| Summary: | webmin new XSS security issue in xmlrpc.cgi fixed upstream in 1.760 (CVE-2015-1990) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | sysadmin-bugs, wilcal.int |
| Version: | 5 | Keywords: | validated_update |
| Target Milestone: | --- | ||
| Hardware: | i586 | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/656990/ | ||
| Whiteboard: | MGA4TOO has_procedure advisory MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK | ||
| Source RPM: | webmin-1.730-2.mga5.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2015-06-22 00:30:15 CEST
David Walser
2015-06-22 00:30:22 CEST
Whiteboard:
(none) =>
MGA4TOO This has been listed on upstream's security page with a CVE: http://www.webmin.com/security.html Updated packages uploaded for Mageia 4, Mageia 5, and Cauldron. Advisory: ======================== Updated webmin package fixes security vulnerability: A malicious website could create links or Javascript referencing the xmlrpc.cgi script, triggered when a user logged into Webmin visits the attacking site (CVE-2015-1990). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1990 http://www.webmin.com/changes.html http://www.webmin.com/security.html ======================== Updated packages in core/updates_testing: ======================== webmin-1.760-1.mga4 webmin-1.760-1.mga5 from SRPMS: webmin-1.760-1.mga4.src.rpm webmin-1.760-1.mga5.src.rpm Assignee:
bugsquad =>
qa-bugs In VirtualBox, M4, KDE, 32-bit Package(s) under test: webmin default install of webmin [root@localhost wilcal]# urpmi webmin Package webmin-1.730-1.mga4.noarch is already installed webmin is accessible at: https://localhost:10000/ I can view the Hardware -> Partitions on Local Disks I can view Servers -> Apache/ProFTPD/SSH I can access webmin and do the same from another M5 system on the LAN at: https://192.168.1.140:10000/ install webmin from updates_testing stop and restart webmin [root@localhost wilcal]# urpmi webmin Package webmin-1.760-1.mga4.noarch is already installed webmin is accessible at: https://localhost:10000/ I can view the Hardware -> Partitions on Local Disks I can view Servers -> Apache/ProFTPD/SSH I can access webmin and do the same from another M5 system on the LAN at: https://192.168.1.140:10000/ CC:
(none) =>
wilcal.int In VirtualBox, M4, KDE, 64-bit Package(s) under test: webmin default install of webmin [root@localhost wilcal]# urpmi webmin Package webmin-1.730-1.mga4.noarch is already installed webmin is accessible at: https://localhost:10000/ I can view the Hardware -> Partitions on Local Disks I can view Servers -> Apache/ProFTPD/SSH I can access webmin and do the same from another M5 system on the LAN at: https://192.168.1.142:10000/ install webmin from updates_testing stop and restart webmin [root@localhost wilcal]# urpmi webmin Package webmin-1.760-1.mga4.noarch is already installed webmin is accessible at: https://localhost:10000/ I can view the Hardware -> Partitions on Local Disks I can view Servers -> Apache/ProFTPD/SSH I can access webmin and do the same from another M5 system on the LAN at: https://192.168.1.142:10000/ In VirtualBox, M5, KDE, 32-bit Package(s) under test: webmin default install of webmin [root@localhost wilcal]# urpmi webmin Package webmin-1.730-2.mga5.noarch is already installed webmin is accessible at: https://localhost:10000/ I can view the Hardware -> Partitions on Local Disks I can view Servers -> Apache/ProFTPD/SSH I can access webmin and do the same from another M5 system on the LAN at: https://192.168.1.143:10000/ install webmin from updates_testing stop and restart webmin [root@localhost wilcal]# urpmi webmin Package webmin-1.760-1.mga5.noarch is already installed webmin is accessible at: https://localhost:10000/ I can view the Hardware -> Partitions on Local Disks I can view Servers -> Apache/ProFTPD/SSH I can access webmin and do the same from another M5 system on the LAN at: https://192.168.1.143:10000/ Whiteboard:
MGA4TOO MGA4-32-OK =>
MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK In VirtualBox, M5, KDE, 64-bit Package(s) under test: webmin default install of webmin [root@localhost wilcal]# urpmi webmin Package webmin-1.730-2.mga5.noarch is already installed webmin is accessible at: https://localhost:10000/ I can view the Hardware -> Partitions on Local Disks I can view Servers -> Apache/ProFTPD/SSH I can access webmin and do the same from another M5 system on the LAN at: https://192.168.1.141:10000/ install webmin from updates_testing stop and restart webmin [root@localhost wilcal]# urpmi webmin Package webmin-1.760-1.mga5.noarch is already installed webmin is accessible at: https://localhost:10000/ I can view the Hardware -> Partitions on Local Disks I can view Servers -> Apache/ProFTPD/SSH I can access webmin and do the same from another M5 system on the LAN at: https://192.168.1.141:10000/ Whiteboard:
MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK =>
MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK This update works fine. Testing complete for MGA4 & MGA5, 32-bit & 64-bit Validating the update. Could someone from the sysadmin team push to updates. Thanks Keywords:
(none) =>
validated_update Advisory uploaded. Whiteboard:
MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK =>
MGA4TOO has_procedure advisory MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0344.html Status:
NEW =>
RESOLVED
David Walser
2015-09-09 19:51:00 CEST
URL:
(none) =>
http://lwn.net/Vulnerabilities/656990/ |