Bug#273377: webmin: Static SSL cert/key pair
Package: webmin
Version: 0.94-7woody3
Severity: grave
Tags: security
Justification: user security hole
I installed webmin on two systems; both installations had the same SSL
certificate fingerprint. As each install appears to use the same key, it may
be possible for a man in the middle to decrypt administrative traffic,
recover passwords and hijack sessions.
See http://xforce.iss.net/xforce/xfdb/10381
There may well be a workaround; however, I have been unable to find one.
-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux nahanni 2.4.26-linode32-2um #1 Mon Aug 2 17:53:57 EDT 2004 i686
Locale: LANG=C, LC_CTYPE=C
Versions of packages webmin depends on:
ii debconf 1.0.32 Debian configuration management sy
ii libauthen-pam-perl 0.12-2 This module provides a Perl interf
ii libnet-ssleay-perl 1.08-1.1 Perl module for Secure Sockets Lay
ii perl 5.6.1-8.7 Larry Wall's Practical Extraction
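An added example, not part of this bug report or of the webmin package: a small POSIX shell helper that detects the condition described above (the server PEM on a host carrying a fingerprint known to be shipped to every install) and regenerates a per-host key and self-signed certificate as a workaround. The PEM location and the "known static" fingerprint are assumptions the administrator supplies; the cert-then-key layout of the output file is a constructed convention, not the package's.

```shell
#!/bin/sh
# Added example (not the package's own code). Assumptions, constructed:
#   - the server's key and certificate live together in one PEM file
#   - KNOWN_STATIC below is the fingerprint observed on every fresh install
set -eu

# SHA-256 fingerprint of the certificate in a PEM file: lowercase hex, no colons.
cert_fingerprint() {            # $1 = pem file
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# SHA-256 of the DER public key, so two hosts with re-issued certificates
# that still share the same private key are also caught.
key_fingerprint() {             # $1 = pem file containing the private key
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | sed 's/^.*= //'
}

# Succeeds when the on-disk certificate matches a fingerprint known to ship
# with the package, i.e. the private key is not unique to this host.
is_shared_cert() {              # $1 = pem file, $2 = known static fingerprint
    [ "$(cert_fingerprint "$1")" = "$2" ]
}

# Workaround: mint a fresh 2048-bit RSA key and self-signed certificate for
# this host and write them (key first, then certificate) into one PEM file.
regenerate_cert() {             # $1 = output pem file, $2 = hostname for the CN
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null
    cat "$tmp/key.pem" "$tmp/cert.pem" > "$1"
    chmod 600 "$1"
    rm -rf "$tmp"
}

# Example usage (constructed values; replace with your own):
#   KNOWN_STATIC=0000000000000000000000000000000000000000000000000000000000000000
#   if is_shared_cert /path/to/server.pem "$KNOWN_STATIC"; then
#       regenerate_cert /path/to/server.pem "$(hostname -f)"
#   fi
```

Run `cert_fingerprint` on each host and compare the results; any two hosts printing the same value are sharing a private key and should have `regenerate_cert` applied before the service is restarted.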