Webmin is vulnerable to remote code execution in versions from 1.882 to 1.921, due to an intrusion in the developers' previous build server. Details are in a recent article in TheRegister [1]. According to the article, if webmin is configured with Webmin Configuration -> Authentication -> Password expiry policy set to "Prompt users with expired passwords to enter a new one", the system is vulnerable to remote code execution. The bug is fixed in version 1.930, which also fixes an XSS bug. How you should test this I have no idea.

[1] https://www.theregister.co.uk/2019/08/19/webmin_project_zero_day_patch/
Add CVE reference
QA Contact: (none) => security
Component: RPM Packages => Security
CVE: (none) => CVE-2019-15107
Webmin has no registered maintainer, so assigning globally, CC'ing DavidW.
Assignee: bugsquad => pkg-bugs
CC: (none) => luigiwalser
Advisory:
========================

Updated webmin package fixes security vulnerability:

Webmin before 1.930 allows remote exploits if the option to change expired passwords is enabled (CVE-2019-15107).

Note that it is only vulnerable if changing of expired passwords is enabled, which is not the case by default.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15107
http://www.webmin.com/security.html
http://www.webmin.com/changes.html
========================

Updated packages in core/updates_testing:
========================
webmin-1.930-1.mga7

from webmin-1.930-1.mga7.src.rpm
Summary: CVE-2019-15107: Webmin 1.882 to 1.921 have command injection vulnerability in certain configuration setups => webmin 1.882 to 1.921 new command injection vulnerability (CVE-2019-15107)
Assignee: pkg-bugs => qa-bugs
In VirtualBox, M7, Plasma, 64-bit

Package(s) under test: webmin

default install of package

[root@localhost wilcal]# uname -a
Linux localhost 5.2.7-desktop-1.mga7 #1 SMP Wed Aug 7 10:32:19 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost wilcal]# urpmi webmin
Package webmin-1.910-1.mga7.noarch is already installed

Webmin works

install webmin from updates_testing

[root@localhost wilcal]# uname -a
Linux localhost 5.2.7-desktop-1.mga7 #1 SMP Wed Aug 7 10:32:19 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost wilcal]# urpmi webmin
Package webmin-1.930-1.mga7.noarch is already installed

Webmin works fine

This is a noarch package so 32-bit testing is not necessary
CC: (none) => wilcal.int
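The report above states two conditions for exposure to CVE-2019-15107: a package version in the 1.882 to 1.921 range (fixed in 1.930) and the password expiry policy set to prompt users for a new password. The following script is an added example, not part of this bug report or of the Webmin or Mageia packages, that turns those two conditions into an offline check a sysadmin can run over the `rpm -q webmin` output and the miniserv.conf text of a host. It assumes that the expiry policy option is stored as the `passwd_mode` key in miniserv.conf and that the value `2` corresponds to "prompt users with expired passwords to enter a new one"; neither detail is on this page, so verify them against your installation before relying on the result. The sample inputs are constructed.

```python
import re

# Version bounds taken from the bug report: affected 1.882..1.921, fixed in 1.930.
FIRST_AFFECTED = (1, 882)
LAST_AFFECTED = (1, 921)
FIXED_IN = (1, 930)

# Constructed sample inputs (not captured from a real host).
SAMPLE_RPM_Q = "webmin-1.910-1.mga7.noarch"
SAMPLE_MINISERV_CONF = """\
port=10000
ssl=1
# assumed key for Webmin Configuration -> Authentication -> Password expiry policy
passwd_mode=2
"""


def parse_webmin_version(rpm_name):
    """Return (major, minor) from an rpm -q style name such as webmin-1.910-1.mga7.noarch."""
    m = re.match(r"webmin-(\d+)\.(\d+)-", rpm_name)
    if not m:
        raise ValueError("not a webmin package name: %r" % rpm_name)
    return (int(m.group(1)), int(m.group(2)))


def version_affected(version):
    """True when the version lies in the range the report names as vulnerable."""
    return FIRST_AFFECTED <= version <= LAST_AFFECTED


def parse_miniserv_conf(text):
    """Parse the key=value lines of a miniserv.conf, skipping blanks and comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def expired_password_change_enabled(conf):
    """Assumption: passwd_mode=2 is the 'prompt users with expired passwords' policy."""
    return conf.get("passwd_mode") == "2"


def assess(rpm_name, conf_text):
    """Classify a host as 'patched', 'vulnerable', 'affected-but-option-off' or 'unlisted-version'."""
    version = parse_webmin_version(rpm_name)
    conf = parse_miniserv_conf(conf_text)
    if version >= FIXED_IN:
        return "patched"
    if not version_affected(version):
        return "unlisted-version"
    if expired_password_change_enabled(conf):
        return "vulnerable"
    return "affected-but-option-off"


if __name__ == "__main__":
    # On a real host: rpm_name = output of `rpm -q webmin`,
    # conf_text = contents of /etc/webmin/miniserv.conf.
    print(SAMPLE_RPM_Q, "->", assess(SAMPLE_RPM_Q, SAMPLE_MINISERV_CONF))
```

The version comparison is done on (major, minor) tuples rather than on the float-looking string, so 1.910 sorts correctly before 1.930. A result of "affected-but-option-off" still calls for the update: the advisory notes the option is off by default, but the fix in 1.930 also covers CVE-2019-15231, which the option check says nothing about.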
Whiteboard: (none) => MGA7-64-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0237.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
This update also fixed an apparently related issue, CVE-2019-15231: http://www.webmin.com/security.html
Summary: webmin 1.882 to 1.921 new command injection vulnerability (CVE-2019-15107) => webmin 1.882 to 1.921 new command injection vulnerability (CVE-2019-15107, CVE-2019-15231)