Nessus Plugin #16449
Plugin Index
Note: This file has been created from a
downloaded version of the Nessus Plugins
from
http://www.nessus.org/.
Therefore, the information here can be outdated.
[GLSA-200502-12] Webmin: Information leak in Gentoo binary package
- Family:
- Gentoo Local Security Checks
- Category:
- infos
- Copyright:
- (C) 2005 Michel Arboi
- Summary:
- Webmin: Information leak in Gentoo binary package
- Version:
- $Revision: 1.2 $
- Cve_id:
- -
- Bugtraq_id:
- 12532
- Xrefs:
- GLSA:200502-12
- Description:
- The remote host is affected by the vulnerability described in GLSA-200502-12
(Webmin: Information leak in Gentoo binary package)
Tavis Ormandy of the Gentoo Linux Security Audit Team discovered
that the Webmin ebuild contains a design flaw. It imports the encrypted
local root password into the miniserv.users file before building binary
packages that include this file.
Impact
A remote attacker could retrieve Portage-built Webmin binary
packages and recover the encrypted root password from the build host.
Workaround
Users who never built or shared a Webmin binary package are
unaffected by this.
Solution:
Webmin users should delete any old shared Webmin binary package as
soon as possible. They should also consider their buildhost root
password potentially exposed and follow proper audit procedures.
If you plan to build binary packages, you should upgrade to the
latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/webmin-1.170-r3"
Risk factor : Medium
Generiert am 27.04.2005 um 18:49:54 Uhr.