2020-03-21
Hello,
The phpMyAdmin team announces the release of both 4.9.5 and 5.0.2.
Both versions contain several security fixes:
We are removing the ability for users to set the "options" field for the external transformation. This feature allows users to pipe output directly to an executable file, but the options field presented a security risk, so the options must now be hard-coded directly in the transformation plugin file (where the program is configured). For further assistance, please reach out to our support team through email or GitHub pull request.
Version 5.0.3 also contains many bug fixes:
There are many other bug fixes; please see the ChangeLog file included with this release for full details.
Known shortcomings:
Due to changes in the MySQL authentication method, PHP versions prior to 7.4 are unable to authenticate to a MySQL 8.0 or newer server (our tests show the problem actually began with MySQL 8.0.11). This relates to a PHP bug https://bugs.php.net/bug.php?id=76243. There is a workaround, that is to set your user account to use the current-style password hash method, mysql_native_password. This unfortunate lack of coordination has caused the incompatibility to affect all PHP applications, not just phpMyAdmin. For more details, you can see our bug tracker item at https://github.com/phpmyadmin/phpmyadmin/issues/14220. We suggest upgrading your PHP installation to take advantage of the authentication methods.
As a reminder, phpMyAdmin 4.9 is in the long-term support phase where it will only get important security fixes and critical bug fixes. Users are encouraged to migrate to version 5.0.
Downloads are available now at https://phpmyadmin.net/downloads/
For the phpMyAdmin team, Isaac
2020-01-08
The phpMyAdmin team announces the release of versions 4.9.4 and 5.0.1.
As a reminder, version 4.x is in the LTS phase, where only security fixes and critical bug fixes are made. Users are encouraged to migrate to version 5.
These releases address two issues: a problem with two-factor authentication that was introduced with the last releases, and an SQL injection vulnerability that was reported by CSW Research Labs https://twitter.com/cswcyberworks. This vulnerability is assigned PMASA-2020-1 and requires that the attacker have logged in through a valid MySQL account.
Known issue: the reported current release version may display incorrectly on the main page (for instance, "Version information: 5.0.1, latest stable version: 4.9.4"). This is expected to be fixed in the next routine bug fix release.
Downloads are available at phpmyadmin.net.
Happy new year, the phpMyAdmin team
2019-12-26
Welcome to the release of phpMyAdmin version 5.0.0. This release is occurring simultaneously with version 4.9.3; except for users with old PHP installations, version 5.0.0 is the recommended version.
This release includes many new features and improvements from the 4.9 series. We expect to maintain version 4 in a security capacity to support users with older PHP installations. For full details about supported versions and end of life dates, see the "Supported versions" grid at https://www.phpmyadmin.net/downloads/.
With this release, we are removing support of old PHP versions (5.5, 5.6, 7.0, and HHVM). These versions are outdated and are no longer supported by the PHP team.
Version 5.0 includes many coding improvements that modernize the interface. Many of these changes are transparent to users, but make the code easier to maintain. Much of this refactoring work is completed by our contract developer, Maurício Meneghini Fauth. We always consider applications for new (paid) contract developers; see https://www.phpmyadmin.net/contractor/ for program details.
Some of the changes and new features include:
There are several more changes; please refer to the ChangeLog file included with the release for full details.
Known shortcomings:
Due to changes in the MySQL authentication method, PHP versions prior to 7.4 are unable to authenticate to a MySQL 8.0 or newer server (our tests show the problem actually began with MySQL 8.0.11). This relates to a PHP bug https://bugs.php.net/bug.php?id=76243. There is a workaround, that is to set your user account to use the current-style password hash method, mysql_native_password. This unfortunate lack of coordination has caused the incompatibility to affect all PHP applications, not just phpMyAdmin. For more details, you can see our bug tracker item at https://github.com/phpmyadmin/phpmyadmin/issues/14220. We suggest upgrading your PHP installation to take advantage of the authentication methods.
Downloads are available now at https://phpmyadmin.net/downloads/
Our work would not be possible without the donations of our generous sponsor, and this release in particular is brought to you thanks to the hard work of our Google Summer of Code students and many other contributors.
The phpMyAdmin team
2019-12-26
Welcome to phpMyAdmin 4.9.3, a routine bugfix release. This release is occurring simultaneously with the release of phpMyAdmin 5.0.0, which is our recommended version except for users with older PHP installations.
This is planned as the final bugfix release of phpMyAdmin version 4. Version 4 works with PHP versions 5.5 through (at least) 7.4, and MySQL versions 5.5 and newer (and the corresponding MariaDB versions). Version 5 will require PHP 7.1 or newer, but we plan to maintain security fixes for version 4 as part of our LTS program. For end of life details and supported versions, please see the "Supported versions" grid at https://www.phpmyadmin.net/downloads/.
This release includes fixes for many bugs, including:
There are many, many more bug fixes thanks to the efforts of our developers and other contributors. For full details, you can see the ChangeLog file included with this release.
The phpMyAdmin team
2019-11-22
Welcome to the first release candidate of phpMyAdmin 5.0.0. This release features a great number of new features and bug fixes.
This is expected to be the final release candidate before 5.0.0 is finalized. Please visit https://github.com/phpmyadmin/phpmyadmin/milestones to stay updated on the expected release date and known bugs.
Since 5.0.0-alpha1, there have been several bugfixes, none of which are particularly notable. For a complete comparison, you could visit https://github.com/phpmyadmin/phpmyadmin/compare/RELEASE_5_0_0ALPHA1..RELEASE_5_0_0RC1.
The following are the release notes from 5.0.0-alpha1:
With this release, we are removing support of old PHP versions (5.5, 5.6, 7.0, and HHVM). These versions are outdated and are no longer supported by the PHP team. Detailed requirement information is available in the documentation included with the download or at https://docs.phpmyadmin.net/en/latest/require.html. As shown at https://www.phpmyadmin.net/downloads/#support our current branch of 4.9.x is planned to remain supported for some time in an LTS capacity.
Some of the changes and new features include:
There are several more changes; please refer to the ChangeLog file included with the release for full details.
Known shortcomings:
Due to changes in the MySQL authentication method, PHP versions prior to 7.4 are unable to authenticate to a MySQL 8.0 or newer server (our tests show the problem actually began with MySQL 8.0.11). This relates to a PHP bug https://bugs.php.net/bug.php?id=76243. There is a workaround, that is to set your user account to use the current-style password hash method, mysql_native_password. This unfortunate lack of coordination has caused the incompatibility to affect all PHP applications, not just phpMyAdmin. For more details, you can see our bug tracker item at https://github.com/phpmyadmin/phpmyadmin/issues/14220.
Downloads are available now at https://phpmyadmin.net/downloads/
Our work would not be possible without the donations of our generous sponsor, and this release in particular is brought to you thanks to the hard work of our Google Summer of Code students and many other contributors.
For the team, Isaac
2019-11-22
Welcome to phpMyAdmin 4.9.2, a bugfix release that also contains a security fix.
This security fix is part of an ongoing effort to improve the security of the Designer feature and is designated PMASA-2019-5. There is also an improvement for how we sanitize Git version information shown on the home page, thanks to Ali Hubail.
This release includes fixes for many bugs, including:
There are many, many more bug fixes thanks to the efforts of our developers and other contributors.
The phpMyAdmin team
2019-09-21
Welcome to phpMyAdmin 4.9.1, a bugfix release.
This is a regularly scheduled bugfix release that also includes some security hardening measures.
We wish to point out that this also includes a routine fix for an issue that has been reported as CVE-2019-12922. The fix for this has been in our release queue to be part of this release; however, it is the opinion of the team that the reported attack vector did not justify a separate release.
This release includes fixes for many bugs, including:
There are many, many more bug fixes thanks to the efforts of our developers, Google Summer of Code applicants, and other contributors.
The phpMyAdmin team
2019-06-04
Welcome to phpMyAdmin 4.9.0.1, a bugfix release that includes important security fixes.
This release fixes two security vulnerabilities:
Version 4.9.0 mistakenly did not include a commit and 4.9.0.1 was quickly released to include that missing fix.
Upgrading is highly recommended for all users. Using the 'http' auth_type instead of 'cookie' can mitigate the CSRF attack.
The solution for the CSRF attack does remove the former functionality to log in directly through URL parameters (as mentioned in FAQ 4.8, such as https://example.com/phpmyadmin/?pma_username=root&password=foo). Such behavior was discouraged and is now removed. Other query parameters work as expected; only pma_username and pma_password have been removed.
As a result of the removal of this feature, we have decided the change in behavior justifies a version increase from 4.8.x to 4.9. We strive to adhere to Semantic Versioning principles, which prohibit removing features in patch releases. Previously version 4.8.x was intended as the LTS version supporting PHP 5.5; because of this change the LTS branch will now become version 4.9.x.
This release also includes fixes for many bugs, including:
There are many, many more bug fixes thanks to the efforts of our developers, Google Summer of Code applicants, and other contributors.
The phpMyAdmin team
edit 2019-06-05 - Added information about why this is 4.9.0 rather than 4.8.x.
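Because the 4.9.0.1 announcement above removes logins through the `pma_username` and `pma_password` URL parameters, any credentials passed that way may already be recorded in web-server access logs. The following Python script is an added example, not phpMyAdmin code: it finds those two parameters in the request target and the Referer field and redacts the password value. It assumes the Apache/nginx "combined" log format, and the sample lines are constructed.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed sample lines in "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [03/Jun/2019:10:12:01 +0000] "GET /phpmyadmin/?pma_username=root&pma_password=foo HTTP/1.1" 200 5120 "-" "curl/7.64.0"
203.0.113.7 - - [03/Jun/2019:10:12:05 +0000] "GET /phpmyadmin/index.php?db=shop&table=orders HTTP/1.1" 200 8841 "-" "Mozilla/5.0"
198.51.100.23 - - [03/Jun/2019:11:40:17 +0000] "GET /phpmyadmin/index.php?server=1&pma_username=report HTTP/1.1" 200 4312 "-" "Mozilla/5.0"
192.0.2.50 - - [03/Jun/2019:12:02:44 +0000] "POST /phpmyadmin/index.php HTTP/1.1" 302 0 "https://example.com/phpmyadmin/?pma_username=backup&pma_password=s3cret%21" "Mozilla/5.0"
"""

# Assumed layout: client, ident, user, [time], "METHOD target PROTO", status, size, "referer", "agent"
LINE_RE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"'
)
LOGIN_PARAMS = {"pma_username", "pma_password"}  # the two parameters named in the announcement

def redact(url):
    """Return (login params present, URL with the pma_password value masked)."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    found = sorted({k for k, _ in pairs if k in LOGIN_PARAMS})
    safe = [(k, "REDACTED" if k == "pma_password" else v) for k, v in pairs]
    return found, parts._replace(query=urlencode(safe)).geturl()

def scan(lines):
    """Report every log line whose request target or Referer carries a login parameter."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed format; skip rather than guess
        for field in ("target", "referer"):
            params, safe = redact(m[field])
            if params:
                findings.append({
                    "line": n, "client": m["client"], "time": m["time"],
                    "field": field, "params": params,
                    "password_logged": "pma_password" in params, "url": safe,
                })
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(finding)
```

Entries with `password_logged` set identify accounts whose passwords should be rotated, and the client addresses show which scripts or bookmarks still rely on the removed login method.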
2019-05-07
The phpMyAdmin project is excited to announce our student projects for the 2019 Google Summer of Code. We've had many great applicants and it is unfortunate that we were only able to accept these three.
This year, the mentors from phpMyAdmin were pleased with the amount of student support; many students joined the conversation on Gitter and other forums to help other students with their applications and offer their support of each other. This response was overwhelming and reflects wonderfully on the student applicants.
Students who were not selected are welcome to continue to contribute to the phpMyAdmin community and, for those who will be eligible next year, we hope you'll apply again.
Summer of Code is a Google initiative where Google funds college students getting paid for real-world experience and mentorship through open source projects. For many students, this is the first exposure to an open source project. Several phpMyAdmin team members have started as GSoC students. This marks phpMyAdmin's tenth year of participation in GSoC.
2019-01-26
The phpMyAdmin team announces the release of phpMyAdmin version 4.8.5. Among other bug fixes, this contains several important security fixes. Upgrading is highly recommended for all users.
The security fixes involve:
The arbitrary file read vulnerability could also be exploited to delete arbitrary files on the server. This attack requires that phpMyAdmin be run with the $cfg['AllowArbitraryServer'] directive set to true, which is not the default. An attacker must run a malicious server process that will masquerade as a MySQL server. This exploit has been found and fixed recently in several other related projects and appears to be caused by a bug in PHP (https://bugs.php.net/bug.php?id=77496).
In addition to the security fixes, this release also includes these bug fixes and more as part of our regular release cycle:
And several more. Complete notes are in the ChangeLog file included with this release.
As always, downloads are available at https://www.phpmyadmin.net/downloads/