Bug#273377: webmin: Static SSL cert/key pair

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#273377: webmin: Static SSL cert/key pair
From: John Marrett <johnf@dsl.ca>
Date: Sat, 25 Sep 2004 16:10:31 -0400
Message-id: <[🔎] E1CBIsJ-0006N0-00@localhost>
Reply-to: John Marrett <johnf@dsl.ca>, 273377@bugs.debian.org

Package: webmin
Version: 0.94-7woody3
Severity: grave
Tags: security
Justification: user security hole

I installed webmin on two systems, both installations had the same SSL
Certificate fingerprint. As each install appears to use same key it may
be possible for a man in the middle to decrypt administrative traffic,
recover passwords and hijack sessions.

See http://xforce.iss.net/xforce/xfdb/10381

There may well be a workaround, however i have been unable to find one.

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux nahanni 2.4.26-linode32-2um #1 Mon Aug 2 17:53:57 EDT 2004 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages webmin depends on:
ii  debconf                       1.0.32     Debian configuration management sy
ii  libauthen-pam-perl            0.12-2     This module provides a Perl interf
ii  libnet-ssleay-perl            1.08-1.1   Perl module for Secure Sockets Lay
ii  perl                          5.6.1-8.7  Larry Wall's Practical Extraction

Reply to:

Prev by Date: Bug#271590: webmin security hole.
Next by Date: Bug#273421: Invalid Maintainer: field
Previous by thread: Bug#271590: webmin security hole.
Next by thread: Bug#273421: Invalid Maintainer: field
Index(es):
- Date
- Thread