Package: webmin
Version: 0.94-7woody3
Severity: grave
Tags: security
Justification: user security hole

I installed webmin on two systems; both installations had the same SSL certificate fingerprint. As each install appears to use the same key, it may be possible for a man in the middle to decrypt administrative traffic, recover passwords and hijack sessions. See http://xforce.iss.net/xforce/xfdb/10381

There may well be a workaround; however, I have been unable to find one.

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux nahanni 2.4.26-linode32-2um #1 Mon Aug 2 17:53:57 EDT 2004 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages webmin depends on:
ii  debconf             1.0.32     Debian configuration management sy
ii  libauthen-pam-perl  0.12-2     This module provides a Perl interf
ii  libnet-ssleay-perl  1.08-1.1   Perl module for Secure Sockets Lay
ii  perl                5.6.1-8.7  Larry Wall's Practical Extraction
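The check behind this report is a fingerprint comparison: if the certificate presented by several hosts hashes to the same value, they share a key. The following script is an added example (not part of the bug report, the Debian package, or Webmin itself) that computes the fingerprint of PEM certificates the same way `openssl x509 -fingerprint` does and flags hosts whose certificates collide. It uses only the Python standard library; the certificate bodies in `SAMPLE_CERTS` are constructed placeholder bytes wrapped in PEM armour, not real Webmin key material, and the host names are assumptions.

```python
"""Detect a TLS certificate shared across several hosts by comparing fingerprints.

Added example for the webmin shared-certificate report; not code from the
Debian package or Webmin. Standard library only. The certificate material
below is constructed placeholder data, not real key material.
"""
import base64
import hashlib
import ssl
from collections import defaultdict


def fingerprint(pem_cert: str, algo: str = "sha256") -> str:
    """Return the colon-separated hex digest of a PEM certificate's DER form.

    This is the value 'openssl x509 -noout -fingerprint -<algo>' prints for
    the same certificate, so it can be compared against a known default.
    """
    der = ssl.PEM_cert_to_DER_cert(pem_cert)  # strips armour, base64-decodes
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def find_shared_certs(certs_by_host: dict) -> dict:
    """Group hosts by certificate fingerprint; return only groups of two or more.

    A non-empty result means the listed hosts present the same certificate and
    therefore (barring an unusual deployment) the same private key.
    """
    groups = defaultdict(list)
    for host, pem in certs_by_host.items():
        groups[fingerprint(pem)].append(host)
    return {fp: sorted(hosts) for fp, hosts in groups.items() if len(hosts) > 1}


def _fake_pem(payload: bytes) -> str:
    """Wrap arbitrary bytes in PEM armour to stand in for a certificate (constructed)."""
    body = base64.encodebytes(payload).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed sample: two hosts still on the packaged default certificate and
# one host whose administrator regenerated a unique certificate (assumed names).
SAMPLE_CERTS = {
    "host-a.example": _fake_pem(b"packaged-default-certificate"),
    "host-b.example": _fake_pem(b"packaged-default-certificate"),
    "host-c.example": _fake_pem(b"locally-generated-certificate"),
}


if __name__ == "__main__":
    shared = find_shared_certs(SAMPLE_CERTS)
    if not shared:
        print("no shared certificates found")
    for fp, hosts in shared.items():
        print(f"shared certificate {fp} presented by: {', '.join(hosts)}")
```

In practice you would feed `find_shared_certs` the PEM output of `openssl s_client` against each host rather than the constructed strings, and compare the fingerprints against the one shipped with the package. A collision confirms the exposure described in the report; the remedy is to generate a fresh key and self-signed certificate on each host and point the Webmin server at that file instead of the packaged one (the exact configuration location depends on the package and is not given in the report).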