Bug 30116 - webmin new security issues CVE-2022-0824 and CVE-2022-0829
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Reported: 2022-03-04 19:13 CET by David Walser
Modified: 2022-03-08 00:11 CET
Source RPM: webmin-1.979-1.1.mga8.src.rpm

Description David Walser 2022-03-04 19:13:45 CET
Webmin 1.990 has been released on March 3, fixing two security issues:
https://www.webmin.com/security.html
https://www.webmin.com/changes.html

Advisory:
========================

Updated webmin package fixes security vulnerabilities:

Less privileged Webmin users who do not have any File Manager module
restrictions configured can access files with root privileges, if using the
default Authentic theme (CVE-2022-0824, CVE-2022-0829).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0824
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0829
https://www.webmin.com/security.html
https://www.webmin.com/changes.html
========================

Updated package in core/updates_testing:
========================
webmin-1.990-1.mga8

from webmin-1.990-1.mga8.src.rpm
Comment 1 Herman Viaene 2022-03-05 20:19:54 CET
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
Checked that webmin was running after installation:
# systemctl -l status webmin
● webmin.service - LSB: Webmin is a remote administration tool using web-browser
     Loaded: loaded (/etc/rc.d/init.d/webmin; generated)
     Active: active (running) since Sat 2022-03-05 19:58:33 CET; 3min 29s ago
       Docs: man:systemd-sysv-generator(8)
   Main PID: 5643 (miniserv.pl)
      Tasks: 1 (limit: 9397)
     Memory: 26.3M
        CPU: 3.643s
     CGroup: /system.slice/webmin.service
             └─5643 /usr/bin/perl /usr/share/webmin/miniserv.pl /etc/webmin/miniserv.conf

mrt 05 19:58:30 mach5.hviaene.thuis systemd[1]: Starting LSB: Webmin is a remote administration tool using web-browser...
mrt 05 19:58:30 mach5.hviaene.thuis webmin[5633]: Starting Webmin
mrt 05 19:58:30 mach5.hviaene.thuis webmin[5639]: Starting Webmin server in /usr/share/webmin
mrt 05 19:58:31 mach5.hviaene.thuis perl[5639]: pam_unix(webmin:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=  user=root
mrt 05 19:58:33 mach5.hviaene.thuis webmin[5639]: Webmin starting
mrt 05 19:58:33 mach5.hviaene.thuis systemd[1]: Started LSB: Webmin is a remote administration tool using web-browser.
mrt 05 19:58:39 mach5.hviaene.thuis systemd[1]: /run/systemd/generator.late/webmin.service:22: PIDFile= references a path below legacy directory /var/run/, updating /var/run/webmin/miniserv.pid → /run/webmin/mini>

Pointed browser to https://localhost:10000/
and opened different modules in the sections System (running processes), Servers (Apache (stopped and started it), Maria DB (opened one and checked presence of tables), Samba), Tools (System and Server status), Networking (Firewall), Hardware (Partitions on local disk, Printer administration).
All opened OK with sensible info.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => herman.viaene

Comment 2 Thomas Andrews 2022-03-06 21:41:22 CET
Validating. Advisory in Comment 0.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

Dave Hodgins 2022-03-07 20:58:43 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 3 Mageia Robot 2022-03-08 00:11:22 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0090.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

