http://www.dyadsecurity.com/webmin-0001.html
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=341394

If this is considered a possible remote root compromise, the spampd bug I reported a while ago to [EMAIL PROTECTED] (see also bug #332259) is also a possible remote compromise (though not a root compromise, as spampd runs as non-root). The current spampd package in stable also uses the same syslog() function as webmin does, with a user-supplied value in the format string.

I prepared the package as well as I could with my present knowledge and uploaded it to my server at: https://mail.incase.de/spampd/sarge-security/

If you still think that this is not really a security issue, please include the fixed package in the next stable update.

regards,
Sven

PS: Martin: A new upstream version with the bug fixed is packaged and available at https://mail.incase.de/spampd/sid/ - would be nice of you if you could upload it.
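
An added example, not part of the original message or of either package: a small Python audit that flags Perl `syslog()` calls whose format argument is not a constant string, the pattern the message describes. The function names and the sample Perl lines are constructed for illustration; the check is a line-based heuristic and only sees calls written with parentheses on one line.

```python
import re

# A Perl syslog() call; captures everything after the priority argument.
CALL = re.compile(r'\bsyslog\s*\(\s*[^,()]+,\s*(?P<rest>.*)')
# Single-quoted Perl literal: never interpolates variables.
SQ_CONST = re.compile(r"'(?:[^'\\]|\\.)*'")
# Double-quoted Perl literal with no unescaped $ or @, so nothing is interpolated.
DQ_CONST = re.compile(r'"(?:[^"\\$@]|\\.)*"')

# Constructed sample input (not taken from spampd or webmin).
SAMPLE = '''\
use Sys::Syslog;
syslog('info', $msg);
syslog('info', "relay from $client");
syslog('info', '%s', $msg);
syslog("err", "%s: %s", $who, $what);
# syslog('info', $old);
syslog($prio, 'rejected: ' . $reason);
'''


def format_is_constant(rest):
    """True if the format argument is a literal with no interpolation."""
    m = SQ_CONST.match(rest) or DQ_CONST.match(rest)
    if not m:
        return False  # a variable or expression is used as the format
    # The literal must be the whole argument, not the start of a concatenation.
    tail = rest[m.end():].lstrip()
    return tail[:1] in (",", ")")


def audit(source):
    """Return (line number, text) for each syslog() call with a non-constant format."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # skip whole-line Perl comments
        m = CALL.search(line)
        if m and not format_is_constant(m.group("rest")):
            findings.append((lineno, line.strip()))
    return findings


if __name__ == "__main__":
    for lineno, text in audit(SAMPLE):
        print(f"line {lineno}: non-constant format: {text}")
```

Calls it reports are candidates for the usual fix of passing a constant format and the untrusted value as an argument, as in `syslog('info', '%s', $msg)`.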