gh#14229 Fixes issue with recent table list
  - gh#14045 Fix slow performance on DB structure filtering
  - gh#14327 Fix Editing server variable not showing save or cancel
    option
  - gh#14377 Populate options for view create and edit
  - gh#14171 2FA configuration fails if PHP doesn't have GD support
  - gh#14390 Can't unhide tables
  - gh#14382 "Visualize GIS data" icon missing
  - gh#14435 Event scheduler status toggle doesn't work
  - gh#14365 View not working on multiple servers
  - gh#14207 Partition actions in table structure do not work
  - gh#14375 Fixes ERR_BLOCKED_BY_XSS_AUDITOR on export table
  - gh#14552 Blank message shown instead of MySQL error when adding
    trigger and other locations
  - gh#14525 Fix PHP 7.3 warning: "continue" in "switch" is equal
    to "break"
  - gh#14554 Icon missing when creating a new trigger, routine,
    and event
  - gh#14422 Table comment not showing since 4.8.1
  - gh#14426 Drop table doesn't work when you copy tables to
    another database
  - gh#14581 Escaped HTML in 'Add a new server' setup
  - gh#14548 [security] HTML injection in import warning messages,
    see PMASA-2018-5
- fix for boo#1105726
  - PMASA-2018-5 (CVE-2018-15605, CWE-661)
    https://www.phpmyadmin.net/security/PMASA-2018-5/

- fix for boo#1103305
  * add missing dependency for php-ctype

- update to 4.8.2 (2018-06-21)
  * issue #14370 WHERE 0 causes Fatal error
  * issue #14225 Fix missing index icon
- fix for boo#1098752
  * PMASA-2018-3 (CVE-2018-12581, CWE-661)
    https://www.phpmyadmin.net/security/PMASA-2018-3/
  - XSS in Designer feature
- fix for boo#1098751
  * PMASA-2018-4 (CVE-2018-12613, CWE-661)
    https://www.phpmyadmin.net/security/PMASA-2018-4/
  - File inclusion and remote code execution attack
- some minor changelog fixes about security fix entries

- update to 4.8.1 (2018-05-25)
  * gh#12772 Fix case where the central columns attributes don't
    get filled in
  * gh#14049 Fix case where the query builder doesn't work when
    selected column is *
  * gh#14029 Revert "Browse" table CSS overflow
  * gh#14241 Dropping indexes and foreign keys fail
  * gh#14227 Relational linking broken
  * gh#14246 Fixed error in configuration storage zero config
  * gh#14128 Show 2FA Secret next to QR code
  * gh#14212 XML Export from single table throws fatal error
  * gh#14239 Line and some other charts ignore result set order of
    values chosen for the x-axis
  * gh#14260 Fixed configuration for DefaultLang and Lang
  * gh#14264 Linking for 'Distinct values' broken
  * gh#13968 Fix MariaDB 10.2 current_timestamp()
  * gh#14249 Fix for missing go button in view edit
  * gh#14125 Fix for issues with spatial fields
  * gh#14189 Remember table's sorting broken
  * gh#14289 Fix multi-column sorting
  * gh#14278 Fix central columns in-line edit bug
  * gh#14066 Fix AUTO_INCREMENT error when only exporting table
    structure in database-level exports
  * gh#13893 Simulating queries produces unexpected results
  * gh#14309 Setup script icons missing

- update to 4.8.0.1 (2018-04-19)
- fix for boo#1090309
  * PMASA-2018-2 (CVE-2018-10188, CWE-661)
    https://www.phpmyadmin.net/security/PMASA-2018-2/
  - Multiple CSRF vulnerabilities

- fix wrong require /usr/bin/bash to /bin/bash so phpMyAdmin could
  install
- insert missing templates dir in htaccess
  See https://docs.phpmyadmin.net/de/latest/setup.html#securing-your-phpmyadmin-installation
- create tmp dir and insert this in htaccess to fix the errormessage
  after login

- spec clean up
  * Let rpm find the library dependencies by itself. Remove
    unneeded explicit Requires: tags (php-zlib)
  * Remove logic for obsolete openSUSE releases
  * Ignore pem-certificate rpmlint warning (see
    libraries/certs/README.rst)
  * Remove hidden .github, .php_cs.dist, .scrutinizer.yml and
    .editorconfig
  * Remove php_twig.h and twig.c (devel)
  * Set proper shebang for bash and php scripts
  * Make phpmyadmin/sql-parser/bin/*-query and
    paragonie/random_compat/*.sh executable

