
[SECURITY] [DSA 544-1] New webmin packages fix insecure temporary directory



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 544-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
September 14th, 2004                    http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : webmin
Vulnerability  : insecure temporary directory
Problem-Type   : root
Debian-specific: no
CVE ID         : CAN-2004-0559

Ludwig Nussel discovered a problem in webmin, a web-based
administration toolkit.  A temporary directory was used but without
checking for the previous owner.  This could allow an attacker to
create the directory and place dangerous symbolic links inside.
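
The missing ownership check, sketched as an added example (this is not webmin's code or the Debian patch; `claim_private_dir`, `UnsafeTempDir` and the sandbox paths are hypothetical names). It creates the directory itself when possible and otherwise refuses anything that is a symlink, belongs to another user, or is writable by group or others:

```python
import os
import stat
import tempfile


class UnsafeTempDir(Exception):
    """The path already exists and cannot be trusted."""


def claim_private_dir(path):
    """Create `path` with mode 0700, or reuse it only if it passes all checks."""
    try:
        # mkdir fails with EEXIST for anything already at `path`, including
        # a symlink, so success means this process created the directory.
        os.mkdir(path, 0o700)
        return path
    except FileExistsError:
        pass
    st = os.lstat(path)  # lstat: never follow a link planted at `path`
    if not stat.S_ISDIR(st.st_mode):
        raise UnsafeTempDir(f"{path}: not a real directory")
    if st.st_uid != os.geteuid():  # the "previous owner" check
        raise UnsafeTempDir(f"{path}: owned by uid {st.st_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise UnsafeTempDir(f"{path}: writable by group or others")
    return path


def demo():
    """Constructed cases in a throwaway sandbox; returns the outcome per case.

    The foreign-owner case needs a second account, so it is not exercised.
    """
    results = {}
    with tempfile.TemporaryDirectory() as sandbox:
        fresh = os.path.join(sandbox, "fresh")
        results["fresh"] = claim_private_dir(fresh) == fresh
        planted = os.path.join(sandbox, "planted-link")
        os.symlink(sandbox, planted)  # symlink waiting at the expected name
        loose = os.path.join(sandbox, "loose")
        os.mkdir(loose)
        os.chmod(loose, 0o777)  # pre-existing, world-writable directory
        for name, path in (("symlink", planted), ("world_writable", loose)):
            try:
                claim_private_dir(path)
                results[name] = "accepted"
            except UnsafeTempDir:
                results[name] = "rejected"
    return results
```

Where a fixed name is not required, `tempfile.mkdtemp()` avoids the problem entirely by creating an unpredictably named directory readable and writable only by the caller.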

For the stable distribution (woody) this problem has been fixed in
version 0.94-7woody3.

For the unstable distribution (sid) this problem has been fixed in
version 1.160-1 of webmin and 1.090-1 of usermin.

We recommend that you upgrade your webmin packages.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFBRwcDW5ql+IAeqTIRAlgVAJ9egZEMvpURgeQWqW+yPXoLzFxWlgCgpKkd
Fn/qX1Q8x9dWQbJc+4isDU4=
=i4kA
-----END PGP SIGNATURE-----

