Bug 20085 - webmin new security issue fixed upstream in 1.801
Summary: webmin new security issue fixed upstream in 1.801
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://lwn.net/Vulnerabilities/711587/
Whiteboard: MGA5-32-OK advisory MGA5-64-OK
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2017-01-08 02:29 CET by David Walser
Modified: 2017-01-15 00:05 CET

See Also:
Source RPM: webmin-1.760-1.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2017-01-08 02:29:57 CET
The webmin site says that a security issue in the Authentic theme was fixed in 1.801 (and possibly 1.810):
http://www.webmin.com/
http://www.webmin.com/changes.html

Update to 1.831 checked into Mageia 5 SVN (pending freeze push in Cauldron).
Comment 1 David Walser 2017-01-08 16:03:08 CET
Advisory:
========================

Updated webmin package fixes security vulnerability:

The webmin package has been updated to version 1.831, fixing possible security
issues in the Authentic theme (fixed in 1.801 and/or 1.810), and containing
several other bug fixes and enhancements.  See the upstream release
announcements and change log for details.

References:
http://www.webmin.com/
http://www.webmin.com/changes.html
========================

Updated packages in core/updates_testing:
========================
webmin-1.831-1.mga5

from webmin-1.831-1.mga5.src.rpm

Assignee: bugsquad => qa-bugs

Comment 2 Herman Viaene 2017-01-10 11:58:17 CET
MGA5-32 on AcerD620 Xfce
No installation issues
At the CLI I got:
$ webmin 
Starting webmin (via systemctl):                                                                    [  OK  ]
Installation problem. Please reinstall.

Started webmin from https://localhost:10000/ and could log in. Used it to look at System modules, mysql and apache server. All looks well.

Whiteboard: (none) => MGA5-32-OK
CC: (none) => herman.viaene

Lewis Smith 2017-01-11 10:19:16 CET

CC: (none) => lewyssmith
Whiteboard: MGA5-32-OK => MGA5-32-OK advisory

Comment 3 Lewis Smith 2017-01-11 11:57:18 CET
Testing Mageia 5 x64

BEFORE the update: webmin-1.760-1.mga5
 # webmin
 Starting webmin (via systemctl):                              [ OK ]
 Launching `/usr/bin/www-browser' with param `https://localhost:10000/'

was not immediately successful. It launched Firefox which complained on several fronts: first that it had not been used for some time - untrue! - and wanting to refresh itself; mystery. Then "Your connection is not safe" "The owner of localhost has configured its website incorrectly. To prevent your details from being stolen, Firefox has not connected to the website".
'Advanced' shows:
"localhost:10000 uses an invalid security certificate.
The certificate is not trusted because it is self-signed. The certificate is only valid for *
Error code: SEC_ERROR_UNKNOWN_ISSUER"

With trepidation for the future, hoping it will not have wider implications, I permitted this exception (as invited to), and ended up with the Webmin login screen. What to enter? Normal user/PW failed, 'root'/PW worked. The entry screen showed "Webmin version 1.831 is now available, but you are running version 1.760." and looked complete. Logged out, closed Firefox.

AFTER update: webmin-1.831-1.mga5
 https://localhost:10000/
immediately showed the login screen. Logged in as root, added a new user to see & do everything, used that to look around. Impressive application!

Update OK, validating, advisoried already.

Keywords: (none) => validated_update
Whiteboard: MGA5-32-OK advisory => MGA5-32-OK advisory MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2017-01-13 11:33:08 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0017.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

David Walser 2017-01-15 00:05:08 CET

URL: (none) => https://lwn.net/Vulnerabilities/711587/