- update to 4.8.0 (2018-04-07)
  * gh#12946 Allow to export JSON with unescaped unicode chars
  * gh#12983 Disable login button without solved reCaptcha
  * gh#12315 Allow to remove individual segments from pie charts
  * gh       Change label from "Improve table structure" to
  "Normalize" to match standard terminology
  * gh#13087 Offer login as different user on access denied from
  MySQL
  * gh#13110 Indicate when HTTPS is not properly reported on the
  server
  * gh#13119 No database selected error when adding foreign key
  * gh#12388 Improved database search to allow search for exact
  phrase match
  * gh#13099 Report error when trying to copy database to same
  name
  * gh#13167 Themes now have to contain metadata in theme.json
  * gh#6363  phpMyAdmin no longer requires eval() in PHP
  * gh#12386 The mbstring dependency is now optional
  * gh#13269 Small refactoring in preparation to CSP
  * gh#13384 Database link broken in Databases Page
  * gh#13391 Configurable authentication logging using
  $cfg['AuthLog']
  * gh#13086 Add support for Google Invisible Captcha
  * gh#13058 Improved error reporting for reCAPTCHA
  * gh#12899 Improved rendering of server variables table
  * gh#12948 Fixed javascript editor for TIME values
  * gh#13095 Fixed alignment of foreign keys editing
  * gh#12944 Improved inline editor for JSON
  * gh#13145 Improved layout of operations pages
  * gh#13448 Add "format" query button in edit view form
  * gh#6241  Implement Responsive Design/mobile interface
  * gh       Use a single location for classes under PhpMyAdmin
  namespace
  * gh#12354 Indicate SSL status on main page
  * gh#5666  Configuration directives for defaults of Transformation
  options
  * gh#12261 Remove inline JavaScript
  * gh#13408 Show MySQL warnings when executing SQL queries
  * gh#5827  Allow Designer to show tables from other databases
  * gh#13268 Replace Query-By-Example with multi-table query
  generator interface
  * gh#13576 Add privileges export to per-database listing
  * gh       Consolidate functions into class files
  * gh#13560 Add support for changing collation for all tables and
  columns in database
  * gh#13303 Add support for creating fulltext index from table
  structure
  * gh#13711 Lower default value for $cfg['MaxExactCount']
  * gh#13722 DisableIS is not fully honored
  * gh#6197  Added support for authentication using U2F and 2FA
  * gh#13480 Avoid removing cookies on upgrade
  * gh#13397 Remember state of navigation panel
  * gh#11688 Reduced cookie usage
  * gh#13466 Better utilization of user preferences
  * gh#14042 Rename PMD to Designer
  * gh#13940 Honor arg_separator in AJAX requests
  * gh#14060 Can't edit rows in Internet Explorer
  * gh#14096 Internet Explorer compatibility; fixes JavaScript error
  Object doesn't support property or method 'startsWith'

- update to 4.7.9 (2018-03-05)
  * gh#13931 Fixed browsing tables with more results
  * gh#13927 "Not an integer" when browsing a table
  * gh#13887 "Input variables exceeded 1000" error relating
    to PHP's max_input_vars directive

- phpMyAdmin 4.7.8:
  * Fixed error handling with PHP 7.2
  * Fixed resetting default setting values
  * Fixed fallback value for collation connection
- fix for boo#1082188
  * PMASA-2018-1 (CVE-2018-7260, CWE-661)
    https://www.phpmyadmin.net/security/PMASA-2018-1/
  - Fix XSS in Central Columns Feature

- phpMyAdmin 4.7.7:
  * Fixed displaying of formatted numeric values for some locales
  * Ensure datetimepicker is always loaded for datetime fields
  * Fixed PHP error when browsing certain results
  * Fix XSRF/CSRF vulnerability (bsc#1074066, PMASA-2017-09)
    CVE-2017-1000499

- update to 4.7.6 (2017-11-29)
  * gh#13517 Fixed check all interaction with filtering
  * gh#13803 Add SJIS-win to default list of allowed charsets
  * gh#13436 Improve detection that MySQL server needs SSL connection
  * gh#13038 Support JSON datatype on MariaDB 10.2.7 and newer
  * gh#13824 Fixed constructing ALTER query with AFTER
  * gh#13821 Lock page when changes are done in the SQL editor
  * gh#13842 Prefer iconv for encoding conversions
  * gh#13737 Fixed changing password on MariaDB cluster

- fix for boo#1057661
  * no longer require php_mod_any (recommend it instead)
  * only enable php5 / php7 if running Apache prefork MPM
- fix %post
  * use sed instead of grep/awk to determine PHP version

- update to 4.7.5 (2017-10-23)
  * gh#13615 Avoid problems with browsing unknown query types
  * gh#13612 Integrate tooltip into datetime pickers
  * gh#13628 Fixed javascript error in server monitor
  * gh#13444 Fixed server monitor on non Linux and Windows systems
  * gh#13633 Reload javscript messages when changing language
  * gh#13604 Fixed crash on invalid ordering data
  * gh#13639 Fixed error when browsing non SELECT results
  * gh#13533 Fixed saving column to display
  * gh#13647 Fixed export of tables with VIRTUAL columns
  * gh#13669 Fixed selecting multiple rows accidentally selects
    the next row too
  * gh#13513 Fixed edit index Column alignment issue
  * gh#13515 Fixed rendering of add index dialog
  * gh#13710 Fixed possible error in server advisor
  * gh#13477 Fixed setting input transformations
  * gh#13552 Fixed IPv4/IPv6 To Binary input transformation
  * gh#13686 Clicking on column name to trigger sort with an active
    search leads to logout
  * gh#13725 Fixed copying tables with specific PARTITION
    definition
  * gh#13761 Fixed listing of bookmarks for a database

