Your message dated Fri, 23 Sep 2005 19:17:06 -0700 with message-id <[EMAIL PROTECTED]> and subject line Bug#329741: fixed in webmin 1.230-1 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Date: Fri, 23 Sep 2005 08:01:52 +0200
From: Martin Pitt <[EMAIL PROTECTED]>
To: Debian BTS Submit <[EMAIL PROTECTED]>
Subject: webmin: [CAN-2005-3042] PAM Authentication Bypass Vulnerability

Package: webmin
Version: 1.220-1
Severity: critical
Tags: security

Hi!

Webmin has a security bug which allows PAM circumvention.
Details at

  http://archives.neohapsis.com/archives/bugtraq/2005-09/0257.html

This has been assigned CAN-2005-3042, please see

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3042

for more references.

Thanks,

Martin

-- 
Martin Pitt              http://www.piware.de
Ubuntu Developer   http://www.ubuntulinux.org
Debian Developer        http://www.debian.org

---------------------------------------
From: [EMAIL PROTECTED] (Jaldhar H. Vyas)
To: [EMAIL PROTECTED]
Subject: Bug#329741: fixed in webmin 1.230-1
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Fri, 23 Sep 2005 19:17:06 -0700

Source: webmin
Source-Version: 1.230-1

We believe that the bug you reported is fixed in the latest version of
webmin, which is due to be installed in the Debian FTP archive:

webmin-core_1.230-1_all.deb
  to pool/main/w/webmin/webmin-core_1.230-1_all.deb
webmin_1.230-1.diff.gz
  to pool/main/w/webmin/webmin_1.230-1.diff.gz
webmin_1.230-1.dsc
  to pool/main/w/webmin/webmin_1.230-1.dsc
webmin_1.230-1_all.deb
  to pool/main/w/webmin/webmin_1.230-1_all.deb
webmin_1.230.orig.tar.gz
  to pool/main/w/webmin/webmin_1.230.orig.tar.gz

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jaldhar H. Vyas <[EMAIL PROTECTED]> (supplier of updated webmin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])

Format: 1.7
Date: Fri, 23 Sep 2005 21:36:41 -0400
Source: webmin
Binary: webmin-core webmin
Architecture: source all
Version: 1.230-1
Distribution: unstable
Urgency: high
Maintainer: Debian Webmin maintainers <[EMAIL PROTECTED]>
Changed-By: Jaldhar H. Vyas <[EMAIL PROTECTED]>
Description:
 webmin     - web-based administration toolkit
 webmin-core - core modules for webmin
Closes: 329741
Changes:
 webmin (1.230-1) unstable; urgency=high
 .
   * New upstream version.
   * [SECURITY] CAN-2005-3042: miniserv.pl in versions before this one when
     "full PAM conversations" is enabled, allowed remote attackers to bypass
     authentication by spoofing session IDs via certain metacharacters (line
     feed or carriage return). An immediate upgrade to this version is
     advised. (Closes: #329741)