Created attachment 338134 [details, diff] webmin-1.620.ebuild There is a new upstream version of Webmin - 1.620 with a lot of bugfixes and important security updates one of which is: "Fixed an XSS attack in miniserv error messages, and added an option to disable SSL compression to defeat the BEAST attack." So here are the 1.620 ebuild changes: 1. In order to tighten the security of Webmin on Gentoo I had forcibly disabled SSL compression for new installs and for already existing ones that doesn't have any "no_sslcompression" option state. 2. Since this new option ("no_sslcompression") in /etc/miniserv.conf is not recognized at all in the old Webmin versions and they do not have any problem with it, I have put that forcibly in the "gentoo-setup" script, so it is changed too. 3. The addition of the install mode/type in the "install-type" file which is needed when an upgrade of Webmin is done from within the application. We should have in mind that the upgrade process from within Webmin is still buggy in Gentoo, but I am working with the upstream author to fix this issue. Since the above changes are needed in the older ebuilds (that are in the portage tree) too, I am uploading new revisions of them also, so I do not open separate bugs for all of them. Actually you may delete all old revisions of Webmin in portage since as you know every minor upstream release is actually a bugfix release, and since we have in portage 1.600 and 1.610 the latest 1.620 fixes any previous bugs. Thanks.
Created attachment 338136 [details, diff] gentoo-setup Minor edits in the setup script so BEAST attacks are mitigated
Created attachment 338138 [details, diff] webmin-1.600-r2.ebuild The webmin-1.600-r2.ebuild with a small install-type fix. This is if you decide to keep the Webmin 1.600 in portage
Created attachment 338140 [details, diff] webmin-1.610-r1.ebuild A minor fix for the install-type. This is if you decide to keep the Webmin 1.610 in portage.
You confused me a little bit. You said that "2. Since this new option ("no_sslcompression") in /etc/miniserv.conf is not recognized at all in the old Webmin versions and they do not have any problem with it, I have put that forcibly in the "gentoo-setup" script, so it is changed too." and then "Since the above changes are needed in the older ebuilds (that are in the portage tree) too, I am uploading new revisions of them also, so I do not open separate bugs for all of them." I am fine with deleting all the webmin ebuilds but 1.620 by the way.
Well sorry my fault for the misconfusion... Actually only change 3 is needed in the older ebuilds. I just wanted to say that 1 and 2 do not mess up with the older versions, so the gentoo-setup script changes are totally сафе :)
Sorry for the last word in Cyrillic... Bad keyboard ;) === Cyrillic fix === Well sorry my fault for the confusion... Actually only change 3 is needed in the older ebuilds. I just wanted to say that 1 and 2 do not mess up with the older versions, so the gentoo-setup script changes are totally safe for the old ebuilds/versions of the app :)
+*webmin-1.620 (06 Feb 2013) + + 06 Feb 2013; Markos Chandras <hwoarang@gentoo.org> +webmin-1.620.ebuild, + -files/webmin-1.600-SA51201.patch, -webmin-1.600-r1.ebuild, + -webmin-1.610.ebuild, files/gentoo-setup: + Version bump. Drop old ebuilds. Bug #455898. Thanks to PhobosK + <phobosk@fastmail.fm> +
