Bug 14951

Summary:	usermin, usermin-webmail new security issue fixed upstream in 1.640 (CVE-2015-1377)
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	Mageia Bug Squad <bugsquad>
Status:	RESOLVED OLD	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	dpremy
Version:	4
Target Milestone:	---
Hardware:	i586
OS:	Linux
Whiteboard:
Source RPM:	usermin, usermin-webmail	CVE:
Status comment:
Bug Depends on:	14931
Bug Blocks:

Description David Walser 2015-01-05 03:36:58 CET

+++ This bug was initially created as a clone of Bug #14931 +++

The release announcement and changelog for webmin 1.730 and usermin/usermin-webmail 1.640 have these statements, respectively:
"This update includes security fixes to produce against malicious links in the Read Mail module"
"All operations on user mailboxes are now performed with the permissions of the user, to prevent attacks using malicious symlinks."

Updates have been built for Mageia 4.

The webmin update was handled in Bug 14931.

For usermin and usermin-webmail, issues were found while testing the updates:
https://bugs.mageia.org/show_bug.cgi?id=14931#c3

This was the first attempt to update these packages, which have been unmaintained since they were imported into Mageia.  They need some more work.

David Walser 2015-01-05 03:41:02 CET

Source RPM: webmin, usermin, usermin-webmail => usermin, usermin-webmail

Comment 1 David Walser 2015-01-19 21:16:41 CET

CVE request:
http://openwall.com/lists/oss-security/2015/01/19/3

Comment 2 David Walser 2015-01-27 20:22:45 CET

CVE-2015-1377 has been assigned:
http://openwall.com/lists/oss-security/2015/01/27/16

Summary: usermin, usermin-webmail new security issue fixed upstream in 1.640 => usermin, usermin-webmail new security issue fixed upstream in 1.640 (CVE-2015-1377)

Comment 3 David Walser 2015-03-26 20:29:31 CET

The updates_testing builds have been updated to 1.650.

usermin-1.650-1.mga4
usermin-webmail-1.650-1.mga4

Comment 4 David Remy 2015-03-27 05:11:34 CET

Tested on mga4 32bit

Installed webmin-1.730-1.mga4 and usermin-1.500-4.mga4. Webmin was working on https://localhost:10000/ and usermin was not available on https://localhost:20000/, as expected.

Interestingly enough once I upgraded usermin-1.650-1.mga4 this switched, webmin on port 10000 was no longer available and usermin on 20000 was up and running. The install didn't show webmin being removed, however it seems to be.

sudo urpmi usermin-1.650-1.mga4
rsync://mirrors.kernel.org/mirrors/mageia/distrib/4/i586/media/core/updates_testing/usermin-1.650-1.mga4.noarch.rpm
installing usermin-1.650-1.mga4.noarch.rpm from /var/cache/urpmi/rpms
Preparing... #############################################
1/1: usermin #############################################
1/1: removing usermin-1.500-4.mga4.noarch
#############################################

However removing usermin and then trying to install webmin, which should have been installed, it reinstalled webmin.

urpmi webmin
rsync://mirrors.kernel.org/mirrors/mageia/distrib/4/i586/media/core/updates/webmin-1.730-1.mga4.noarch.rpm
installing webmin-1.730-1.mga4.noarch.rpm from /var/cache/urpmi/rpms
Preparing... #############################################
1/1: webmin #############################################
webmin.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig --no-reload --no-redirect webmin on

This happened to when installing webmail. webmin was uninstalled and webmail came up on port 20000, but with errors.

quota::list_system_info failed : Undefined subroutine "a::user_filesystems called at /usr/share/usermin/quota/system_info.pl line 11.

Comment 5 David Walser 2015-09-02 17:36:31 CEST

With only a couple of weeks remaining in Mageia 4's lifetime, we don't have time to fix this and test it.  This package has been dropped and no longer exists in Mageia as of Mageia 5.  Closing this as OLD.

Resolution: (none) => OLD
Status: NEW => RESOLVED