|
|
Family: Gentoo Local Security Checks --> Category: infos
[GLSA-200502-12] Webmin: Information leak in Gentoo binary package Vulnerability Scan
Vulnerability Scan Summary
Webmin: Information leak in Gentoo binary package
Detailed Explanation for this Vulnerability Test
The remote host is affected by the vulnerability described in GLSA-200502-12
(Webmin: Information leak in Gentoo binary package)
Tavis Ormandy of the Gentoo Linux Security Audit Team discovered
that the Webmin ebuild contains a design flaw. It imports the encrypted
local root password into the miniserv.users file before building binary
packages that include this file.
Impact
A remote attacker could retrieve Portage-built Webmin binary
packages and recover the encrypted root password from the build host.
Workaround
Users who never built or shared a Webmin binary package are
unaffected by this.
Solution:
Webmin users should delete any old shared Webmin binary package as
soon as possible. They should also consider their buildhost root
password potentially exposed and follow proper audit procedures.
If you plan to build binary packages, you should upgrade to the
latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/webmin-1.170-r3"
Threat Level: Medium
Click HERE for more information and discussions on this network vulnerability scan.
|
