Nessus Plugin #16449

Plugin Index

Note: This file has been created from a downloaded version of the Nessus Plugins from http://www.nessus.org/. Therefore, the information here can be outdated.

[GLSA-200502-12] Webmin: Information leak in Gentoo binary package

Family:
Gentoo Local Security Checks
Category:
infos
Copyright:
(C) 2005 Michel Arboi
Summary:
Webmin: Information leak in Gentoo binary package
Version:
$Revision: 1.2 $
Cve_id:
-
Bugtraq_id:
12532
Xrefs:
GLSA:200502-12
Description:
The remote host is affected by the vulnerability described in GLSA-200502-12
(Webmin: Information leak in Gentoo binary package)


Tavis Ormandy of the Gentoo Linux Security Audit Team discovered
that the Webmin ebuild contains a design flaw. It imports the encrypted
local root password into the miniserv.users file before building binary
packages that include this file.

Impact

A remote attacker could retrieve Portage-built Webmin binary
packages and recover the encrypted root password from the build host.

Workaround

Users who never built or shared a Webmin binary package are
unaffected by this.


Solution:
Webmin users should delete any old shared Webmin binary package as
soon as possible. They should also consider their buildhost root
password potentially exposed and follow proper audit procedures.
If you plan to build binary packages, you should upgrade to the
latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/webmin-1.170-r3"


Risk factor : Medium
Generiert am 27.04.2005 um 18:49:54 Uhr.