There are two security vulnerabilities for webmin 1.55 as shipped by Mageia:
http://www.kb.cert.org/vuls/id/788478
http://www.webmin.com/security.html
Webmin 1.600 is available with these bugs fixed. Because of Bug 3444 webmin does not work "out of the box" with Mageia. It would be nice if 3444 could be fixed at the same time as a security update. (The fix is real easy.)
Whiteboard: (none) => MGA1TOO, 3alpha2
This package is unmaintained. If you're interested, perhaps you could take it?
CC: (none) => luigiwalser
Version: 2 => Cauldron
Whiteboard: MGA1TOO, 3alpha2 => MGA2TOO, MGA1TOO, 3alpha2
Sure, I can probably handle a few other unmaintained packages too. How do I go about getting commit rights?
Great. You just need to be mentored by one of the existing packagers. We have an IRC channel #mageia-mentoring on freenode that you can get help in, and you can also announce on the mageia-dev mailing list that you're interested. See these wiki pages for the most pertinent information:
https://wiki.mageia.org/en/Becoming_a_Mageia_Packager
https://wiki.mageia.org/en/Packagers_Howto_start
More references for security issues in Webmin:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2981
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2982
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2983
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4893
http://www.securelist.com/en/advisories/50512
http://secunia.com/advisories/51201/
http://www.webmin.com/security.html
http://www.webmin.com/updates.html
Whiteboard: MGA2TOO, MGA1TOO, 3alpha2 => MGA2TOO, MGA1TOO
Blocks: (none) => 3444
Updated packages uploaded for Mageia 2 and Cauldron. The update has also been checked into Mageia 1 SVN.

Note to QA: I don't see a need to rush to validate this, as this package has been unmaintained and broken since being imported into Mageia, and there are a lot of changes here. The main purpose of this update is to fix it so that it's actually functional, and the security issues are (IMO) secondary. Please test thoroughly, and any other problems we find can also be fixed for Cauldron. See Bug 3444 for a discussion of many of the issues that have been fixed.

Advisory:
========================

Updated webmin package fixes security vulnerabilities:

Multiple XSS, CSRF, and arbitrary code execution vulnerabilities that impact Webmin versions prior to 1.610 (CVE-2012-2981, CVE-2012-2982, CVE-2012-2983, CVE-2012-4893, SA51201).

Additionally, several issues with Webmin module configurations and its usage of urpmi for installing and upgrading packages have been fixed. Modules that are not relevant to Mageia systems have been removed.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2981
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2982
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2983
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4893
http://www.securelist.com/en/advisories/50512
http://secunia.com/advisories/51201/
http://www.webmin.com/security.html
http://www.webmin.com/updates.html
https://bugs.mageia.org/show_bug.cgi?id=3444
========================

Updated packages in core/updates_testing:
========================
webmin-1.610-1.mga2

from webmin-1.610-1.mga2.src.rpm
Assignee: bugsquad => qa-bugs
Version: Cauldron => 2
Whiteboard: MGA2TOO, MGA1TOO => (none)
I used webmin to install openvpn ...
Installing package(s) with command urpmi --force --auto openvpn ..
My understanding is that the use of --force is a really bad idea. WDYT?
CC: (none) => davidwhodgins
It sounds bad Dave, it's misleading really. Taken from the urpmi man page..
--force
Assume yes on all questions.
Yep, as Claire said, webmin can't handle urpmi being interactive, --force prevents that.
Thanks. I had the --force option confused with the --allow-force option.
Just tested in MGA2 x86_64, no errors so far. There are 78 modules activated and all start w/o problems.
CC: (none) => alfred.kretschmer
As per https://forums.mageia.org/en/viewtopic.php?f=7&t=4023&sid=bbe1908c9750c2b1217e62455e0f59a1&p=28890#p28890 Webmin does not work out of the box under Mageia 2 3.3.8-desktop586-2.mga2 (for example, crontab module does not work) and upgrading it to the more current version does not resolve the issue. Details are in the forum post linked above. Summary: I shutdown the Webmin service, enabled the Core/Updates_testing repository, uninstalled Webmin, installed from the repo and disabled the repo. This resolved the issue.
CC: (none) => mark9117
So the version in updates_testing does resolve your issue Mark? Your first sentence said it didn't. Even from reading the forum thread it's not clear if you're reporting that there are still issues or not. PS - the systemctl errors in the forum thread you linked I believe would be solved by running "systemctl daemon-reload" first.
Sorry to seem incoherent. Reporting bugs is not something I do. The Powers That Be at Mageia forums suggested I contribute here, and so here I am. To be clear, the version installed from updates_testing DOES resolve the issue. The version that installed with the OS is broken. That version is, I believe, 1.5.x. This is not the most current version and updating to ver. 1.6.x via the link in Webmin does not resolve the issue. And thank you for clarifying that info about systemctl.
systemctl issue fixed (it needed to call _post_service in %post). Updating advisory.

Advisory:
========================

Updated webmin package fixes security vulnerabilities:

Multiple XSS, CSRF, and arbitrary code execution vulnerabilities that impact Webmin versions prior to 1.610 (CVE-2012-2981, CVE-2012-2982, CVE-2012-2983, CVE-2012-4893, SA51201).

Additionally, several issues with Webmin module configurations and its usage of urpmi for installing and upgrading packages have been fixed. Modules that are not relevant to Mageia systems have been removed. When installed under systemd, the webmin service should now be immediately usable.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2981
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2982
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2983
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4893
http://www.securelist.com/en/advisories/50512
http://secunia.com/advisories/51201/
http://www.webmin.com/security.html
http://www.webmin.com/updates.html
https://bugs.mageia.org/show_bug.cgi?id=3444
========================

Updated packages in core/updates_testing:
========================
webmin-1.610-1.1.mga2

from webmin-1.610-1.1.mga2.src.rpm
Source RPM: (none) => webmin
I have created a new, updated 32-bit Mageia 2 install. I then installed webmin 1.550 successfully. I then enabled updates_testing and then executed an update to webmin 1.610. That was successful. I don't think there's a 64-bit version of webmin.
CC: (none) => wilcal.int
I've updated this again to 1.620, to fix a couple more security issues.

Advisory:
========================

Updated webmin package fixes security vulnerabilities:

Multiple XSS, CSRF, and arbitrary code execution vulnerabilities that impact Webmin versions prior to 1.620 (CVE-2012-2981, CVE-2012-2982, CVE-2012-2983, CVE-2012-4893, SA51201).

Additionally, several issues with Webmin module configurations and its usage of urpmi for installing and upgrading packages have been fixed. Modules that are not relevant to Mageia systems have been removed. When installed under systemd, the webmin service should now be immediately usable.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2981
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2982
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2983
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4893
http://www.securelist.com/en/advisories/50512
http://secunia.com/advisories/51201/
http://www.webmin.com/security.html
http://www.webmin.com/updates.html
https://bugs.mageia.org/show_bug.cgi?id=3444
========================

Updated packages in core/updates_testing:
========================
webmin-1.620-1.mga2

from webmin-1.620-1.mga2.src.rpm
Testing mga2 32

It recognises Mageia now rather than showing a warning. Installed some updates using webmin. It installs each one separately but completes ok.

Tested postgresql module. It's able to initialise the database and start the server ok. Used it in testing postgresql update, bug 8997.

I'll check some other modules before completing i586
The file manager module needs icedtea-web but there is no require for it. Do you want to add one?
Sorry, ignore that. Icedtea-web is required in the browser viewing the server, I'm connecting to localhost.
The 'Perl Modules' module shows installed modules and recommends installing two which it says are used by webmin.

The following Perl modules are recommended for installation by Webmin :
Authen::Libwrap (used by webmin configuration)
IO::Pty (used by Running Processes)

This and the above modules can be found under 'Others'.

SA-Configurator module shows..
The configured ShopAdmin installation directory ../DBAdmin does not exist.

Under Networking => ADSL Client
There is a preconfigured sympatico.ca username. I suspect that is unintended.
All others seem ok. Used it to install and configure a selection of 'Unused modules'.
(In reply to comment #22)
> Under Networking => ADSL Client
>
> There is a preconfigured sympatico.ca username. I suspect that is unintended.

I don't see sympatico anywhere in the source tree. Is that maybe your ISP and it's being automatically filled in?
(In reply to comment #21)
> This and the above modules can be found under 'Others'
>
> SA-Configurator module shows..
>
> The configured ShopAdmin installation directory ../DBAdmin does not exist.

It looks like that'll only work if you have ShopAdmin installed. I have no idea what that is. Probably this thing for shopping carts on websites:
http://apsona.com/pages/ec/sa.html

A little Googling turns up exploits for ShopAdmin too...nice. Anyway, probably not something to worry about.
(In reply to comment #20)
> The 'Perl Modules' module which shows installed and recommends to install two
> which it says are used by webmin.
>
> The following Perl modules are recommended for installation by Webmin :
>
> Authen::Libwrap (used by webmin configuration)
> IO::Pty (used by Running Processes)

Does Webmin give you an easy way to install these when it finds such things?

Grepping the code shows several perl modules that it can optionally use:
Authen::Libwrap, Authen::PAM, Authen::SASL, Authen::SolarisRBAC, BER, Compress::Zlib, Crypt::Eksblowfish::Bcrypt, Crypt::UnixCrypt, DBD::mysql, DBD::Pg, DBI, Digest::MD5, Digest::SHA1, Filesys::Virtual::Plain, GD, HTTP::Headers, HTTP::Request, IO::Pty, IO::Stty, MD5, Module::Build, Mon::Client, NDBM_File, Net::DAV::Server, Net::DNS::SEC::Tools::dnssectools, Net::FTPSSL, Net::IMAP, Net::LDAP, Net::SNMP, Net::SSLeay, Net::XWhois, posix, POSIX, SDBM_File, SNMP_Session, Socket6, Sys::Hostname, Sys::Syslog, Time::HiRes, User::Utmp, Win32::Daemon, XML::Generator, XML::Parser

and probably some others (sometimes there's perl variables in the names that would get substituted in at runtime, not immediately clear what their values would be).
(In reply to comment #24)
> (In reply to comment #22)
> > Under Networking => ADSL Client
> >
> > There is a preconfigured sympatico.ca username. I suspect that is unintended.
>
> I don't see sympatico anywhere in the source tree. Is that maybe your ISP and
> it's being automatically filled in?

Not my ISP, no. It could be some example data but then you'd think it would be in the code somewhere. No idea where it's come from.
How to cross reference perl modules to packages:
https://wiki.mageia.org/en/QA_Tips_and_Tricks#Perl_Modules
(In reply to comment #26)
> (In reply to comment #20)
> > The 'Perl Modules' module which shows installed and recommends to install two
> > which it says are used by webmin.
> >
> > The following Perl modules are recommended for installation by Webmin :
> >
> > Authen::Libwrap (used by webmin configuration)
> > IO::Pty (used by Running Processes)
>
> Does Webmin give you an easy way to install these when it finds such things?

It does, but it downloads them from cpan rather than installing our own packages. It does have an extra step between downloading them and installing, to confirm the installation.

Module names: IO::Tty 1.10, Authen::Libwrap 0.22
Source: http://www.cpan.org/authors/id/T/TO/TODDR/IO-Tty-1.10.tar.gz, http://www.cpan.org/authors/id/D/DM/DMUEY/Authen-Libwrap-0.22.tar.gz
Pre-requisites: Test::More (All installed)

Is it worth adding suggests?
Whiteboard: (none) => feedback
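An added helper, not part of this bug, of Webmin or of Mageia's QA tooling, that checks which of the optional Perl modules listed above a running system can load and maps the missing ones to the Mageia package names a packager would add as Requires or Suggests. The perl-<Dist-Name> naming rule and the two exceptions (IO::Pty ships in perl-IO-Tty, Net::LDAP in perl-ldap) are taken from this bug; the module list is a constructed subset.

```python
import subprocess
from typing import Dict, List, Optional

# Constructed subset of the optional modules grepped out of the Webmin source
# in this thread (the full list is in the comment above).
WEBMIN_OPTIONAL_MODULES: List[str] = [
    "Authen::Libwrap", "Authen::PAM", "Authen::SASL", "IO::Pty",
    "Net::LDAP", "Net::SSLeay", "DBD::mysql", "Digest::SHA1",
]

# Mageia names CPAN distributions perl-<Dist-Name>, e.g. perl-Authen-Libwrap
# and perl-IO-Tty in this bug. A module is not always in the distribution of
# the same name: Webmin itself resolves IO::Pty to IO-Tty, and Net::LDAP is
# provided by perl-ldap (both visible in this bug's QA comments). Partial table.
DIST_EXCEPTIONS: Dict[str, str] = {
    "IO::Pty": "perl-IO-Tty",
    "Net::LDAP": "perl-ldap",
}


def module_to_package(module: str) -> str:
    """Map a Perl module name to the expected Mageia package name."""
    if module in DIST_EXCEPTIONS:
        return DIST_EXCEPTIONS[module]
    return "perl-" + module.replace("::", "-")


def module_installed(module: str) -> Optional[bool]:
    """True/False if perl can be asked to load the module, None if no perl."""
    try:
        proc = subprocess.run(["perl", "-M" + module, "-e", "1"],
                              capture_output=True, check=False)
    except FileNotFoundError:
        return None
    return proc.returncode == 0


def missing_packages(modules: List[str] = WEBMIN_OPTIONAL_MODULES) -> Dict[str, str]:
    """Return {module: package} for modules perl definitely cannot load."""
    result: Dict[str, str] = {}
    for mod in modules:
        if module_installed(mod) is False:
            result[mod] = module_to_package(mod)
    return result


if __name__ == "__main__":
    for mod, pkg in missing_packages().items():
        print(f"{mod}: not loadable, candidate package {pkg}")
```

Run it on the system under test; each line names a module Webmin's 'Perl Modules' page would otherwise offer to fetch from CPAN, with the distribution package to add instead.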
Assigning David until this is ready. Please reassign to QA when you've had a chance to take a look. Thanks!
CC: (none) => qa-bugs
Assignee: qa-bugs => luigiwalser
Whiteboard: feedback => (none)
OK, after looking more closely at the code, I agree that IO::Tty and Authen::Libwrap should be required, but we don't have Authen::Libwrap packaged. Jerome, would you mind importing perl-Authen-Libwrap to Mageia 2 and Cauldron? I've added the require for IO::Tty in SVN, as well as fixing the config file used in the syslog configuration and the OS version detection.
CC: (none) => jquelin
Jerome, just FYI, Sandro volunteered to package Authen::Libwrap on Monday if you don't get to it by then. Thanks.
CC: (none) => cazzaniga.sandro
If jerome can do it faster than me, there's no problem. As I said, I'm encountering some difficulties.
Created attachment 3785: Perl Authen::Libwrap SRPM
I've attached my SRPM of Authen::Libwrap. As I said to jérôme on IRC, the only problem is that you have to hit enter to let the package build, and I'm afraid that it could block the build when we push it.
Oh, I can automate it! Thanks Luigi, I commit it! I let you do the work on webmin.
Thanks Sandro. Freeze pushes have been requested for Cauldron. Now we just need someone to tell us how to import Authen::Libwrap to mga2 :o)
It's in core/updates_testing in mageia 2, I just asked for a new push for cauldron.
OK it's imported, but it (perl-Authen-Libwrap) needs to be deleted from Mageia 2 updates_testing so that it can be resubmitted with the proper release tag (1). Sysadmins, please remove it.
no need to, I synced the release number.
(In reply to Sandro Cazzaniga from comment #40)
> no need to, I synced the release number.

Just to be clear, this still needs removed from mga2/updates_testing. The release tags have been reset to 1 in SVN. Thanks.
OK, perl-Authen-Libwrap has been removed and resubmitted.
OK, fixes pushed to updates_testing. Let's get this released :D

Advisory:
========================

Updated webmin package fixes security vulnerabilities:

Multiple XSS, CSRF, and arbitrary code execution vulnerabilities that impact Webmin versions prior to 1.620 (CVE-2012-2981, CVE-2012-2982, CVE-2012-2983, CVE-2012-4893, SA51201).

Additionally, several issues with Webmin module configurations and its usage of urpmi for installing and upgrading packages have been fixed. Modules that are not relevant to Mageia systems have been removed. When installed under systemd, the webmin service should now be immediately usable. The Authen::Libwrap perl module used by Webmin is also being provided.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2981
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2982
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2983
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4893
http://www.securelist.com/en/advisories/50512
http://secunia.com/advisories/51201/
http://www.webmin.com/security.html
http://www.webmin.com/updates.html
https://bugs.mageia.org/show_bug.cgi?id=3444
========================

Updated packages in core/updates_testing:
========================
perl-Authen-Libwrap-0.220.0-1.mga2
webmin-1.620-1.1.mga2

from SRPMS:
perl-Authen-Libwrap-0.220.0-1.mga2.src.rpm
webmin-1.620-1.1.mga2.src.rpm
CC: qa-bugs => (none)
Assignee: luigiwalser => qa-bugs
Testing complete mga2 32

Confirmed the added requires.

Until bug 2317 is fully tested (tainted/nonfree asap) and urpmi/perl-URPM update (bug 9737) pushed we should still add links.

Perl Modules => Suggested modules, now only shows DBD::mysql which it says is used by 'mysql database server' module but the mysql module seems to work well enough without it.

The following packages will require linking:
perl-Authen-SASL-2.150.0-3.mga1 (Core Release)
perl-Convert-ASN1-0.220.0-2.mga1 (Core Release)
perl-Digest-HMAC-1.30.0-2.mga2 (Core Release)
perl-Digest-SHA1-2.130.0-6.mga2 (Core Release)
perl-IO-Tty-1.100.0-4.mga2 (Core Release)
perl-ldap-0.400.100-4.mga2 (Core Release)
Depends on: (none) => 2317
Whiteboard: (none) => mga2-32-ok
Testing mga2 64
Testing complete mga2 64

Validating. Advisory and SRPM's in comment 43.

The following packages will require linking for bug 2317:
perl-Authen-SASL-2.150.0-3.mga1 (Core Release)
perl-Convert-ASN1-0.220.0-2.mga1 (Core Release)
perl-Digest-HMAC-1.30.0-2.mga2 (Core Release)
perl-Digest-SHA1-2.130.0-6.mga2 (Core Release)
perl-IO-Tty-1.100.0-4.mga2 (Core Release)
perl-ldap-0.400.100-4.mga2 (Core Release)

Could sysadmin please push from core/updates_testing to core/updates and make the links please. Thanks!
Keywords: (none) => validated_update
Whiteboard: mga2-32-ok => mga2-32-ok mga2-64-ok
CC: (none) => sysadmin-bugs
Packages linked and update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0125
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED