
Bug#273377: webmin: Static SSL cert/key pair

Package: webmin
Version: 0.94-7woody3
Severity: grave
Tags: security
Justification: user security hole

I installed webmin on two systems; both installations had the same SSL
certificate fingerprint. As each install appears to use the same key, it may
be possible for a man in the middle to decrypt administrative traffic,
recover passwords and hijack sessions.

See http://xforce.iss.net/xforce/xfdb/10381

There may well be a workaround; however, I have been unable to find one.

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux nahanni 2.4.26-linode32-2um #1 Mon Aug 2 17:53:57 EDT 2004 i686

Versions of packages webmin depends on:
ii  debconf                       1.0.32     Debian configuration management sy
ii  libauthen-pam-perl            0.12-2     This module provides a Perl interf
ii  libnet-ssleay-perl            1.08-1.1   Perl module for Secure Sockets Lay
ii  perl                          5.6.1-8.7  Larry Wall's Practical Extraction 
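
Added example, not part of the original report or of the webmin package: a check that groups hosts by certificate fingerprint so that a packaged certificate reused across installs, as reported above, shows up in an inventory. The host names and the placeholder certificate bytes are constructed; the fingerprint is SHA-256 over the decoded DER bytes.

```python
import base64
import hashlib
import re
from collections import defaultdict

# A PEM file may hold a private key next to the certificate; only the
# CERTIFICATE block is hashed.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def make_pem(der: bytes) -> str:
    """Wrap raw bytes in PEM certificate armor (used only to build samples)."""
    body = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes of the first certificate in a PEM string."""
    m = PEM_CERT.search(pem)
    if m is None:
        raise ValueError("no PEM certificate found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    return hashlib.sha256(der).hexdigest()


def shared_certificates(inventory: dict) -> dict:
    """Map fingerprint -> sorted hosts, keeping fingerprints seen on 2+ hosts."""
    groups = defaultdict(list)
    for host, pem in inventory.items():
        groups[fingerprint(pem)].append(host)
    return {fp: sorted(hosts) for fp, hosts in groups.items() if len(hosts) > 1}


# Constructed sample: placeholder bytes stand in for real DER certificates.
PACKAGED = make_pem(b"constructed placeholder: certificate shipped in the package")
UNIQUE = make_pem(b"constructed placeholder: certificate generated on the host")
INVENTORY = {"host-a": PACKAGED, "host-b": PACKAGED, "host-c": UNIQUE}

if __name__ == "__main__":
    for fp, hosts in shared_certificates(INVENTORY).items():
        print(f"{fp}  shared by {', '.join(hosts)}")
```

Any group this returns means those hosts present the same certificate, and therefore the same private key, and each needs its own freshly generated key pair.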
