DESA-009: Webmin - multiple vulnerabilities
--------------------------------------------------------------------------
Debian-Edu/Skolelinux Security Advisory DESA 2004-009
http://www.skolelinux.no/security/ Finn-Arne Johansen
July 8, 2004 debian-edu-security@lists.alioth.debian.org
--------------------------------------------------------------------------
Package : webmin
Vulnerability : Several vulnerabilities
Problem-Type : remote
Need reboot : no
Debian-Edu-specific : yes
CVE ID : CAN-2004-0582, CAN-2004-0583
DSA ID : DSA-526
Two vulnerabilities were discovered in webmin:
CAN-2004-0582: Unknown vulnerability in Webmin 1.140 allows remote
attackers to bypass access control rules and gain read access to
configuration information for a module.
CAN-2004-0583: The account lockout functionality in (1) Webmin 1.140
and (2) Usermin 1.070 does not parse certain character strings, which
allows remote attackers to conduct a brute force attack to guess user
IDs and passwords.
We've prepared new upgraded packages for you, based on webmin from unstable.
The new packages are available from http://ftp.skolelinux.no/skolelinux/
We recommend that you upgrade your webmin packages.
Upgrade Instructions
--------------------
Make sure 'deb http://ftp.skolelinux.no/skolelinux woody local' is
present in your /etc/apt/sources.list and run 'apt-get update' to
update your package lists.
Since this involves many packages, and two packages have been merged
into one, this upgrade is a bit more advanced.
Upgrade either by running

    apt-get -u dist-upgrade

or by upgrading all the webmin packages:

    apt-get install webmin webmin-apache webmin-bind webmin-core \
        webmin-dhcpd webmin-exports webmin-grub webmin-inetd \
        webmin-lvm webmin-quota webmin-samba webmin-software \
        webmin-squid webmin-sshd webmin-status
During the upgrade you will be asked if you want to upgrade some config
files. Please say no, as these config files are carefully tuned for your
debian-edu/skolelinux installation.
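
The upgrade steps above as a script, added here as an example and not part of the original advisory. The function names are hypothetical, and the use of dpkg's --force-confold option to keep the existing config files without prompting assumes the installed dpkg supports it.

```shell
#!/bin/sh
# Added example (not from the advisory): pre-flight check and upgrade
# wrapper for the webmin packages listed in DESA 2004-009.

# Package set copied from the advisory's apt-get install command.
WEBMIN_PKGS="webmin webmin-apache webmin-bind webmin-core \
webmin-dhcpd webmin-exports webmin-grub webmin-inetd \
webmin-lvm webmin-quota webmin-samba webmin-software \
webmin-squid webmin-sshd webmin-status"

# Succeeds only if file $1 holds an active (uncommented) deb line for the
# Skolelinux archive with suite "woody" and component "local".
has_skolelinux_source() {
    grep -Eq '^[[:space:]]*deb[[:space:]]+http://ftp\.skolelinux\.no/skolelinux/?[[:space:]]+woody[[:space:]]+([^#]*[[:space:]])?local([[:space:]]|$)' "$1"
}

# Runs the advisory's upgrade. Pass "echo" as $1 for a dry run that only
# prints the commands. --force-confold (assumed supported by the installed
# dpkg) keeps the current config files, i.e. answers "no" to the prompts.
run_upgrade() {
    ${1:-} apt-get update &&
    ${1:-} apt-get -o Dpkg::Options::=--force-confold install $WEBMIN_PKGS
}

# Act only when called with --apply or --dry-run; with no argument the
# script just defines the functions above.
case "${1:-}" in
    --apply)
        has_skolelinux_source /etc/apt/sources.list || {
            echo "Skolelinux 'woody local' source missing from sources.list" >&2
            exit 1
        }
        run_upgrade ;;
    --dry-run)
        run_upgrade echo ;;
esac
```

Run it with --dry-run first to see the exact apt-get commands, then with --apply as root.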
--------------------------------------------------------------------------
Mailing list: bruker@skolelinux.no, debian-edu@lists.debian.org,
linuxiskolen@skolelinux.no, user@skolelinux.de
Package info: `apt-cache show <pkg>'
--
Finn-Arne Johansen
faj@bzz.no
http://bzz.no/