@win20 no need to be assigned, announcing your intention here in the comment is sufficient.
Please let us know if you need assistance.
The image phpmyadmin:5.2.1-apache contains an old version of the Apache webserver which has several critical vulnerabilities: CVE-2023-25690 and CVE-2023-27522, which have a CVSS score of 9.8, as well as CVE-2006-20001, CVE-2022-36760 and CVE-2022-37436, which are CVSS rated 9.0. Please upgrade the Apache version ASAP to the latest version, at least 2.4.56, which is the version in which all those vulnerabilities had been fixed.
@felixtech-msp I believe this is fixed in the current Docker images, thank you very much for your report.
And they announced the rollback of this decision
Yes, but it isn't clear which (if any) of the more advanced features they'll be rolling out to us, such as the ability to automatically trigger rebuilds, use the API, or vulnerability monitoring. Those things exist with the official repository but haven't always been a consistent part of our free license.
unless the php apache2 image is fixed
It is running Apache 2.4.56, so based on the information in this ticket it has been fixed there.
I merged a new PR for a new TZ env, can you PR this to docker official repo?
That's now part of our phpmyadmin/phpmyadmin repository and I will send the PR to the official one.
We have added an environment variable to allow users to configure their timezone within the container.
There is no update to the underlying phpMyAdmin application, this is purely a docker image improvement.
It appears as if the "official repository" at https://hub.docker.com/_/phpmyadmin/ gets automatic updates, but the team project at https://hub.docker.com/r/phpmyadmin/ needs to be manually updated.
I'm not at my computer at the moment but will push the update for those when I'm able.
Thanks for the report.
Just this week, they've announced some changes to how the open source project tier works.
Add new sponsor easeus.com
Signed-off-by: Isaac Bennetch <bennetch@gmail.com>
Shoot, another case where we have a double negative in a config name. Good catch and thanks for submitting this. It looks fine to me.
Great, thanks for the work on this. Yes, 3.7 is installed, although not the default when calling /bin/env python, so it might need a tweak to update for that.
I'm not merging it right now because I don't have time tonight to fix anything if there are migration problems, so I'll hold off until I (or someone else) has time to devote to that, but I think it's ready to merge.
I'd like to just add a dark theme to the full regular official release, which would of course also be included in the Docker image. We have three good candidates for that right now, but darkwolf has been around for quite a while.
As an aside, I'd like to make it easier for people to upgrade themes between versions, I feel right now it's mostly trial-and-error and testing. I had hoped that https://github.com/phpmyadmin/phpmyadmin/wiki/Theme_Changes would help but I'm not sure if that's really that useful or being updated.
I would say that using an ENV tag to specify a theme to download would be acceptable, but my personal favorite solution is to allow users to mount the theme directory and manually put them there.
I do not think we should create more Docker tags.
On a quick look at the history of that other issue, it appears to me like we meant to target 4.9.x with the fix as well, but because it was handled outside of our usual security process I may have missed backporting it when performing the release. Good catch by @izsob.
I'll have to dig more in the commit history; I'm on mobile right now and it isn't easy to see all that information on one screen.
If that's true, we should fix this for QA_4_9, but we should also make sure the fix that's already in 5.x was correct. I agree with Kamil about the escaping here and appreciate the input.
Add new sponsor WorthEPenny
Signed-off-by: Isaac Bennetch <bennetch@gmail.com>
I think there's something called a "scheme" to allow themes to have multiple color variations. Metro (IIRC) used this, at least used to back in 4.9. I suspect it still does but I'm on mobile at the moment so it's hard to check.
It presents as an extra bit of text near the theme selector on the main page, a toggle between available schemes.
I don't recall implementation details off hand but remember it was used well by some themes.
Perhaps that's what you're looking for?
@williamdes We have some documentation on mounting themes at
Can you get to a command prompt on your NAS? If so, I'd try using the command line client to connect, try mysql -h 127.0.0.1 -u root -p and mysql -h localhost -u root -p, or use whichever username you usually have for this service instead of root.
Are you able to see that the MySQL server is actually running correctly? Some sort of process monitor or error log, but I am not super familiar with this WD software to know how to do that.
The MySQL manual has various instructions for resetting the root password, if you have sufficient access and need to, but it doesn't really make sense that this would randomly change so I would investigate other options first.
Which theme(s) are you trying to add? I wonder if they are compatible with your phpMyAdmin version.
I'm not sure that I understand; could you please give a little more information or an example?
Had you previously installed phpMyAdmin through your distribution package manager?
Sorry, but I don't understand the last question.
I was trying to ask if you have had phpMyAdmin installed in the past with your distribution's package manager (such as yum or apt). You've sorted it all out and worked around the problem, but I suspect that you still have the configuration files from an old phpMyAdmin installation, which can be cleaned up on Debian with apt purge phpmyadmin or the equivalent for your distribution. You could instead look at a list of which old files are left with dpkg -L phpmyadmin. Doing so shouldn't affect your manually installed phpMyAdmin and would clean up the leftover pieces.
That's quite odd.
Do you know which download file you used? The all languages, English only, gz, zip, etc?
One thing we should probably do, if we don't already do it, is check the database server version and not show that function on the insert/edit page if the server does not support it.
I know we've gone back and forth on that behavior for other areas of the user interface; it confuses people if they see an interface or option when connected to one server but not another, on the other hand we also confuse people if we show a function they can't use.