
DESA-009: Webmin - multiple vulnerabilities



--------------------------------------------------------------------------
Debian-Edu/Skolelinux Security Advisory DESA 2004-009
http://www.skolelinux.no/security/                      Finn-Arne Johansen
July  8, 2004                 debian-edu-security@lists.alioth.debian.org
--------------------------------------------------------------------------

Package             : webmin
Vulnerability       : Several vulnerabilities
Problem-Type        : remote
Need reboot         : no
Debian-Edu-specific : yes
CVE ID              : CAN-2004-0582, CAN-2004-0583
DSA ID              : DSA-526

Two vulnerabilities were discovered in webmin:

CAN-2004-0582: Unknown vulnerability in Webmin 1.140 allows remote
attackers to bypass access control rules and gain read access to
configuration information for a module.

CAN-2004-0583: The account lockout functionality in (1) Webmin 1.140
and (2) Usermin 1.070 does not parse certain character strings, which
allows remote attackers to conduct a brute force attack to guess user
IDs and passwords.

We've prepared new upgraded packages for you based on webmin from Unstable.

New packages are available from http://ftp.skolelinux.no/skolelinux/

We recommend that you upgrade your webmin packages.

Upgrade Instructions
--------------------

Make sure 'deb http://ftp.skolelinux.no/skolelinux woody local' is
present in your /etc/apt/sources.list and run 'apt-get update' to
update your package lists.

Since this involves many packages, and two packages have been merged
into one, this upgrade is a bit more advanced.
Upgrade either by running 
  apt-get -u dist-upgrade

or by upgrading all the webmin-packages:
  apt-get install webmin webmin-apache webmin-bind webmin-core \
                  webmin-dhcpd webmin-exports webmin-grub webmin-inetd \
                  webmin-lvm webmin-quota webmin-samba webmin-software \
                  webmin-squid webmin-sshd webmin-status


During the upgrade you will be asked if you want to upgrade some config
files. Please say no, as these config files are carefully tuned for your
debian-edu/skolelinux installation.
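The steps above, collected into one script as an added example (this is not part of the advisory or of the Skolelinux project). It checks the apt source line idempotently before adding it, uses the package list from the advisory, and answers the config-file prompts non-interactively by telling dpkg to keep the existing files; the sources.list path is a parameter so the check can be exercised against a constructed file. It assumes an apt/dpkg that honours the Dpkg::Options::=--force-confold option, and the actual upgrade only runs when the script is invoked with the argument "run" as root.

```shell
#!/bin/sh
# Added example, not the advisory's own instructions: automate the
# Skolelinux webmin upgrade described in DESA-009.
set -e

# The apt source line named in the advisory.
SKOLELINUX_SRC='deb http://ftp.skolelinux.no/skolelinux woody local'

# Append the Skolelinux source line only if it is not already present.
# Prints "present" or "added" so the caller can see what happened.
ensure_apt_source() {
    file="$1"
    if grep -qxF "$SKOLELINUX_SRC" "$file" 2>/dev/null; then
        echo present
    else
        echo "$SKOLELINUX_SRC" >> "$file"
        echo added
    fi
}

# The webmin packages listed in the advisory.
WEBMIN_PKGS='webmin webmin-apache webmin-bind webmin-core webmin-dhcpd
webmin-exports webmin-grub webmin-inetd webmin-lvm webmin-quota webmin-samba
webmin-software webmin-squid webmin-sshd webmin-status'

# Refresh the package lists and install the upgraded packages.
# --force-confold (assumed available in this dpkg) keeps the locally tuned
# config files, i.e. it is the non-interactive form of answering "no" at
# each "upgrade this config file?" prompt.
upgrade_webmin() {
    apt-get update
    apt-get -o Dpkg::Options::=--force-confold install $WEBMIN_PKGS
}

# Only touch the real system when explicitly asked (needs root).
if [ "$1" = run ]; then
    ensure_apt_source /etc/apt/sources.list
    upgrade_webmin
fi
```

Run it as "sh upgrade-webmin.sh run"; without the argument it only defines the functions, so ensure_apt_source can be tried against a scratch copy of sources.list first.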

--------------------------------------------------------------------------
Mailing list: bruker@skolelinux.no, debian-edu@lists.debian.org,
              linuxiskolen@skolelinux.no, user@skolelinux.de
Package info: `apt-cache show <pkg>'

-- 
Finn-Arne Johansen 
faj@bzz.no
http://bzz.no/
