Debian: webmin insecure temporary directory

    Date: 14 Sep 2004
    Category: Debian
    Posted By: LinuxSecurity Advisories

    Ludwig Nussel discovered a problem in webmin, a web-based administration toolkit. A temporary directory was used but without checking for the previous owner. This could allow an attacker to create the directory and place dangerous symbolic links inside.
    
    --------------------------------------------------------------------------
    Debian Security Advisory DSA 544-1
    http://www.debian.org/security/                             Martin Schulze
    September 14th, 2004                     http://www.debian.org/security/faq
    --------------------------------------------------------------------------
    
    Package        : webmin
    Vulnerability  : insecure temporary directory
    Problem-Type   : root
    Debian-specific: no
    CVE ID         : CAN-2004-0559
    
    Ludwig Nussel discovered a problem in webmin, a web-based
    administration toolkit.  A temporary directory was used but without
    checking for the previous owner.  This could allow an attacker to
    create the directory and place dangerous symbolic links inside.
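
The flaw class described above, shown as an added Python example; it is not webmin's code or the Debian patch. The function names are hypothetical, and the "foreign owner" case is simulated by passing a different expected uid, since changing ownership would need root.

```python
import os
import stat
import tempfile


def vulnerable_tmpdir(path):
    """Flawed pattern: reuse whatever already sits at `path`."""
    if not os.path.exists(path):
        os.mkdir(path, 0o755)
    return path  # never asks who created it or whether it is a symlink


def safe_tmpdir(path, uid=None):
    """Create `path` privately, or accept it only if `uid` already owns it."""
    uid = os.getuid() if uid is None else uid
    try:
        os.mkdir(path, 0o700)  # atomic: fails if anything is already there
        os.chmod(path, 0o700)  # make the mode independent of the umask
        return path
    except FileExistsError:
        pass
    st = os.lstat(path)  # lstat does not follow a planted symlink
    if not stat.S_ISDIR(st.st_mode):
        raise PermissionError(f"{path} is not a real directory")
    if st.st_uid != uid:
        raise PermissionError(f"{path} belongs to uid {st.st_uid}, not {uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError(f"{path} is writable by group or others")
    return path


def demo():
    """Constructed cases in a scratch directory; returns each outcome."""
    base = tempfile.mkdtemp()
    real = os.path.join(base, "real")
    os.mkdir(real, 0o700)
    planted = os.path.join(base, "planted")
    os.symlink(real, planted)  # pre-existing entry the caller did not create
    out = {"vulnerable": vulnerable_tmpdir(planted) == planted}
    cases = [("symlink", planted, None), ("foreign", real, os.getuid() + 1)]
    for name, path, uid in cases:
        try:
            safe_tmpdir(path, uid)
            out[name] = "accepted"
        except PermissionError:
            out[name] = "rejected"
    fresh = safe_tmpdir(os.path.join(base, "fresh"))
    out["fresh_mode"] = stat.S_IMODE(os.lstat(fresh).st_mode)
    return out
```
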
    
    For the stable distribution (woody) this problem has been fixed in
    version 0.94-7woody3.
    
    For the unstable distribution (sid) this problem has been fixed in
    version 1.160-1 of webmin and 1.090-1 of usermin.
    
    We recommend that you upgrade your webmin packages.
    
    
    Upgrade Instructions
    --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    
    Debian GNU/Linux 3.0 alias woody
    --------------------------------
    
    
      These files will probably be moved into the stable distribution on
      its next update.
    
    ---------------------------------------------------------------------------------
    For apt-get: deb  http://security.debian.org/ stable/updates main
    For dpkg-ftp:  ftp://security.debian.org/debian-security dists/stable/updates/main
    Package info: `apt-cache show ' and  http://packages.debian.org/
    
    