Support / Security / Advisories / Corporate Server 3.0 / MDKSA-2006:125

Package name: webmin
Date: 2006-07-18
Advisory ID: MDKSA-2006:125
Affected versions: CS3.0 i586 , 2006.0 i586 , 2006.0 x86_64 , CS3.0 x86_64

Problem description

Webmin before 1.290 and Usermin before 1.220 calls the simplify_path
function before decoding HTML, which allows remote attackers to read
arbitrary files. NOTE: This is a different issue than CVE-2006-3274.

Updated packages have been patched to correct this issue.

Updated packages

CS3.0 i586

 9c95b1373fe69a80ebfe6262921fcc52  corporate/3.0/RPMS/webmin-1.121-4.6.C30mdk.noarch.rpm
 fc39f0e98dc5dcece871c18f7a1f3e09  corporate/3.0/SRPMS/webmin-1.121-4.6.C30mdk.src.rpm

2006.0 i586

 b389424c7b84f96e37c0db9dcb3e9b01  2006.0/RPMS/webmin-1.220-9.4.20060mdk.noarch.rpm
 eb4ea546b5d8a4a8401ddba2eee04aea  2006.0/SRPMS/webmin-1.220-9.4.20060mdk.src.rpm

2006.0 x86_64

 b389424c7b84f96e37c0db9dcb3e9b01  x86_64/2006.0/RPMS/webmin-1.220-9.4.20060mdk.noarch.rpm
 eb4ea546b5d8a4a8401ddba2eee04aea  x86_64/2006.0/SRPMS/webmin-1.220-9.4.20060mdk.src.rpm

CS3.0 x86_64

 9c95b1373fe69a80ebfe6262921fcc52  x86_64/corporate/3.0/RPMS/webmin-1.121-4.6.C30mdk.noarch.rpm
 fc39f0e98dc5dcece871c18f7a1f3e09  x86_64/corporate/3.0/SRPMS/webmin-1.121-4.6.C30mdk.src.rpm

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3392