Bug 29137 - webmin new security issue fixed upstream in 1.979
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2021-06-16 01:52 CEST by David Walser
Modified: 2021-07-12 22:27 CEST

See Also:
Source RPM: webmin-1.970-1.mga8.src.rpm
CVE:
Status comment:


Description David Walser 2021-06-16 01:52:33 CEST
Webmin 1.979 has been released on June 13 (and announced today):
https://www.webmin.com/changes.html

It fixes a security issue in the network configuration module.

Mageia 7 is also affected.
David Walser 2021-06-16 01:52:41 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 Lewis Smith 2021-06-17 21:15:47 CEST
We already have in Cauldron versions 1.972, 3, 4
and just, enigmatically: Mon Jun 14 version 0.979 - typo in SVN?

Assigning this to Stig who did them all.

Assignee: bugsquad => smelror

Comment 2 David Walser 2021-06-22 00:55:07 CEST
Advisory:
========================

Updated webmin package fixes security vulnerability:

The webmin package has been updated to version 1.979, which has fixes for
handling un-trusted inputs in the Network Configuration module.

Also, the openvpn module has been updated to version 3.2.

References:
https://www.webmin.com/changes.html
https://www.openit.it/index.php/en/downloads?task=viewcategory&catid=7
========================

Updated packages in core/updates_testing:
========================
webmin-1.979-1.mga7
webmin-1.979-1.mga8

from SRPMS:
webmin-1.979-1.mga7.src.rpm
webmin-1.979-1.mga8.src.rpm

Assignee: smelror => qa-bugs

Comment 3 Dave Hodgins 2021-06-22 03:16:47 CEST
file /usr/share/webmin/blue-theme from install of webmin-1.979-1.mga7.noarch conflicts with file from package webmin-1.960-1.mga7.noarch

CC: (none) => davidwhodgins

Comment 4 Dave Hodgins 2021-06-22 03:34:19 CEST
The update is replacing a directory with a symlink.

https://docs.fedoraproject.org/en-US/packaging-guidelines/Directory_Replacement/#_scriptlet_to_replace_a_directory

Reassigning back to security team.

Assignee: qa-bugs => security

Comment 6 David Walser 2021-06-22 04:37:43 CEST
Technically the security team and packaging team are separate, so you shouldn't assign bugs to it.  Thanks for checking, and I'll fix it later.

Assignee: security => luigiwalser

Comment 7 David Walser 2021-06-24 00:55:44 CEST
Should be fixed in webmin-1.979-1.1

Assignee: luigiwalser => qa-bugs

Comment 8 Herman Viaene 2021-06-26 14:05:25 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Checked different modules, no obvious problems.

CC: (none) => herman.viaene
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK

Comment 9 Herman Viaene 2021-07-12 13:49:04 CEST
MGA-64 Plasma on Lenovo B50
No installation issues.
Checked different modules, no obvious problems.

Whiteboard: MGA7TOO MGA7-64-OK => MGA7TOO MGA7-64-OK MGA8-64-OK

Comment 10 Thomas Andrews 2021-07-12 15:11:45 CEST
Validating. Advisory in Comment 2, except for the revised srpm in Comment 7.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 11 Aurelien Oudelet 2021-07-12 20:56:59 CEST
type: security
subject: Updated webmin package fixes security vulnerability
src:
  7:
   core:
     - webmin-1.979-1.1.mga7
  8:
   core:
     - webmin-1.979-1.1.mga8
description: |
  The webmin package has been updated to version 1.979, which has fixes for
  handling un-trusted inputs in the Network Configuration module.
  
  Also, the openvpn module has been updated to version 3.2.
references:
 - https://bugs.mageia.org/show_bug.cgi?id=29137
 - https://www.webmin.com/changes.html
 - https://www.openit.it/index.php/en/downloads?task=viewcategory&catid=7

Keywords: (none) => advisory
CC: (none) => ouaurelien

Comment 12 Mageia Robot 2021-07-12 22:27:52 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0344.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