- fix recommends
  * php5-curl -> php-curl
  * php5-zip -> php-zip
- fix post step
  * enable correct phpX module

- update to 4.7.4
  * gh#13415 Remove shadow from the logo
  * gh#13507 Fixed per server theme feature
  * gh#13523 Missing newline in ALTER exports
  * gh#13414 Fixed several compatibility issues with PHP 7.2
  * gh#13550 Fixed copy results to clipboard
  * gh#13562 Add limitation for user group length
  * gh#13561 Fixed edit variable link in advisor
  * gh#13579 Optimize table link should not be visible in print
    page
  * gh#13553 Improved error handling on corrupted tables
  * gh#13512 Fixed rendering of add index dialog
  * gh#13606 Fixed refreshing server variables

- fix for boo#1050980
  * replace mcrypt with openssl, see
    https://github.com/phpseclib/phpseclib/issues/1028
- update changes (update to 4.6.6 (2017-01-23))
  * add missing (CVE-Not yet available) CVE's

- update to 4.7.3
  * gh#13447 Large multi-line query removes Export operation and
    blanks query box options
  * gh#13445 Fixed rendering of query results
  * gh#13437 Fixed version check when not connected to a database
  * gh#13465 Fixed creating relation
  * gh#13475 Fixed export without backquotes
  * gh#13482 Improved handling of uploaded files with open_basedir
  * gh#13387 Fixed inline editing of hex values
  * gh#13382 Fixed size of index edit dialog
  * gh#13489 Fixed rendering SQL lint errors
  * gh#13468 Avoid breakage if set_time_limit is disabled
  * gh#13471 Fail if ini_set/ini_get are disabled
  * gh#13436 Automatically connect using SSL when server is
    configured so
  * gh#13478 Fixed usage of some browser transformations

- update to 4.7.2 (2017-06-29)
  * gh#13314 Make theme selection keep current server
  * gh#13311 Fixed direct login for accounts without password
  * gh#13316 Fixed check for mbstring.func_overload
  * gh#13323 Fixed wrong encoding of table at triggers
  * gh#12976 Fixed natural sorting in several places
  * gh#12718 Show warning for users removed from mysql.user table
  * gh#13362 Fixed loading additional javascripts
  * gh#13343 Fixed editing QBE
  * gh#13193 Improved documentation on user settings
  * gh#13092 Gracefully handle early fatal errors in AJAX requests
  * gh#13327 Fixed Incorrect NavigationTreeEnableExpansion default
    value in the documentation
  * gh#13008 Fixed export of database with a lot of tables
  * gh#13318 Improved performance when importing with enabled
    tracking
  * gh#13386 Avoid PHP errors with non existing configuration on
    OS X
  * gh#13388 Show only supported charsets for conversion
  * gh#13392 Fixed operation with session.auto_start enabled
  * gh#13383 "Create PHP code" is broken
  * gh#13189 Fixed links to resume timeouted import

- update to 4.7.1 (2017-05-25)
  * gh#13132 Always execute tracking queries as controluser
  * gh#13125 Focus on SQL editor after inserting field name
  * gh#13133 Fixed broken links in setup
  * gh#13135 Database list Tooltips: Show wrong value
  * gh#13150 Fixed pagination while browsing resuls
  * gh#13149 Fixed outbound links in changelog.php
  * gh#13146 Do not include devel dependencies in the release
  * gh#13144 Do not show New as a database in database dropdown
  * gh#13130 Fixed handling of errors in AJAX requests
  * gh#13152 Fixed PHP error in case of invalid table preferences
  * gh#13154 Fixed PHP error on password change
  * gh#13219 Fix Refresh of Process List
  * gh#13182 Fix refresh of long queries
  * gh#12301 Improved handling of logout with disabled
    LoginCookieDeleteAll
  * gh#13216 Add support for MySQL 8.0 collations
  * gh#13218 Fixed rendering of phpMyAdmin logos
  * gh#13234 Properly report not working sessions
  * gh#13256 Fixed password check on server replication
  * gh#13252 Fixed grid editing time column
  * gh#13258 Fixed detection of Amazon RDS
  * gh#13241 Redirect user to last page that has any tables to
    display
  * gh#13266 Fix link to User accounts overview page
  * gh#13274 Fix error in query builder
  * gh#13177 Grid editing repeats action after error

- restore phpMyAdmin-pma.patch
  * because it is NOT upstream and needed for configuration storage
- restore previous phpMyAdmin-config.patch
  * merge with upstream config VAR changes
  - removed $cfg['Servers'][$i]['designer_coords']