[Webmin-maintainers] Bug#273377: marked as done (webmin: Static SSL cert/key pair)

Debian Bug Tracking System owner@bugs.debian.org
Tue, 14 Jun 2005 12:03:32 -0700


Your message dated Tue, 14 Jun 2005 14:59:47 -0400 (EDT)
with message-id <Pine.LNX.4.63.0506141450000.23421@diku.intranet.braincells.com>
and subject line Closing bugs against webmin 0.94 
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 25 Sep 2004 20:10:32 +0000
>From johnf@e-reporting.ca Sat Sep 25 13:10:32 2004
Return-path: <johnf@e-reporting.ca>
Received: from li4-34.members.linode.com (localhost) [66.220.1.34] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1CBIsK-0000VR-00; Sat, 25 Sep 2004 13:10:32 -0700
Received: from johnf by localhost with local (Exim 3.35 #1 (Debian))
	id 1CBIsJ-0006N0-00; Sat, 25 Sep 2004 16:10:31 -0400
From: John Marrett <johnf@dsl.ca>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: webmin: Static SSL cert/key pair
X-Mailer: reportbug 1.50
Date: Sat, 25 Sep 2004 16:10:31 -0400
Message-Id: <E1CBIsJ-0006N0-00@localhost>
Sender: John Marrett <johnf@e-reporting.ca>
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 

Package: webmin
Version: 0.94-7woody3
Severity: grave
Tags: security
Justification: user security hole

I installed webmin on two systems, both installations had the same SSL
Certificate fingerprint. As each install appears to use the same key it may
be possible for a man in the middle to decrypt administrative traffic,
recover passwords and hijack sessions.

See http://xforce.iss.net/xforce/xfdb/10381

There may well be a workaround, however I have been unable to find one.

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux nahanni 2.4.26-linode32-2um #1 Mon Aug 2 17:53:57 EDT 2004 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages webmin depends on:
ii  debconf                       1.0.32     Debian configuration management sy
ii  libauthen-pam-perl            0.12-2     This module provides a Perl interf
ii  libnet-ssleay-perl            1.08-1.1   Perl module for Secure Sockets Lay
ii  perl                          5.6.1-8.7  Larry Wall's Practical Extraction 


---------------------------------------
Received: (at 273377-done) by bugs.debian.org; 14 Jun 2005 19:00:36 +0000
>From jaldhar@debian.org Tue Jun 14 12:00:35 2005
Return-path: <jaldhar@debian.org>
Received: from (mail.braincells.com) [146.82.141.4] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1DiGeJ-0000ip-00; Tue, 14 Jun 2005 12:00:35 -0700
Received: from localhost (localhost [127.0.0.1])
	by mail.braincells.com (Postfix) with ESMTP id 3E2976216B4;
	Tue, 14 Jun 2005 13:49:51 -0500 (CDT)
Received: from mail.braincells.com ([127.0.0.1])
	by localhost (jaldhar [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id 26804-07; Tue, 14 Jun 2005 13:49:43 -0500 (CDT)
Received: from [192.168.1.113] (pcp09354467pcs.jersyc01.nj.comcast.net [69.141.24.176])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mail.braincells.com (Postfix) with ESMTP id 8B9CC6001D1;
	Tue, 14 Jun 2005 13:49:37 -0500 (CDT)
Date: Tue, 14 Jun 2005 14:59:47 -0400 (EDT)
From: "Jaldhar H. Vyas" <jaldhar@debian.org>
X-X-Sender: jaldhar@diku.intranet.braincells.com
Reply-To: "Jaldhar H. Vyas" <jaldhar@debian.org>
To: 273377-done@bugs.debian.org, 221729-done@bugs.debian.org,
	224361-done@bugs.debian.org, 221731-done@bugs.debian.org,
	232032-done@bugs.debian.org, 278182-done@bugs.debian.org,
	280728-done@bugs.debian.org, 301036-done@bugs.debian.org,
	228359-done@bugs.debian.org
Subject: Closing bugs against webmin 0.94 
Message-ID: <Pine.LNX.4.63.0506141450000.23421@diku.intranet.braincells.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at braincells.com
Delivered-To: 273377-done@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-3.0 required=4.0 tests=BAYES_00 autolearn=no 
	version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level: 
X-CrossAssassin-Score: 6

This version, which was in the Debian 3.0 "Woody" distribution is obsolete 
now that 3.1 "Sarge" has been released.  There will be no further 
bugfixes for it so I am closing the existing bug reports.  Even if you 
cannot migrate fully to sarge, it is suggested that you upgrade to the 
version of webmin in sarge, 1.180, as it is a lot better.


-- 
Jaldhar H. Vyas <jaldhar@debian.org>
La Salle Debain - http://www.braincells.com/debian/