The release announcement and changelog for webmin 1.730 and usermin/usermin-webmail 1.640 have these statements, respectively: "This update includes security fixes to produce against malicious links in the Read Mail module" "All operations on user mailboxes are now performed with the permissions of the user, to prevent attacks using malicious symlinks." Updates are committed to Mageia 4 and Cauldron SVN. Freeze push requested for Cauldron. Reproducible: Steps to Reproduce:
References: http://www.webmin.com/ http://www.webmin.com/changes.html
Summary: webmin, usermin, usermin-webmail => webmin, usermin, usermin-webmail new security issue fixed upstream
Updated packages uploaded for Mageia 4 and Cauldron. Advisory: ======================== Updated webmin, usermin, usermin-webmail packages fix security vulnerability: The webmin package has been updated to version 1.730, and the usermin and usermin-webmail packages have been updated to version 1.640, to fix possible security issues that could be caused by malicious symlinks when reading mail. The updated versions also have various bug fixes, translation updates, and functionality improvements. See the upstream release announcements and change log for more information. References: http://www.webmin.com/ http://www.webmin.com/changes.html ======================== Updated packages in core/updates_testing: ======================== webmin-1.730-1.mga4 usermin-1.640-1.mga4 usermin-webmail-1.640-1.mga4 from SRPMS: webmin-1.730-1.mga4.src.rpm usermin-1.640-1.mga4.src.rpm usermin-webmail-1.640-1.mga4.src.rpm
Assignee: bugsquad => qa-bugs
Tested on mga4 32bit Notes for those testing: webmin url https://localhost:10000 Both usermin and usermin-webmail can be found at https://localhost:20000 To manage usermin you can use webmin and refresh the modules. Webmin -> Usermin Configuration Not used usermin or usermin-webmail before but they seem mutually exclusive. webmin upgraded without error. Poked around and didn't see any issues. This package seems ok. usermin only worked when usermin-1.500-4.mga4 was installed first and then upgraded to 1.640-1. When installing usermin, either version, without a previous version being installed, it was unusable as /etc/usermin/ only had a single file, uninstall.sh. If you upgrade it usermin it installed properly and worked. usermin-webmail worked on first install however after testing usermin further usermin-webmail now throws an error when accessing :20000 "quota::list_system_info failed : Undefined subroutine "a::user_filesystems called at /usr/share/usermin/quota/system_info.pl line 11. " Maybe I am testing usermin and usermin-webmail incorrectly here but they both seem to be giving me issues.
CC: (none) => dpremy
Blocks: (none) => 14951
Thanks David. There is some strange stuff in the post scriplets of the usermin and usermin-webmail packages and my immediate impression is that these packages need some work. They have been unmaintained since they were initially imported into Mageia, and this is the first attempt to update them. I have dropped them from Cauldron and moved them to Bug 14951 for this update. This bug is now only for webmin. Advisory: ======================== Updated webmin package fixes security vulnerability: The webmin package has been updated to version 1.730 to fix possible security issues that could be caused by malicious symlinks when reading mail. The updated version also has various bug fixes, translation updates, and functionality improvements. See the upstream release announcements and change log for more information. References: http://www.webmin.com/ http://www.webmin.com/changes.html ======================== Updated packages in core/updates_testing: ======================== webmin-1.730-1.mga4 from SRPMS: webmin-1.730-1.mga4.src.rpm
Summary: webmin, usermin, usermin-webmail new security issue fixed upstream => webmin new security issue fixed upstream in 1.730Source RPM: webmin, usermin, usermin-webmail => webmin
Tested on MGA4 32 and 64, now that usermin and usermin-webmail are removed I'll mark this ok, but I have two notes below. I've noticed that the new theme, "Gray Framed Theme", has two issues that I don't see in the webmin big list yet. Both a superficial, but I've noticed it on mga4 32 and 64. First the menu icons are green until clicked, then move to the gray variant they should be. In the source of the pages all images load with images/closed.gif. After being clicked toggleview() uses images/gray-closed.gif. The second is that in the theme list the "Gray Framed Theme" is listed twice. I think these are upstream issues so I am going to mark this ok unless someone else feels this shouldn't be pushed. All other features I've looked at are all functional as expected.
