[Webmin-maintainers] Re: Webmin Remote Root Vulnerability

Patrick Winnertz rap86 at gmx.de
Tue Apr 18 09:34:09 UTC 2006


Jamie Cameron wrote:
> On 17/Apr/2006 05:13 Patrick Winnertz wrote ..
>> Jaldhar H. Vyas wrote:
>>> On Thu, 9 Mar 2006, Moritz Muehlenhoff wrote:
>>>
>>>> It is my understanding that this webmin vulnerability was caused by
>>>> the generic format string flaw in perl. As we fixed perl in DSA-943 this
>>>> should be resolved. Can you confirm, Jaldhar?
>>>>
>>> Yes I believe so.  The big problem with the webmin packages is that I
>>> asked for them to be removed from the archive right around when that
>>> problem came up.  (I wasn't properly maintaining them for a long time
>>> before, that's why I orphaned them.) So there hasn't been any
>>> responsible person chasing things like this down.
>> Jamie, do you know if this bug is fixed in the newest webmin (or in the
>> webmin which is in the svn (1.150))?
>>
>> Do you know the original email? If not I can forward it to you.
> 
> Hi Patrick,
> This problem was fixed in the 1.260 version of Webmin, so anyone running
> 1.150 would be vulnerable and should upgrade (assuming they have logging
> via syslog enabled).

Sorry, I mean 1.250, but as you said it is not fixed in this version. Okay,
then we have to package 1.260, no longer 1.250. :S
This should be quite easy by copying the debian dir into the new source.
I will do this today or in the next days :)
(Or is anybody else on this list able to do this, please? I have my final
exams in one week ;-) )

Kind regards
Patrick

> 
>  - Jamie
> 
> 



