+++ This bug was initially created as a clone of Bug #14931 +++

The release announcement and changelog for webmin 1.730 and usermin/usermin-webmail 1.640 have these statements, respectively:

"This update includes security fixes to produce against malicious links in the Read Mail module"

"All operations on user mailboxes are now performed with the permissions of the user, to prevent attacks using malicious symlinks."

Updates have been built for Mageia 4. The webmin update was handled in Bug 14931.

For usermin and usermin-webmail, issues were found while testing the updates:
https://bugs.mageia.org/show_bug.cgi?id=14931#c3

This was the first attempt to update these packages, which have been unmaintained since they were imported into Mageia. They need some more work.
Source RPM: webmin, usermin, usermin-webmail => usermin, usermin-webmail
CVE request: http://openwall.com/lists/oss-security/2015/01/19/3
CVE-2015-1377 has been assigned: http://openwall.com/lists/oss-security/2015/01/27/16
Summary: usermin, usermin-webmail new security issue fixed upstream in 1.640 => usermin, usermin-webmail new security issue fixed upstream in 1.640 (CVE-2015-1377)
The updates_testing builds have been updated to 1.650.

usermin-1.650-1.mga4
usermin-webmail-1.650-1.mga4
Tested on mga4 32bit

Installed webmin-1.730-1.mga4 and usermin-1.500-4.mga4. Webmin was working on https://localhost:10000/ and usermin was not available on https://localhost:20000/, as expected.

Interestingly enough, once I upgraded usermin-1.650-1.mga4 this switched: webmin on port 10000 was no longer available and usermin on 20000 was up and running. The install didn't show webmin being removed, however it seems to be.

sudo urpmi usermin-1.650-1.mga4
rsync://mirrors.kernel.org/mirrors/mageia/distrib/4/i586/media/core/updates_testing/usermin-1.650-1.mga4.noarch.rpm
installing usermin-1.650-1.mga4.noarch.rpm from /var/cache/urpmi/rpms
Preparing... #############################################
1/1: usermin #############################################
1/1: removing usermin-1.500-4.mga4.noarch
#############################################

However, removing usermin and then trying to install webmin, which should have been installed, it reinstalled webmin.

urpmi webmin
rsync://mirrors.kernel.org/mirrors/mageia/distrib/4/i586/media/core/updates/webmin-1.730-1.mga4.noarch.rpm
installing webmin-1.730-1.mga4.noarch.rpm from /var/cache/urpmi/rpms
Preparing... #############################################
1/1: webmin #############################################
webmin.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig --no-reload --no-redirect webmin on

This happened too when installing webmail. webmin was uninstalled and webmail came up on port 20000, but with errors.

quota::list_system_info failed : Undefined subroutine &quota::user_filesystems called at /usr/share/usermin/quota/system_info.pl line 11.
With only a couple of weeks remaining in Mageia 4's lifetime, we don't have time to fix this and test it. This package has been dropped and no longer exists in Mageia as of Mageia 5. Closing this as OLD.
Resolution: (none) => OLD
Status: NEW => RESOLVED