Bug 30465

Summary: webmin new security issue CVE-2022-30708
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, herman.viaene, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: webmin-1.990-1.mga8.src.rpm CVE:
Status comment:

Description David Walser 2022-05-23 17:27:16 CEST 
Webmin 1.990 has been released on May 22, fixing a security issue:
https://www.webmin.com/security.html
https://www.webmin.com/changes.html

Advisory:
========================

Updated webmin package fixes security vulnerability:

Less privileged Webmin users (excluding those created by Virtualmin and
Cloudmin) can modify arbitrary files with root privileges, and so run commands
as root (CVE-2022-30708).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30708
https://www.webmin.com/security.html
https://www.webmin.com/changes.html
========================

Updated package in core/updates_testing:
========================
webmin-1.993-1.mga8

from webmin-1.993-1.mga8.src.rpm
Comment 1 David Walser 2022-05-24 16:46:25 CEST 
Comment 0 should have said 1.994.

Updated package in core/updates_testing:
========================
webmin-1.994-1.mga8

from webmin-1.994-1.mga8.src.rpm
Comment 2 Herman Viaene 2022-06-01 14:15:04 CEST 
MGA8-64 Plasma on Lenovo B50 in Dutch.
No installation issues.
Checked System- Software package updates, lists 133 packages fof which new versions are available.
System- Users and groups:looks OK
Servers: checked that apache, mysql, postgres could be started and stopped, checked using systemctl
Tools: checked System and Server Status
Networking: checked Network Configuration, Network Utilities and Shorewall Firewall
All looks OK with valid and expected values.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 3 Thomas Andrews 2022-06-01 15:11:36 CEST 
Validating. Advisory in Comment 0.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-06-02 22:50:12 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 4 Mageia Robot 2022-06-03 19:16:25 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0216.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED