Bug 438182 - New ebuild: app-admin/webmin-1.600 (upstream fixes multiple vulnerabilities)
Summary: New ebuild: app-admin/webmin-1.600 (upstream fixes multiple vulnerabilities)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: Highest enhancement
Assignee: Markos Chandras (RETIRED)
URL: http://www.kb.cert.org/vuls/id/788478
Whiteboard:
Keywords: EBUILD
Depends on:
Blocks: CVE-2012-2981
Reported: 2012-10-12 22:51 UTC by PhobosK
Modified: 2012-10-14 09:52 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
The new webmin-1.600.ebuild (webmin-1.600.ebuild, 8.72 KB, text/plain), 2012-10-12 22:51 UTC, PhobosK

Description PhobosK 2012-10-12 22:51:55 UTC
Created attachment 326414
The new webmin-1.600.ebuild

There is a new upstream version of Webmin - 1.600.
The version fixes multiple vulnerabilities (see http://www.kb.cert.org/vuls/id/788478) and introduces some new features and translations. For a full Changelog see http://www.webmin.com/changes.html


The new ebuild adds a forced net-dns/dnssec-tools dependency for security and Gentoo compliance installation reasons.
Nothing in the setup/install script/procedure has been changed.


NOTES: 
1. The new upstream 1.600 version closes the CVE-2012-2981, CVE-2012-2982 and CVE-2012-2983 vulnerabilities. So probably all Webmin versions prior to 1.600 should be removed from the Gentoo tree.
2. The reported CVE-2012-4893 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4893) is not an actual vulnerability but a Webmin feature. The install procedure of Webmin (incl. the one used by the ebuild(s)) by default forces the option "referers_none=1" in /etc/webmin/config, which doesn't allow any cross-site request forgery (CSRF) exploits without the user being informed and without his explicit consent to allow it.
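As an added example (not part of the bug report, the ebuild, or Webmin itself), a small audit script for the two points PhobosK raises above: that the installed Webmin is at least 1.600, the release that closed CVE-2012-2981, CVE-2012-2982 and CVE-2012-2983, and that referers_none=1 is set in /etc/webmin/config so the referer check is enforced. The sample version string and config text are constructed; that Webmin records its version in /etc/webmin/version, and that the config file is plain key=value lines with '#' comments, are assumptions.

```python
"""Audit a Webmin installation for the two points made in the bug report:
the installed version is at least 1.600 (the release that closed
CVE-2012-2981, -2982 and -2983) and /etc/webmin/config carries
referers_none=1 (the referer check that refuses cross-site requests).

Added example, not code from the bug report or the ebuild. Assumptions:
the version string lives in /etc/webmin/version, and the config file is
plain key=value lines with '#' comments. Sample inputs are constructed."""

import re
from pathlib import Path

FIXED_VERSION = (1, 600)  # first upstream release with the CVE fixes (from the bug report)
CONFIG_PATH = Path("/etc/webmin/config")
VERSION_PATH = Path("/etc/webmin/version")  # assumption: where Webmin records its version


def parse_webmin_config(text: str) -> dict:
    """Parse key=value lines; blank lines, comments and malformed lines are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def parse_version(text: str) -> tuple:
    """'1.600' -> (1, 600). Each dotted component is compared as an integer, and
    a Gentoo revision suffix such as '1.600-r1' is tolerated (leading digits only)."""
    parts = []
    for p in text.strip().split("."):
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_is_fixed(version: str) -> bool:
    return parse_version(version) >= FIXED_VERSION


def referer_check_enabled(cfg: dict) -> bool:
    """The bug report: the install forces referers_none=1, so CSRF-style
    cross-site requests are refused unless the user explicitly allows them."""
    return cfg.get("referers_none") == "1"


def audit(version_text: str, config_text: str) -> list:
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if not version_is_fixed(version_text):
        findings.append(
            f"Webmin {version_text.strip()} predates 1.600: "
            "CVE-2012-2981/2982/2983 unfixed")
    cfg = parse_webmin_config(config_text)
    if not referer_check_enabled(cfg):
        findings.append(
            f"referers_none={cfg.get('referers_none', '<unset>')}: "
            "referer check not enforced, CSRF protection off")
    return findings


# Constructed sample inputs (not taken from a real system).
SAMPLE_VULNERABLE_VERSION = "1.590\n"
SAMPLE_VULNERABLE_CONFIG = """\
# Webmin configuration (constructed sample)
os_type=gentoo-linux
referers_none=0
theme=gray-theme
"""
SAMPLE_FIXED_VERSION = "1.600\n"
SAMPLE_FIXED_CONFIG = """\
os_type=gentoo-linux
referers_none=1
"""

if __name__ == "__main__":
    # Audit the live host if the files exist, otherwise the constructed samples.
    if VERSION_PATH.exists() and CONFIG_PATH.exists():
        findings = audit(VERSION_PATH.read_text(), CONFIG_PATH.read_text())
    else:
        findings = audit(SAMPLE_VULNERABLE_VERSION, SAMPLE_VULNERABLE_CONFIG)
    for f in findings:
        print("FAIL:", f)
    if not findings:
        print("OK: Webmin >= 1.600 and referer check enforced")
```

Run as root on the Webmin host; with no findings both conditions from the report hold, and each FAIL line names which one does not. The version is compared component by component as integers rather than as a string, so that 1.600 sorts after 1.590.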
Comment 1 Markos Chandras (RETIRED) gentoo-dev 2012-10-14 09:52:55 UTC
+*webmin-1.600 (14 Oct 2012)
+
+  14 Oct 2012; Markos Chandras <hwoarang@gentoo.org> +webmin-1.600.ebuild:
+  Version bump. Thanks to PhobosK <phobosk@fastmail.fm>. Bug #438182
+
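Review bot: The ChangeLog entry records this only as "Version bump", although the report's point is that 1.600 closes CVE-2012-2981, CVE-2012-2982 and CVE-2012-2983; naming the security fix in the entry, and stating whether the pre-1.600 ebuilds the reporter suggests dropping were removed, would make the record useful to anyone auditing the tree later.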