Your message dated Fri, 23 May 2008 17:51:02 +0100
with message-id <[EMAIL PROTECTED]>
and subject line webmin has been removed from Debian, closing #381537
has caused the Debian Bug report #381537,
regarding CVE-2006-3392: Arbitrary file disclosure in webmin
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
381537: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=381537
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
--- Begin Message ---
Package: webmin
Version: 1.180-3
Severity: grave
Tags: security
Justification: user security hole
CVE-2006-3392 reads:
Webmin before 1.290 and Usermin before 1.220 calls the simplify_path
function before decoding HTML, which allows remote attackers to read
arbitrary files, as demonstrated using "..%01" sequences, which bypass
the removal of "../" sequences before bytes such as "%01" are removed
from the filename. NOTE: This is a different issue than
CVE-2006-3274.
--- End Message ---
--- Begin Message ---
Version: 1.230-1+rm
The webmin package has been removed from Debian testing, unstable and
experimental, so I am now closing the bugs that were still opened
against it.
For more information about this package's removal, read
http://bugs.debian.org/343897 . That bug might give the reasons why
this package was removed, and suggestions of possible replacements.
Don't hesitate to reply to this mail if you have any question.
Thank you for your contribution to Debian.
--
Marco Rodrigues
http://Marco.Tondela.org
--- End Message ---