Whiteboard: (none) => mga4-32-ok mga4-64-ok
The theme issues aren't surprising, especially the being listed twice, since the blue theme was removed but is actually still there, but it's really just a copy of the gray theme, so it's called blue_theme but the text for it all says Gray. Anyway, if the issues aren't serious, it's OK to OK it, but it would be worth reporting the issues upstream.
In VirtualBox, M4, KDE, 32-bit Package(s) under test: webmin default install of webmin [root@localhost wilcal]# urpmi webmin Package webmin-1.690-1.mga4.noarch is already installed https://localhost:10000/ opens and works Hardware -> Partitions on Local Disks works Servers -> Apache Webserver works Servers -> ProFTPD works Networking -> Network Configuration -> Network Interfaces works System -> Running Processes works install webmin from updates_testing Stop, then restart webmin [root@localhost wilcal]# urpmi webmin Package webmin-1.730-1.mga4.noarch is already installed https://localhost:10000/ opens and works Hardware -> Partitions on Local Disks works Servers -> Apache Webserver works Servers -> ProFTPD works Networking -> Network Configuration -> Network Interfaces works System -> Running Processes works Ya, background looks different but if anything it looks better. Test platform: Intel Core i7-2600K Sandy Bridge 3.4GHz GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB RTL8111/8168B PCI Express 1Gbit Ethernet DRAM 16GB (4 x 4GB) Mageia 4 64-bit, Nvidia driver virtualbox-4.3.10-1.1.mga4.x86_64 virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
CC: (none) => wilcal.int
In VirtualBox, M4, KDE, 64-bit Package(s) under test: webmin default install of webmin [root@localhost wilcal]# urpmi webmin Package webmin-1.690-1.mga4.noarch is already installed https://localhost:10000/ opens and works Hardware -> Partitions on Local Disks works Servers -> Apache Webserver works Servers -> ProFTPD works Networking -> Network Configuration -> Network Interfaces works System -> Running Processes works install webmin from updates_testing Stop, then restart webmin [root@localhost wilcal]# urpmi webmin Package webmin-1.730-1.mga4.noarch is already installed https://localhost:10000/ opens and works Hardware -> Partitions on Local Disks works Servers -> Apache Webserver works Servers -> ProFTPD works Networking -> Network Configuration -> Network Interfaces works System -> Running Processes works Looks good. Test platform: Intel Core i7-2600K Sandy Bridge 3.4GHz GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB RTL8111/8168B PCI Express 1Gbit Ethernet DRAM 16GB (4 x 4GB) Mageia 4 64-bit, Nvidia driver virtualbox-4.3.10-1.1.mga4.x86_64 virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
This update looks fine to me. All my installs include webmin. This is a big and multifaceted package so I'll wait 24-hours to validate it. Unless David Remy feels it's good to go and validates it ASAP. Enjoy.
Validating. Advisory from comment 4 uploaded. Please push to 4 updates Thanks
Whiteboard: mga4-32-ok mga4-64-ok => has_procedure advisory mga4-32-ok mga4-64-okCC: (none) => sysadmin-bugsKeywords: (none) => validated_update
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0007.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED
URL: (none) => http://lwn.net/Vulnerabilities/628704/
CVE request: http://openwall.com/lists/oss-security/2015/01/19/3
CVE-2015-1377 has been assigned: http://openwall.com/lists/oss-security/2015/01/27/16 Updated advisory below. Please update in SVN. Thanks :D Advisory: ======================== Updated webmin package fixes security vulnerability: The webmin package has been updated to version 1.730 to fix possible security issues that could be caused by malicious symlinks when reading mail (CVE-2015-1377). The updated version also has various bug fixes, translation updates, and functionality improvements. See the upstream release announcements and change log for more information. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1377 http://www.webmin.com/ http://www.webmin.com/changes.html http://openwall.com/lists/oss-security/2015/01/27/16
Summary: webmin new security issue fixed upstream in 1.730 => webmin new security issue fixed upstream in 1.730 (CVE-2015-1377)