Bug 30116

Summary: webmin new security issues CVE-2022-0824 and CVE-2022-0829
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: webmin-1.979-1.1.mga8.src.rpm CVE:
Status comment:

Description David Walser 2022-03-04 19:13:45 CET 
Webmin 1.990 has been released on March 3, fixing two security issues:
https://www.webmin.com/security.html
https://www.webmin.com/changes.html

Advisory:
========================

Updated webmin package fixes security vulnerabilities:

Less privileged Webmin users who do not have any File Manager module
restrictions configured can access files with root privileges, if using the
default Authentic theme (CVE-2022-0824, CVE-2022-0829).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0824
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0829
https://www.webmin.com/security.html
https://www.webmin.com/changes.html
========================

Updated package in core/updates_testing:
========================
webmin-1.990-1.mga8

from webmin-1.990-1.mga8.src.rpm
Comment 1 Herman Viaene 2022-03-05 20:19:54 CET 
MGA8-64 Plasma on Lenovo B50 in Dutch
No installattion issues.
Checked that webmin was running after installation:
# systemctl -l status webmin
● webmin.service - LSB: Webmin is a remote administration tool using web-browser
     Loaded: loaded (/etc/rc.d/init.d/webmin; generated)
     Active: active (running) since Sat 2022-03-05 19:58:33 CET; 3min 29s ago
       Docs: man:systemd-sysv-generator(8)
   Main PID: 5643 (miniserv.pl)
      Tasks: 1 (limit: 9397)
     Memory: 26.3M
        CPU: 3.643s
     CGroup: /system.slice/webmin.service
             └─5643 /usr/bin/perl /usr/share/webmin/miniserv.pl /etc/webmin/miniserv.conf

mrt 05 19:58:30 mach5.hviaene.thuis systemd[1]: Starting LSB: Webmin is a remote administration tool using web-browser...
mrt 05 19:58:30 mach5.hviaene.thuis webmin[5633]: Starting Webmin
mrt 05 19:58:30 mach5.hviaene.thuis webmin[5639]: Starting Webmin server in /usr/share/webmin
mrt 05 19:58:31 mach5.hviaene.thuis perl[5639]: pam_unix(webmin:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=root
mrt 05 19:58:33 mach5.hviaene.thuis webmin[5639]: Webmin starting
mrt 05 19:58:33 mach5.hviaene.thuis systemd[1]: Started LSB: Webmin is a remote administration tool using web-browser.
mrt 05 19:58:39 mach5.hviaene.thuis systemd[1]: /run/systemd/generator.late/webmin.service:22: PIDFile= references a path below legacy directory /var/run/, updating /var/run/webmin/miniserv.pid → /run/webmin/mini>

Pointed browser to https://localhost:10000/
and opened different modules in the sections System (running processes), Servers (Apache (stopped and started it),Maria DB (opened one and checked presence of tables), Samba), Tools (System and Server status), Networking (Firewall), Hardware (Partitions on local disk, Printer administration).
All opened OK with sensible info.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 2 Thomas Andrews 2022-03-06 21:41:22 CET 
Validating. Advisory in Comment 0.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-03-07 20:58:43 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 3 Mageia Robot 2022-03-08 00:11:22 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0090.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED