> > Does this affect us?
> >
> > (1) HIGH: Perl Format String Vulnerability
> > Affected:
> > Perl versions 5.9.2 and 5.8.6 confirmed; potentially all Perl versions
> > Webmin version 1.23 and prior
> >
> > Description: Perl is widely used as a scripting language for a variety
> > of applications including web-based software. Perl contains a
> > vulnerability that can be triggered by passing a format specifier of the
> > form "%INT_MAXn". The vulnerability causes an integer variable in a Perl
> > function to wrap around (change its parity) that can be exploited to
> > execute arbitrary code. For instance, "%2147483647n" format specifier
> > will trigger the flaw in Perl running on 32-bit Operating Systems. Note
> > that the flaw can be exploited only via Perl-based applications that
> > contain a format string vulnerability. The discoverers have reportedly
> > found several applications that are vulnerable.
> > <<snip>>
>
> We are indeed vulnerable to this. As Pavel Kankovsky pointed out,
> RHL 7.3 is not likely vulnerable. But RHL 9, FC1 & FC2 appear to be
> vulnerable to this. This affects webmin as well, but we do not support
> webmin.

If you are running Webmin version 1.240 or older (and have logging via syslog
enabled), then this affects you. Webmin version 1.250 has been out for a while
which fixes this, so just upgrade.

http://www.webmin.com

Michael.

--
fedora-legacy-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-legacy-list
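Added example, not part of the original thread and not code from Perl or Webmin: the advisory says the flaw is reachable only through Perl applications that themselves have a format string bug, so this heuristic Python check flags Perl `printf`, `sprintf` and `syslog` calls whose format argument is not a fixed literal. It is line-based and does not parse Perl; the function names and the sample input are assumptions made for the illustration.

```python
import re

SQ, DQ = r"'(?:[^'\\]|\\.)*'", r'"(?:[^"\\]|\\.)*"'   # Perl quoted literals
TOKEN = re.compile(SQ + "|" + DQ + "|.")
FORMAT_ARG = {"printf": 0, "sprintf": 0, "syslog": 1}  # syslog: priority comes first
CALL = re.compile(r"\b(printf|sprintf|syslog)\b\s*\(?(.*)")

def split_args(text):
    """Split a call's arguments on top-level commas; stop at the closing ')' or ';'."""
    args, cur, depth = [], "", 0
    for tok in TOKEN.findall(text):
        if tok == "(":
            depth += 1
        elif tok == ")" and depth > 0:
            depth -= 1
        elif tok in (")", ";") and depth == 0:
            break
        elif tok == "," and depth == 0:
            args.append(cur.strip())
            cur = ""
            continue
        cur += tok
    return args + [cur.strip()]

def is_risky_format(arg):
    """Only a quoted literal with no interpolated variable counts as a fixed format."""
    arg = re.sub(r"^[A-Z][A-Z0-9_]*\s+", "", arg)  # drop a filehandle: printf STDERR ...
    if re.fullmatch(DQ, arg):
        return re.search(r"(?<!\\)[$@]\w", arg) is not None
    return not re.fullmatch(SQ, arg)

def scan(source):
    findings = []  # (line, function, format argument) for each call needing review
    for lineno, line in enumerate(source.splitlines(), 1):
        m = None if line.lstrip().startswith("#") else CALL.search(line)
        if m:
            fmt = (split_args(m.group(2)) + [""])[FORMAT_ARG[m.group(1)]]
            if fmt and is_risky_format(fmt):
                findings.append((lineno, m.group(1), fmt))
    return findings

# Constructed Perl input (not taken from Webmin or any real project).
SAMPLE = r'''
syslog('info', "Invalid login as $user");
syslog('info', '%s', "Invalid login as $user");
printf STDERR $msg;
printf("%-10s %d\n", $name, $count);
my $s = sprintf($fmt, $a, $b);
'''
```

Running `scan(SAMPLE)` reports lines 2, 4 and 6; the second `syslog` call shows the corrected form, where the format is the constant `'%s'` and the variable text is passed as data.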