=====================================================================
                                  CERT-Renater

                       Information Note No. 2005/VULN603
_____________________________________________________________________

DATE                      : 10/10/2005

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running webmin.

======================================================================

  _______________________________________________________________________

                 Mandriva Linux Security Update Advisory
  _______________________________________________________________________

  Package name:           webmin
  Advisory ID:            MDKSA-2005:176
  Date:                   October 7th, 2005

  Affected versions:      2006.0
  ______________________________________________________________________

  Problem Description:

  Miniserv.pl in Webmin 1.220, when "full PAM conversations" is enabled,
  allows remote attackers to bypass authentication by spoofing session
  IDs via certain metacharacters (line feed or carriage return).

  The updated packages have been patched to correct this issue.
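  The bug class behind this advisory is worth seeing in code: an attacker-
  controlled session identifier is copied into a newline-delimited channel
  between the web front end and a privileged helper, so a line feed or
  carriage return inside the identifier is read by the helper as the start of
  a second command. The example below is an added illustration written for
  this note, not Webmin's miniserv.pl code; the "check"/"add" line protocol,
  the SessionHelper class and the cookie value are a constructed model of the
  problem, not the actual PAM conversation mechanism. It shows the vulnerable
  lookup beside a hardened one that validates the identifier against a strict
  alphabet before it reaches the channel.

```python
"""Added illustration of CR/LF command smuggling through a session identifier.
Not Webmin code: the helper protocol below is a constructed model for this note."""
import re


class SessionHelper:
    """Privileged helper that owns the session table and speaks a
    one-command-per-line text protocol (constructed for this example)."""

    def __init__(self):
        self.sessions = {}  # session id -> user name

    def handle(self, request: str) -> list:
        """Process every line in the request buffer; one reply per command line.
        This is the weak spot: the helper trusts line boundaries as framing."""
        replies = []
        for line in request.splitlines():  # splits on \n, \r and \r\n alike
            parts = line.split()
            if not parts:
                continue
            if parts[0] == "check" and len(parts) == 2:
                replies.append(self.sessions.get(parts[1], "none"))
            elif parts[0] == "add" and len(parts) == 3:
                self.sessions[parts[1]] = parts[2]  # create a session (normally only after login)
                replies.append("ok")
            else:
                replies.append("error")
        return replies


# Strict alphabet for session identifiers: no whitespace, no framing characters.
SESSION_ID_RE = re.compile(r"[A-Za-z0-9]{1,64}")


def vulnerable_lookup(helper: SessionHelper, cookie: str) -> str:
    """Front end that forwards the raw cookie value as a 'check' line.
    A cookie containing a line feed becomes two commands on the helper side."""
    replies = helper.handle(f"check {cookie}\n")
    return replies[0]  # only the first reply is consumed; the extra command already ran


def hardened_lookup(helper: SessionHelper, cookie: str) -> str:
    """Same lookup, but the identifier is validated before it goes near the channel."""
    if not SESSION_ID_RE.fullmatch(cookie):
        return "none"  # reject anything that could carry a line terminator
    return helper.handle(f"check {cookie}\n")[0]


def demo() -> tuple:
    """Constructed attack cookie: a bogus id followed by a smuggled 'add' command."""
    payload = "junk\nadd junk root"

    h = SessionHelper()
    first = vulnerable_lookup(h, payload)  # 'none' for the bogus id ...
    after = vulnerable_lookup(h, "junk")   # ... but the smuggled 'add' took effect: 'root'

    h2 = SessionHelper()
    hardened_lookup(h2, payload)           # rejected before reaching the helper
    after2 = hardened_lookup(h2, "junk")   # still 'none'
    return first, after, after2


if __name__ == "__main__":
    print(demo())
```

  Validation is the minimal fix; a framing that does not depend on line
  terminators at all (length-prefixed fields, or an escaping scheme the helper
  unescapes) removes the ambiguity rather than filtering for it.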
  _______________________________________________________________________

  References:

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3042
  ______________________________________________________________________

  Updated Packages:

  Mandrivalinux 2006.0:
  a848ccbf6344438775ec1304879aef4d  2006.0/RPMS/webmin-1.220-9.1.20060mdk.noarch.rpm
  bd414e303f86c49a7544a9b8bb99d4a9  2006.0/SRPMS/webmin-1.220-9.1.20060mdk.src.rpm

  Mandrivalinux 2006.0/X86_64:
  c9aa3f93679c4aa22d0d56843315bb13  x86_64/2006.0/RPMS/webmin-1.220-9.1.20060mdk.noarch.rpm
  bd414e303f86c49a7544a9b8bb99d4a9  x86_64/2006.0/SRPMS/webmin-1.220-9.1.20060mdk.src.rpm
  _______________________________________________________________________

  To upgrade automatically use MandrakeUpdate or urpmi.  The verification
  of md5 checksums and GPG signatures is performed automatically for you.

  All packages are signed by Mandriva for security.  You can obtain the
  GPG public key of the Mandriva Security Team by executing:

   gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
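  When the packages are fetched by hand rather than through urpmi, the md5sum
  list above and the package signature can be checked manually. The script
  below is an added example written for this note, not part of the Mandriva
  advisory; it assumes GNU coreutils md5sum, and the signature step assumes
  rpm is installed and key 0x22458A98 has been imported into the RPM keyring.

```sh
#!/bin/sh
# Added example (not from the advisory): check downloaded RPMs against the
# advisory's md5sum list and their GPG signature before installing.

# Compare FILE's MD5 with the 32-hex-digit EXPECTED value from the advisory.
# Returns 0 on match, 1 on mismatch.
verify_md5() {
    expected=$1
    file=$2
    actual=$(md5sum "$file" | cut -d ' ' -f 1)
    [ "$actual" = "$expected" ]
}

# Read "md5sum  path" pairs on stdin (paste the Updated Packages block),
# report each one and return 1 if any file is missing or mismatched.
verify_list() {
    status=0
    while read -r sum path; do
        [ -n "$sum" ] || continue
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; status=1
        elif verify_md5 "$sum" "$path"; then
            echo "OK       $path"
        else
            echo "MISMATCH $path"; status=1
        fi
    done
    return $status
}

# An MD5 match only rules out a corrupted download; the GPG signature is what
# ties the package to Mandriva. Fail closed if rpm is not available.
check_signature() {
    if command -v rpm >/dev/null 2>&1; then
        rpm --checksig "$1"
    else
        echo "rpm not available; cannot verify signature of $1" >&2
        return 2
    fi
}

# Usage:
#   verify_list <<'EOF'
#   a848ccbf6344438775ec1304879aef4d  2006.0/RPMS/webmin-1.220-9.1.20060mdk.noarch.rpm
#   EOF
#   check_signature 2006.0/RPMS/webmin-1.220-9.1.20060mdk.noarch.rpm
```

  MD5 is not collision-resistant, so treat a matching checksum as a transport
  check only and rely on the signature for authenticity.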

  You can view other update advisories for Mandriva Linux at:

   http://www.mandriva.com/security/advisories

  If you want to report vulnerabilities, please contact

   security_(at)_mandriva.com
  _______________________________________________________________________

  Type Bits/KeyID     Date       User ID
  pub  1024D/22458A98 2000-07-10 Mandriva Security Team
   <security*mandriva.com>

======================================================================

         =========================================================
         CERT-Renater reference servers
         http://www.urec.fr/securite
         http://www.cru.fr/securite
         http://www.renater.fr
         =========================================================
         + CERT-RENATER          | tel : 01-53-94-20-44          +
         + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
         + 75013 Paris           | email: certsvp@renater.fr     +
         =========================================================