Upstream has released version 1.680 today (March 13). The official release announcement and changelog haven't been posted yet.

Looking at the git commit log, it looks like there are multiple security fixes related to log viewing, including an XSS issue, and an issue that allows someone to view any file on the server system.

I'll post an advisory once the upstream changelog is available.

The Mageia 3 update will also fix the two issues reported in Bug 10713.

Updated packages in core/updates_testing:
========================
webmin-1.680-1.mga3
webmin-1.680-1.mga4

from SRPMS:
webmin-1.680-1.mga3.src.rpm
webmin-1.680-1.mga4.src.rpm
Blocks: (none) => 10713
Whiteboard: (none) => MGA3TOO
Git commit log: https://github.com/webmin/webmin/commits/master
Upstream changelog page: http://www.webmin.com/changes.html
In VirtualBox, M3, KDE, 32-bit

Package(s) under test:
webmin

default install of package

[root@localhost wilcal]# urpmi webmin
Package webmin-1.620-3.mga3.noarch is already installed

Webmin opens at Port:10000. Data can be viewed, configurations can be changed

install package from updates_testing
restart webmin

[root@localhost wilcal]# urpmi webmin
Package webmin-1.680-1.mga3.noarch is already installed

Webmin opens at Port:10000. Data can be viewed, configurations can be changed

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
CC: (none) => wilcal.int
Whiteboard: MGA3TOO => MGA3TOO MGA3-32-OK
The upstream changelog is posted.

Advisory:
========================

Updated webmin package fixes security vulnerabilities:

Webmin has been updated to version 1.680, which fixes some security issues in the PHP Configuration and Webalizer modules, as well as several other bugs.

References:
http://www.webmin.com/changes.html
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
webmin

default install of package

[root@localhost wilcal]# urpmi webmin
Package webmin-1.620-3.mga3.noarch is already installed

Webmin opens at Port:10000. Data can be viewed, configurations can be changed

install package from updates_testing
restart webmin

[root@localhost wilcal]# urpmi webmin
Package webmin-1.680-1.mga3.noarch is already installed

Webmin opens at Port:10000. Data can be viewed, configurations can be changed

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
Whiteboard: MGA3TOO MGA3-32-OK => MGA3TOO MGA3-32-OK MGA3-64-OK
In VirtualBox, M4, KDE, 32-bit

Package(s) under test:
webmin

default install of package

[root@localhost wilcal]# urpmi webmin
Package webmin-1.660-2.mga4.noarch is already installed

Webmin opens at Port:10000. Data can be viewed, configurations can be changed

install package from updates_testing
restart webmin

[root@localhost wilcal]# urpmi webmin
Package webmin-1.680-1.mga4.noarch is already installed

Webmin opens at Port:10000. Data can be viewed, configurations can be changed

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
webmin

default install of package

[root@localhost wilcal]# urpmi webmin
Package webmin-1.660-2.mga4.noarch is already installed

Webmin opens at Port:10000. Data can be viewed, configurations can be changed

install package from updates_testing
restart webmin

[root@localhost wilcal]# urpmi webmin
Package webmin-1.680-1.mga4.noarch is already installed

Webmin opens at Port:10000. Data can be viewed, configurations can be changed

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
VirtualBox 4.3.6-1.mga4.x86_64.rpm
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit

Validating the update.
Could someone from the sysadmin team push this to updates?
Thanks
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory uploaded.
CC: (none) => remi
Whiteboard: MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK advisory
Update pushed: http://advisories.mageia.org/MGASA-2014-0132.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/590906/