[Webmin-maintainers] Bug#329741: marked as done (webmin: [CAN-2005-3042] PAM Authentication Bypass Vulnerability)

Debian Bug Tracking System owner at bugs.debian.org
Sat Sep 24 02:33:09 UTC 2005


Your message dated Fri, 23 Sep 2005 19:17:06 -0700
with message-id <E1EIzb8-0004ry-00 at spohr.debian.org>
and subject line Bug#329741: fixed in webmin 1.230-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 23 Sep 2005 06:02:23 +0000
>From martin at box79162.elkhouse.de Thu Sep 22 23:02:23 2005
Return-path: <martin at box79162.elkhouse.de>
Received: from box79162.elkhouse.de [213.9.79.162] 
	by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
	id 1EIgdb-0006jz-00; Thu, 22 Sep 2005 23:02:23 -0700
Received: by box79162.elkhouse.de (Postfix, from userid 1000)
	id 7B5291F8474; Fri, 23 Sep 2005 08:01:52 +0200 (CEST)
Date: Fri, 23 Sep 2005 08:01:52 +0200
From: Martin Pitt <martin.pitt at canonical.com>
To: Debian BTS Submit <submit at bugs.debian.org>
Subject: webmin: [CAN-2005-3042] PAM Authentication Bypass Vulnerability
Message-ID: <20050923060152.GG11259 at box79162.elkhouse.de>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="ZJcv+A0YCCLh2VIg"
Content-Disposition: inline
User-Agent: Mutt/1.5.9i
Delivered-To: submit at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02



Package: webmin
Version: 1.220-1
Severity: critical
Tags: security

Hi!

Webmin has a security bug which allows PAM circumvention. Details at

  http://archives.neohapsis.com/archives/bugtraq/2005-09/0257.html

This has been assigned CAN-2005-3042, please see

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3042

for more references.

Thanks,

Martin

-- 
Martin Pitt              http://www.piware.de
Ubuntu Developer   http://www.ubuntulinux.org
Debian Developer        http://www.debian.org


---------------------------------------
Received: (at 329741-close) by bugs.debian.org; 24 Sep 2005 02:18:24 +0000
>From katie at spohr.debian.org Fri Sep 23 19:18:24 2005
Return-path: <katie at spohr.debian.org>
Received: from katie by spohr.debian.org with local (Exim 3.36 1 (Debian))
	id 1EIzb8-0004ry-00; Fri, 23 Sep 2005 19:17:06 -0700
From: jaldhar at debian.org (Jaldhar H. Vyas)
To: 329741-close at bugs.debian.org
X-Katie: $Revision: 1.56 $
Subject: Bug#329741: fixed in webmin 1.230-1
Message-Id: <E1EIzb8-0004ry-00 at spohr.debian.org>
Sender: Archive Administrator <katie at spohr.debian.org>
Date: Fri, 23 Sep 2005 19:17:06 -0700
Delivered-To: 329741-close at bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02

Source: webmin
Source-Version: 1.230-1

We believe that the bug you reported is fixed in the latest version of
webmin, which is due to be installed in the Debian FTP archive:

webmin-core_1.230-1_all.deb
  to pool/main/w/webmin/webmin-core_1.230-1_all.deb
webmin_1.230-1.diff.gz
  to pool/main/w/webmin/webmin_1.230-1.diff.gz
webmin_1.230-1.dsc
  to pool/main/w/webmin/webmin_1.230-1.dsc
webmin_1.230-1_all.deb
  to pool/main/w/webmin/webmin_1.230-1_all.deb
webmin_1.230.orig.tar.gz
  to pool/main/w/webmin/webmin_1.230.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 329741 at bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jaldhar H. Vyas <jaldhar at debian.org> (supplier of updated webmin package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster at debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Fri, 23 Sep 2005 21:36:41 -0400
Source: webmin
Binary: webmin-core webmin
Architecture: source all
Version: 1.230-1
Distribution: unstable
Urgency: high
Maintainer: Debian Webmin maintainers <webmin-maintainers at lists.alioth.debian.org>
Changed-By: Jaldhar H. Vyas <jaldhar at debian.org>
Description: 
 webmin     - web-based administration toolkit
 webmin-core - core modules for webmin
Closes: 329741
Changes: 
 webmin (1.230-1) unstable; urgency=high
 .
   * New upstream version.
   * [SECURITY] CAN-2005-3042: miniserv.pl in versions before this one
     when "full PAM conversations" is enabled, allowed remote attackers to
     bypass authentication by spoofing session IDs via certain metacharacters
     (line feed or carriage return).  An immediate upgrade to this
     version is advised.  (Closes: #329741)
Files: 
 d6cc98f9067134491e844e64d58c572c 691 admin optional webmin_1.230-1.dsc
 7dc97de282bfc30ff6d3d436b0763897 2415142 admin optional webmin_1.230.orig.tar.gz
 a155911e5aeb4511ed8021d443cb835f 30049 admin optional webmin_1.230-1.diff.gz
 58eb89bf4322dcb32a3817cc5fdd4168 1182044 admin optional webmin_1.230-1_all.deb
 42adb8c22c74cf39438f8cde11c3eb13 1195156 admin optional webmin-core_1.230-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDNLQb2kYOR+5txmoRAl3NAJ96EwEBsGPXftCRkTFHPe8r19LvjQCgkNAv
t2nDhZC7KhhPg9tCWj1d5mE=
=ky6I
-----END PGP SIGNATURE-----
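
The changelog entry above attributes CAN-2005-3042 to line feed or carriage return characters reaching session handling. The following is an added example, not code from Webmin or from this bug report: a constructed Python model of a line-oriented session channel (the record format, the field allow-list and all function names are assumptions) showing how an unchecked field becomes an extra record, and how rejecting such characters at the writer prevents it.

```python
import re

# Constructed model: one record per line, "verb sid user".
# This is NOT miniserv.pl's actual format; names and layout are assumptions.
TOKEN = re.compile(r"[A-Za-z0-9_.@-]{1,64}")  # assumed allow-list for fields

def encode_unsafe(verb, sid, user):
    """Pre-fix pattern: fields are interpolated into the line unchecked."""
    return f"{verb} {sid} {user}\n"

def encode_safe(verb, sid, user):
    """Hardened writer: every field must fully match the allow-list."""
    for field in (verb, sid, user):
        if not TOKEN.fullmatch(field):
            raise ValueError(f"illegal characters in field: {field!r}")
    return f"{verb} {sid} {user}\n"

def parse_stream(data):
    """Reader: split on CR or LF, keep only well-formed 3-token records."""
    records, rejected = [], []
    for line in re.split(r"[\r\n]+", data):
        if not line:
            continue
        parts = line.split(" ")
        if len(parts) == 3 and all(TOKEN.fullmatch(p) for p in parts):
            records.append(tuple(parts))
        else:
            rejected.append(line)
    return records, rejected

def sessions_created(data):
    """Session IDs for which the reader would register a session."""
    return [sid for verb, sid, _ in parse_stream(data)[0] if verb == "new"]

# Constructed input: a user-supplied field carrying an embedded line feed.
CRAFTED_USER = "alice\nnew FORGEDSID bob"

def demo():
    """Return (sessions the unsafe writer lets through, safe writer blocked?)."""
    unsafe = encode_unsafe("verify", "SID1", CRAFTED_USER)
    try:
        encode_safe("verify", "SID1", CRAFTED_USER)
        blocked = False
    except ValueError:
        blocked = True
    return sessions_created(unsafe), blocked
```

The injected line is itself well-formed, so strict parsing on the reader side does not catch it; the check has to happen where untrusted input is written into the record.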



