Bug 20085

Summary: webmin new security issue fixed upstream in 1.801
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: herman.viaene, lewyssmith, sysadmin-bugs
Version: 5
Keywords: validated_update
Target Milestone: ---
Hardware: All
OS: Linux
URL: https://lwn.net/Vulnerabilities/711587/
Whiteboard: MGA5-32-OK advisory MGA5-64-OK
Source RPM: webmin-1.760-1.mga5.src.rpm
CVE:
Status comment:

Description David Walser 2017-01-08 02:29:57 CET
The webmin site says that a security issue in the Authentic theme was fixed in 1.801 (and possibly 1.810):
http://www.webmin.com/
http://www.webmin.com/changes.html

Update to 1.831 checked into Mageia 5 SVN (pending freeze push in Cauldron).

Comment 1 David Walser 2017-01-08 16:03:08 CET
Advisory:
========================

Updated webmin package fixes security vulnerability:

The webmin package has been updated to version 1.831, fixing possible security
issues in the Authentic theme (fixed in 1.801 and/or 1.810), and containing
several other bug fixes and enhancements.  See the upstream release
announcements and change log for details.

References:
http://www.webmin.com/
http://www.webmin.com/changes.html
========================

Updated packages in core/updates_testing:
========================
webmin-1.831-1.mga5

from webmin-1.831-1.mga5.src.rpm

Assignee: bugsquad => qa-bugs

Comment 2 Herman Viaene 2017-01-10 11:58:17 CET
MGA5-32 on AcerD620 Xfce
No installation issues
At CLI I got
$ webmin
Starting webmin (via systemctl):                              [  OK  ]
Installation problem. Please reinstall.

Started webmin from https://localhost:10000/ and could log in. Used it to look at System modules, mysql and apache server. All looks well.

Whiteboard: (none) => MGA5-32-OK
CC: (none) => herman.viaene

Lewis Smith 2017-01-11 10:19:16 CET

CC: (none) => lewyssmith
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory

Comment 3 Lewis Smith 2017-01-11 11:57:18 CET
Testing Mageia 5 x64

BEFORE the update: webmin-1.760-1.mga5
 # webmin
 Starting webmin (via systemctl):                              [ OK ]
 Launching `/usr/bin/www-browser' with param `https://localhost:10000/'

was not immediately successful. It launched Firefox which complained on several fronts: first that it had not been used for some time - untrue! - and wanting to refresh itself; mystery. Then "Your connection is not safe" "The owner of localhost has configured its website incorrectly. To prevent your details from being stolen, Firefox has not connected to the website".
'Advanced' shows:
"localhost:10000 uses an invalid security certificate.
The certificate is not trusted because it is self-signed. The certificate is only valid for *
Error code: SEC_ERROR_UNKNOWN_ISSUER"

With trepidation for the future, hoping it will not have wider implications, I permitted this exception (as invited to), and ended up with the Webmin login screen. What to enter? Normal user/PW failed, 'root'/PW worked. The entry screen showed "Webmin version 1.831 is now available, but you are running version 1.760." and looked complete. Logged out, closed Firefox.

AFTER update: webmin-1.831-1.mga5
 https://localhost:10000/
immediately showed the login screen. Logged in as root, added a new user to see & do everything, used that to look around. Impressive application!

Update OK, validating, advisoried already.

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK advisory => MGA5-32-OK advisory MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2017-01-13 11:33:08 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0017.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2017-01-15 00:05:08 CET

URL: (none) => https://lwn.net/Vulnerabilities/711587/