-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_______________________________________________________________________

Mandriva Linux Security Advisory                         MDVSA-2014:062
http://www.mandriva.com/en/support/security/
_______________________________________________________________________

Package : webmin
Date    : March 17, 2014
Affected: Business Server 1.0, Enterprise Server 5.0
_______________________________________________________________________

Problem Description:

Multiple vulnerabilities were discovered and corrected in webmin:

Multiple XSS, CSRF, and arbitrary code execution vulnerabilities
that impact Webmin versions prior to 1.620 (CVE-2012-2981,
CVE-2012-2982, CVE-2012-2983, CVE-2012-4893, SA51201).

The 1.680 version fixed security issues that could be exploited by
untrusted Webmin users in the PHP Configuration and Webalizer modules.

The Authen::Libwrap perl module used by Webmin is also being provided.

The updated packages have been upgraded to the 1.680 version, which
is not vulnerable to these issues.
_______________________________________________________________________

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2981
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2982
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2983
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4893
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0125
http://advisories.mageia.org/MGASA-2014-0132.html
http://www.webmin.com/changes.html
_______________________________________________________________________

Updated Packages:

Mandriva Enterprise Server 5:
b76972171f63033b2f329e6490976419  mes5/i586/perl-Authen-Libwrap-0.22-0.1mdvmes5.2.i586.rpm
ac443c2645558464be805b492db9baeb  mes5/i586/webmin-1.680-0.1mdvmes5.2.noarch.rpm
4b77afd5678423a573747acd179fa239  mes5/SRPMS/perl-Authen-Libwrap-0.22-0.1mdvmes5.2.src.rpm
cd4fb9d6f928dc92f5430ec9a085620e  mes5/SRPMS/webmin-1.680-0.1mdvmes5.2.src.rpm

Mandriva Enterprise Server 5/X86_64:
c3caa33d699773dc6e425c6363c6df8f  mes5/x86_64/perl-Authen-Libwrap-0.22-0.1mdvmes5.2.x86_64.rpm
11118140d6c7b10d0d09daeb3e31991b  mes5/x86_64/webmin-1.680-0.1mdvmes5.2.noarch.rpm
4b77afd5678423a573747acd179fa239  mes5/SRPMS/perl-Authen-Libwrap-0.22-0.1mdvmes5.2.src.rpm
cd4fb9d6f928dc92f5430ec9a085620e  mes5/SRPMS/webmin-1.680-0.1mdvmes5.2.src.rpm

Mandriva Business Server 1/X86_64:
9c2db8945efb78cb14b62bf684c3ac8a  mbs1/x86_64/perl-Authen-Libwrap-0.220.0-2.mbs1.x86_64.rpm
fbf3cbaf7c38211734c7e194478266a4  mbs1/x86_64/webmin-1.680-1.mbs1.noarch.rpm
9ab9a3275bfc6c78087d948d9d6dd499  mbs1/SRPMS/perl-Authen-Libwrap-0.220.0-2.mbs1.src.rpm
c1b87681dfd413012e0867c8109629ac  mbs1/SRPMS/webmin-1.680-1.mbs1.src.rpm
_______________________________________________________________________

To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandriva for security.
You can obtain the GPG public key of the Mandriva Security Team by
executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
_______________________________________________________________________

Type Bits/KeyID     Date       User ID
pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFTJuP1mqjQ0CJFipgRAhC+AJ9DRGJv63JJDYj1aOq2dGQ4gYtsJwCgl4VQ
E51kan9dXAlHxnPVzflibaY=
=MQUx
-----END PGP SIGNATURE-----