Bug 13013 - webmin new security issues fixed upstream in 1.680
Summary: webmin new security issues fixed upstream in 1.680
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal Severity: normal
Target Milestone: ---
Assigned To: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/590906/
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32...
Keywords: validated_update
Depends on:
Blocks: 10713

Reported: 2014-03-13 18:14 CET by David Walser
Modified: 2014-03-18 17:51 CET
Source RPM: webmin-1.660-2.mga4.src.rpm

Description David Walser 2014-03-13 18:14:53 CET
Upstream has released version 1.680 today (March 13).

The official release announcement and changelog haven't been posted yet.

Looking at the git commit log, it looks like there are multiple security fixes related to log viewing, including an XSS issue, and an issue that allows someone to view any file on the server system.  I'll post an advisory once the upstream changelog is available.

The Mageia 3 update will also fix the two issues reported in Bug 10713.

Updated packages in core/updates_testing:
========================
webmin-1.680-1.mga3
webmin-1.680-1.mga4

from SRPMS:
webmin-1.680-1.mga3.src.rpm
webmin-1.680-1.mga4.src.rpm

Comment 1 David Walser 2014-03-13 18:37:32 CET
Git commit log:
https://github.com/webmin/webmin/commits/master

Upstream changelog page:
http://www.webmin.com/changes.html

Comment 2 William Kenney 2014-03-14 14:54:55 CET
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
webmin

default install of package

[root@localhost wilcal]# urpmi webmin
Package webmin-1.620-3.mga3.noarch is already installed

Webmin opens at Port:10000. Data can be viewed,
configurations can be changed

install package from updates_testing

restart webmin

[root@localhost wilcal]# urpmi webmin
Package webmin-1.680-1.mga3.noarch is already installed

Webmin opens at Port:10000. Data can be viewed,
configurations can be changed

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm

Comment 3 David Walser 2014-03-14 14:59:25 CET
The upstream changelog is posted.

Advisory:
========================

Updated webmin package fixes security vulnerabilities:

Webmin has been updated to version 1.680, which fixes some security issues in
the PHP Configuration and Webalizer modules, as well as several other bugs.

References:
http://www.webmin.com/changes.html

Comment 4 William Kenney 2014-03-14 15:09:20 CET
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
webmin

default install of package

[root@localhost wilcal]# urpmi webmin
Package webmin-1.620-3.mga3.noarch is already installed

Webmin opens at Port:10000. Data can be viewed,
configurations can be changed

install package from updates_testing

restart webmin

[root@localhost wilcal]# urpmi webmin
Package webmin-1.680-1.mga3.noarch is already installed

Webmin opens at Port:10000. Data can be viewed,
configurations can be changed

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm

Comment 5 William Kenney 2014-03-14 15:21:28 CET
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
webmin

default install of package

[root@localhost wilcal]# urpmi webmin
Package webmin-1.660-2.mga4.noarch is already installed

Webmin opens at Port:10000. Data can be viewed,
configurations can be changed

install package from updates_testing

restart webmin

[root@localhost wilcal]# urpmi webmin
Package webmin-1.680-1.mga4.noarch is already installed

Webmin opens at Port:10000. Data can be viewed,
configurations can be changed

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm

Comment 6 William Kenney 2014-03-14 15:34:53 CET
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
webmin

default install of package

[root@localhost wilcal]# urpmi webmin
Package webmin-1.660-2.mga4.noarch is already installed

Webmin opens at Port:10000. Data can be viewed,
configurations can be changed

install package from updates_testing

restart webmin

[root@localhost wilcal]# urpmi webmin
Package webmin-1.680-1.mga4.noarch is already installed

Webmin opens at Port:10000. Data can be viewed,
configurations can be changed

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm

Comment 7 William Kenney 2014-03-14 15:35:46 CET
Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates?
Thanks

Comment 8 Rémi Verschelde 2014-03-14 23:04:09 CET
Advisory uploaded.

Comment 9 Thomas Backlund 2014-03-15 17:37:03 CET
Update pushed:
http://advisories.mageia.org/MGASA-2014-0132.html
