
Bug 537528

Summary: app-admin/usermin: Read Mail Module Vulnerability
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: maintainer-needed, treecleaner
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.openwall.com/lists/oss-security/2015/01/19/3
Whiteboard: ~4 [noglsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2015-01-24 09:42:56 UTC
From ${URL} :

I need to request 2 CVEs; one for Usermin and one for Webmin.

Both of them are vulnerable to a hardlink arbitrary file access within
the Read Mail Module. The end result is the ability to open any file on
the server, including root owned files, which could lead to a privilege
escalation.

Reference: http://www.webmin.com/index.html

"January 1: Webmin 1.730 and Usermin 1.640 released - This update 
includes security fixes to produce against malicious links in the Read 
Mail module..."

@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
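The bug class described above is a mail reader that opens whatever name it finds in a user's mail directory, so a hardlink placed there by the user reaches another file's inode. The following is an added example of the defensive check a mail-reading module would need; it is not Usermin or Webmin code. The spool layout, the owner-uid rule and the function names are assumptions: the point is that the checks run on the opened descriptor (fstat), where a hardlink shows up as a link count above one, rather than on the path.

```python
import os
import stat
import tempfile

class UnsafeMailFile(Exception):
    """Raised when a mail file fails the post-open checks."""

def open_mail_file(path: str, spool_dir: str, owner_uid: int) -> int:
    """Return a read-only fd for `path`, or raise UnsafeMailFile.

    Assumed policy: the file must live under spool_dir, be a regular file,
    have exactly one link, and be owned by the mailbox owner. A hardlink to
    a root-owned file fails on the link count and the owner check.
    """
    spool_real = os.path.realpath(spool_dir)
    real = os.path.realpath(path)
    if os.path.commonpath([real, spool_real]) != spool_real:
        raise UnsafeMailFile("outside spool directory")
    # O_NOFOLLOW refuses a symlink as the final component; everything else is
    # checked on the descriptor so there is no check-then-open race.
    fd = os.open(real, os.O_RDONLY | os.O_NOFOLLOW | os.O_NOCTTY)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise UnsafeMailFile("not a regular file")
        if st.st_nlink != 1:
            raise UnsafeMailFile("file has multiple links (possible hardlink)")
        if st.st_uid != owner_uid:
            raise UnsafeMailFile("file not owned by mailbox owner")
    except Exception:
        os.close(fd)
        raise
    return fd

def demo() -> dict:
    """Constructed scenario: one honest mail file plus a hardlink in the
    spool that points at a file outside it. Returns the outcome per name."""
    root = tempfile.mkdtemp()
    spool = os.path.join(root, "spool")
    os.mkdir(spool)
    outside = os.path.join(root, "outside.txt")  # stands in for a file the reader must not serve
    with open(outside, "w") as f:
        f.write("not for the mail reader\n")
    honest = os.path.join(spool, "inbox")
    with open(honest, "w") as f:
        f.write("From alice  Sat Jan 24 09:42:56 2015\n")
    linked = os.path.join(spool, "inbox2")
    os.link(outside, linked)  # hardlink: same inode as outside.txt, link count 2
    results = {}
    for name, p in (("honest", honest), ("hardlink", linked)):
        try:
            fd = open_mail_file(p, spool, os.getuid())
            os.close(fd)
            results[name] = "opened"
        except UnsafeMailFile as e:
            results[name] = str(e)
    return results
```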
Comment 1 Pacho Ramos gentoo-dev 2015-11-05 16:13:16 UTC
Either someone volunteers for maintaining this (and taking care of bumping it soon enough for getting security bugs fixed) or this is treecleaned
Comment 2 Pacho Ramos gentoo-dev 2016-02-20 18:08:38 UTC
removed
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-03-29 08:40:48 UTC
@Pacho, what exactly was removed here? Vulnerable versions are still in tree.
Comment 4 Pacho Ramos gentoo-dev 2016-04-02 12:31:34 UTC
$ git commit -m "app-admin/usermin: remove masked for removal package (#537528)"

Necesita una contraseña para desbloquear la clave secreta
del usuario: "Pacho Ramos (pacho) <pacho@condmat1.ciencias.uniovi.es>"
clave DSA de 1024 bits, ID A188FBD4, creada el 2009-07-21

[master 22d71b0] app-admin/usermin: remove masked for removal package (#537528)
 8 files changed, 222 deletions(-)
 delete mode 100644 app-admin/usermin/Manifest
 delete mode 100644 app-admin/usermin/files/init.d.usermin
 delete mode 100644 app-admin/usermin/files/usermin-1.080-safestop.patch
 delete mode 100644 app-admin/usermin/files/usermin-1.150-setup-nocheck.patch
 delete mode 100644 app-admin/usermin/files/usermin-1.540-r1.init
 delete mode 100644 app-admin/usermin/files/usermin.pam-include.1
 delete mode 100644 app-admin/usermin/metadata.xml
 delete mode 100644 app-admin/usermin/usermin-1.600.ebuild

Looks like I forgot to finally commit it