From ${URL} : I need to request 2 CVEs; one for Usermin and one for Webmin. Both of them are vulnerable to a hardlink arbitrary file access within the Read Mail module. The end result is the ability to open any file on the server, including root-owned files, which could lead to a privilege escalation.

Reference: http://www.webmin.com/index.html "January 1: Webmin 1.730 and Usermin 1.640 released - This update includes security fixes to protect against malicious links in the Read Mail module..."

@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
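The bug class named in the report (a mail reader that follows a hard link or symlink in a user's mail directory and ends up opening an arbitrary, possibly root-owned file) is mitigated by validating the file on the open descriptor rather than on the path. The following is an added illustration written for this thread, not Webmin or Usermin code and not the fix shipped in 1.730 / 1.640; it assumes a POSIX system (O_NOFOLLOW, fstat, link counts) and constructs its own throwaway mailbox directory for the demo.

```python
import os
import stat
import tempfile


class UnsafeMailFile(Exception):
    """Raised when a mailbox path fails one of the safety checks."""


def open_mail_file(path, mail_root, owner_uid):
    """Open a mailbox file for reading, refusing the link tricks that let a
    user point the reader at files outside their own mail.

    All checks run on the already-open descriptor, so the file cannot be
    swapped between the check and the read:
      - the resolved path stays below mail_root (catches symlinks out)
      - the target is a regular file, not a directory or device
      - the file is owned by the user whose mail is being read
      - the link count is 1, so the name is not a hard link to another file
    """
    real_root = os.path.realpath(mail_root)
    real_path = os.path.realpath(path)
    if os.path.commonpath([real_root, real_path]) != real_root:
        raise UnsafeMailFile("path escapes mail root: %s" % path)
    # O_NOFOLLOW: refuse to open through a symlink at the final component.
    fd = os.open(real_path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise UnsafeMailFile("not a regular file")
        if st.st_uid != owner_uid:
            raise UnsafeMailFile("owner mismatch (uid %d)" % st.st_uid)
        # A hard link to someone else's file keeps that file's uid, so the
        # owner check usually catches it; the link count catches the case
        # where the linked file is owned by the same user.
        if st.st_nlink != 1:
            raise UnsafeMailFile("hard link count %d" % st.st_nlink)
    except Exception:
        os.close(fd)
        raise
    return os.fdopen(fd, "rb")


def demo():
    """Constructed scenario (hypothetical paths, not from the bug): a real
    inbox, a hard link into the mail directory pointing at a file outside
    it, and a symlink to the same outside file. Returns, per name, either
    the bytes read or the rejection reason."""
    base = tempfile.mkdtemp()
    mail_root = os.path.join(base, "mail")
    os.mkdir(mail_root)
    inbox = os.path.join(mail_root, "inbox")
    with open(inbox, "wb") as f:
        f.write(b"From alice\nhello\n")
    # Stands in for a sensitive file outside the user's mail directory.
    secret = os.path.join(base, "secret")
    with open(secret, "wb") as f:
        f.write(b"not mail\n")
    os.link(secret, os.path.join(mail_root, "linked"))
    os.symlink(secret, os.path.join(mail_root, "sym"))

    uid = os.getuid()
    results = {}
    for name in ("inbox", "linked", "sym"):
        try:
            with open_mail_file(os.path.join(mail_root, name), mail_root, uid) as f:
                results[name] = f.read()
        except UnsafeMailFile as e:
            results[name] = "rejected: " + str(e)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

The symlink is caught by the realpath containment check before the open, and the hard link by the link count after it; the ownership check matters most on systems where a hard link to a root-owned file can still be created (fs.protected_hardlinks disabled), which is the situation the report describes.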
Either someone volunteers for maintaining this (and taking care of bumping it soon enough for getting security bugs fixed) or this is treecleaned
removed
@Pacho, what exactly was removed here? Vulnerable versions are still in tree.
$ git commit -m "app-admin/usermin: remove masked for removal package (#537528)"
Necesita una contraseña para desbloquear la clave secreta del usuario:
"Pacho Ramos (pacho) <pacho@condmat1.ciencias.uniovi.es>"
clave DSA de 1024 bits, ID A188FBD4, creada el 2009-07-21
[master 22d71b0] app-admin/usermin: remove masked for removal package (#537528)
 8 files changed, 222 deletions(-)
 delete mode 100644 app-admin/usermin/Manifest
 delete mode 100644 app-admin/usermin/files/init.d.usermin
 delete mode 100644 app-admin/usermin/files/usermin-1.080-safestop.patch
 delete mode 100644 app-admin/usermin/files/usermin-1.150-setup-nocheck.patch
 delete mode 100644 app-admin/usermin/files/usermin-1.540-r1.init
 delete mode 100644 app-admin/usermin/files/usermin.pam-include.1
 delete mode 100644 app-admin/usermin/metadata.xml
 delete mode 100644 app-admin/usermin/usermin-1.600.ebuild

Looks like I forgot to finally commit it.
Removed: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=22d71b0e5fd99e90d793daf129e5e8d2138be80a