Webmin 1.760 has been released today (June 21). The changelog is here: https://github.com/webmin/webmin/commit/41b8d4da9a0874a2d764957ac92146273058515f The security issue, referred to by this comment: "Fixed an XSS bug that allowed xmlrpc.cgi to be abused by a malicious link." was fixed in this commit: https://github.com/webmin/webmin/commit/caea0eee60b70aebc0e3dba11480296f81d99b20 Reproducible: Steps to Reproduce:
Whiteboard: (none) => MGA4TOO
This has been listed on upstream's security page with a CVE: http://www.webmin.com/security.html Updated packages uploaded for Mageia 4, Mageia 5, and Cauldron. Advisory: ======================== Updated webmin package fixes security vulnerability: A malicious website could create links or Javascript referencing the xmlrpc.cgi script, triggered when a user logged into Webmin visits the attacking site (CVE-2015-1990). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1990 http://www.webmin.com/changes.html http://www.webmin.com/security.html ======================== Updated packages in core/updates_testing: ======================== webmin-1.760-1.mga4 webmin-1.760-1.mga5 from SRPMS: webmin-1.760-1.mga4.src.rpm webmin-1.760-1.mga5.src.rpm
Assignee: bugsquad => qa-bugsSummary: webmin new XSS security issue in xmlrpc.cgi fixed upstream in 1.760 => webmin new XSS security issue in xmlrpc.cgi fixed upstream in 1.760 (CVE-2015-1990)
In VirtualBox, M4, KDE, 32-bit Package(s) under test: webmin default install of webmin [root@localhost wilcal]# urpmi webmin Package webmin-1.730-1.mga4.noarch is already installed webmin is accessible at: https://localhost:10000/ I can view the Hardware -> Partitions on Local Disks I can view Servers -> Apache/ProFTPD/SSH I can access webmin and do the same from another M5 system on the LAN at: https://192.168.1.140:10000/ install webmin from updates_testing stop and restart webmin [root@localhost wilcal]# urpmi webmin Package webmin-1.760-1.mga4.noarch is already installed webmin is accessible at: https://localhost:10000/ I can view the Hardware -> Partitions on Local Disks I can view Servers -> Apache/ProFTPD/SSH I can access webmin and do the same from another M5 system on the LAN at: https://192.168.1.140:10000/
CC: (none) => wilcal.intWhiteboard: MGA4TOO => MGA4TOO MGA4-32-OK
In VirtualBox, M4, KDE, 64-bit Package(s) under test: webmin default install of webmin [root@localhost wilcal]# urpmi webmin Package webmin-1.730-1.mga4.noarch is already installed webmin is accessible at: https://localhost:10000/ I can view the Hardware -> Partitions on Local Disks I can view Servers -> Apache/ProFTPD/SSH I can access webmin and do the same from another M5 system on the LAN at: https://192.168.1.142:10000/ install webmin from updates_testing stop and restart webmin [root@localhost wilcal]# urpmi webmin Package webmin-1.760-1.mga4.noarch is already installed webmin is accessible at: https://localhost:10000/ I can view the Hardware -> Partitions on Local Disks I can view Servers -> Apache/ProFTPD/SSH I can access webmin and do the same from another M5 system on the LAN at: https://192.168.1.142:10000/
In VirtualBox, M5, KDE, 32-bit Package(s) under test: webmin default install of webmin [root@localhost wilcal]# urpmi webmin Package webmin-1.730-2.mga5.noarch is already installed webmin is accessible at: https://localhost:10000/ I can view the Hardware -> Partitions on Local Disks I can view Servers -> Apache/ProFTPD/SSH I can access webmin and do the same from another M5 system on the LAN at: https://192.168.1.143:10000/ install webmin from updates_testing stop and restart webmin [root@localhost wilcal]# urpmi webmin Package webmin-1.760-1.mga5.noarch is already installed webmin is accessible at: https://localhost:10000/ I can view the Hardware -> Partitions on Local Disks I can view Servers -> Apache/ProFTPD/SSH I can access webmin and do the same from another M5 system on the LAN at: https://192.168.1.143:10000/
Whiteboard: MGA4TOO MGA4-32-OK => MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK
In VirtualBox, M5, KDE, 64-bit Package(s) under test: webmin default install of webmin [root@localhost wilcal]# urpmi webmin Package webmin-1.730-2.mga5.noarch is already installed webmin is accessible at: https://localhost:10000/ I can view the Hardware -> Partitions on Local Disks I can view Servers -> Apache/ProFTPD/SSH I can access webmin and do the same from another M5 system on the LAN at: https://192.168.1.141:10000/ install webmin from updates_testing stop and restart webmin [root@localhost wilcal]# urpmi webmin Package webmin-1.760-1.mga5.noarch is already installed webmin is accessible at: https://localhost:10000/ I can view the Hardware -> Partitions on Local Disks I can view Servers -> Apache/ProFTPD/SSH I can access webmin and do the same from another M5 system on the LAN at: https://192.168.1.141:10000/
Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK => MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK
This update works fine. Testing complete for MGA4 & MGA5, 32-bit & 64-bit Validating the update. Could someone from the sysadmin team push to updates. Thanks
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: MGA4TOO MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK => MGA4TOO has_procedure advisory MGA4-32-OK MGA4-64-OK MGA5-32-OK MGA5-64-OK
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0344.html
Status: NEW => RESOLVEDResolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/656990/