SecurityTracker.com
Category:  Application (Generic)  >  Webmin
Vendors:  Cameron, Jamie
(Debian Issues Fix) Webmin Discloses Module Configuration Data to Remote Authenticated Users
SecurityTracker Alert ID:  1010648
SecurityTracker URL:  http://securitytracker.com/id?1010648
CVE Reference:  CAN-2004-0582
Date:  Jul 6 2004
Impact:  Denial of service via network, Disclosure of system information, Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 1.140 and prior versions
Description:  Two vulnerabilities were reported in Webmin. A remote user can cause user accounts to be locked out. A remote authenticated user can view module configuration data.

The vendor reported that a remote authenticated user can view the configuration of arbitrary modules, even if the user should not have access to the module.

It is also reported that a remote user can send an invalid username or password to lock out valid users.

Impact:  A remote authenticated user can view the configuration of arbitrary modules on the system.

A remote user can lock out a valid user's account.

Solution:  Debian has released a fix for the current stable distribution (woody) in version 0.94-7woody2 and for the unstable distribution (sid) in version 1.150-1.

Vendor URL:  www.webmin.com/changes-1.150.html
Cause:  Access control error, State error
Underlying OS:  Linux (Debian)
Underlying OS Comments:  3.0
Reported By:  Matt Zimmerman <mdz@debian.org>
Message History:   This archive entry is a follow-up to the message listed below.
Jun 8 2004 Webmin Discloses Module Configuration Data to Remote Authenticated Users



 Source Message Contents

Date:  Sat, 3 Jul 2004 11:56:31 -0700
From:  Matt Zimmerman <mdz@debian.org>
Subject:  [SECURITY] [DSA 526-1] New webmin packages fix multiple vulnerabilities

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 526-1                     security@debian.org
http://www.debian.org/security/                             Matt Zimmerman
July 3rd, 2004                          http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : webmin
Vulnerability  : several
Problem-Type   : remote
Debian-specific: no
CVE Ids        : CAN-2004-0582 CAN-2004-0583

Two vulnerabilities were discovered in webmin:

CAN-2004-0582: Unknown vulnerability in Webmin 1.140 allows remote
 attackers to bypass access control rules and gain read access to
 configuration information for a module.

CAN-2004-0583: The account lockout functionality in (1) Webmin 1.140
 and (2) Usermin 1.070 does not parse certain character strings, which
 allows remote attackers to conduct a brute force attack to guess user
 IDs and passwords.

For the current stable distribution (woody), these problems have been
fixed in version 0.94-7woody2.

For the unstable distribution (sid), these problems have been fixed in
version 1.150-1.

We recommend that you update your webmin package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- --------------------------------

These files will probably be moved into the stable distribution on
its next revision.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFA5wFEArxCt0PiXR4RAp+IAKCeSwJ5s3kQZ7cd7JrcBMESAWLLfgCeJ4UB
h5320rigCxubCKFZn/CsAa4=
=fcGw
-----END PGP SIGNATURE-----
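The advisory's file list pairs each package URL with a `Size/MD5 checksum: <bytes> <md5>` entry. The sketch below is an added example, not part of the advisory or of Debian's tooling: it parses that layout, including entries that have been wrapped or run together, and checks files already downloaded with `wget` before they are handed to `dpkg -i`. The function names, the sample packages and the `example.invalid` host are constructed for illustration, and it assumes the advisory text itself was first authenticated through its PGP signature, since an MD5 list only detects corruption relative to a trusted copy.

```python
import hashlib
import os
import re
import tempfile

# One entry in the advisory's layout: URL, then "Size/MD5 checksum: <bytes> <md5>".
# \s+ between the parts tolerates entries that are wrapped or run together.
ENTRY = re.compile(r"(\S+)\s+Size/MD5 checksum:\s+(\d+)\s+([0-9a-f]{32})\b")

def parse_entries(advisory_text):
    """Return {file name: (size, md5 hex)} for every entry in the text."""
    return {url.rsplit("/", 1)[-1]: (int(size), md5)
            for url, size, md5 in ENTRY.findall(advisory_text)}

def check_file(path, size, md5):
    """Classify one download: ok, missing, size-mismatch or md5-mismatch."""
    if not os.path.isfile(path):
        return "missing"
    if os.path.getsize(path) != size:   # cheap check before hashing
        return "size-mismatch"
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return "ok" if digest.hexdigest() == md5 else "md5-mismatch"

def verify_downloads(advisory_text, directory):
    """Map each listed file name to its status inside `directory`."""
    return {name: check_file(os.path.join(directory, name), size, md5)
            for name, (size, md5) in parse_entries(advisory_text).items()}

def demo():
    """Constructed sample: one intact file, one altered, one never downloaded."""
    body = b"constructed package body\n"
    md5 = hashlib.md5(body).hexdigest()
    base = "http://mirror.example.invalid/pool/"   # placeholder host
    text = (f"{base}pkg-a_1.0_all.deb\n  Size/MD5 checksum: {len(body):8d} {md5}\n"
            f"{base}pkg-b_1.0_all.deb Size/MD5 checksum: {len(body)} {md5} "
            f"{base}pkg-c_1.0_all.deb Size/MD5 checksum: {len(body)} {md5}\n")
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in (("pkg-a_1.0_all.deb", body),
                           ("pkg-b_1.0_all.deb", body[::-1])):  # same size, other bytes
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(data)
        return verify_downloads(text, tmp)

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:14} {name}")
```

Any status other than `ok` means the file should be fetched again rather than installed.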



Copyright 2004, SecurityGlobal.net LLC