Bug 692740 - app-admin/webmin: backdoors in Webmin
Summary: app-admin/webmin: backdoors in Webmin
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://lwn.net/Articles/796951/, htt...
Whiteboard: ?? [glsa?]
Keywords: PMASKED, PullRequest
Depends on:
Blocks:
 
Reported: 2019-08-22 19:46 UTC by Matthias Maier
Modified: 2020-04-01 19:14 UTC (History)
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Matthias Maier gentoo-dev 2019-08-22 19:46:45 UTC
Security,

The Webmin team announced today [1] that multiple versions of webmin released over the last year had been backdoored due to a compromised development server. Funnily enough, our current version might actually be unaffected because it is unmaintained and hasn't been updated at all in a while.

In any case, I have masked the package in question for removal.

[1] http://www.webmin.com/exploit.html



commit 4936c316116136e7d1813bf0aef96010dea3bd66 (HEAD -> master, origin/master, origin/HEAD)
Author: Matthias Maier <tamiko@gentoo.org>
Date:   Thu Aug 22 14:35:09 2019 -0500

    profiles/package.mask: mask app-admin/webmin for removal
    
    Signed-off-by: Matthias Maier <tamiko@gentoo.org>

# Matthias Maier <tamiko@gentoo.org> (2019-08-22)
# Masked for removal in 30 days. Unmaintained and upstream has released
# backdoored versions for more than a year due to a compromised development
# server, http://www.webmin.com/exploit.html
app-admin/webmin
Comment 1 Jack 2019-08-23 16:26:44 UTC
Looking at their site, they have released version 1.930 and addressed the issue of the compromised versions. There seems to be enough activity not to count it as unmaintained. If the version is bumped, is there really a reason to mask?
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2019-08-23 20:24:58 UTC
Could you please clarify why you think Gentoo is affected? Looks like we were lucky because the package has no maintainer and wasn't updated while upstream was compromised, or do I miss something (we are at v1.881 and the first known compromised release was 1.890, not?)?
Comment 3 Hasan Calisir 2019-08-23 22:51:52 UTC
I can take care of and maintain webmin & virtualmin. I just opened a PR that bumps the version to webmin 1.930 with Virtualmin 6.07 support, with a lot of effort.

But I believe the security team should review my PR first. Then I think the proxy-maint devs should review it.

https://github.com/gentoo/gentoo/pull/12772

The question is which source is more secure now, their git or the webmin & virtualmin servers? Any advice from the security team is welcome.

I also need advice about the old-dated Virtualmin modules. There is no clear information about whether the Virtualmin code is affected or not.
In short: keep them? || remove them?

These modules' last update times are too old (but they are functional) and maybe they fall in the compromised date range.


Sources that I used in the PR:
--------------------------
Webmin             -> from -> https://sourceforge.net/projects/webadmin/
Virtualmin         -> from -> http://download.webmin.com/download/virtualmin/
Virtualmin Modules -> from -> http://software.virtualmin.com/gpl/wbm/
--------------------------

Virtualmin Modules in PR:
-------------------------
virtualmin_awstats           -> last updated 2017-09-22  
virtualmin_git               -> last updated 2018-01-21 
virtualmin_mailman           -> last updated 2018-04-13
virtualmin_dav               -> last updated 2016-02-17 
virtualmin_password_recovery -> last updated 2017-05-12


~Hasan
Proxy Maint
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2019-08-25 10:26:23 UTC
> The question is which source is more secure now, their git or webmin & virtualmin servers? Any advice from security team is welcome.

Hard to answer: at the moment they use codeload.github.com, which is known to produce something similar to `git archive`. Given that, according to upstream's analysis, only their build server was compromised and that they didn't check out from VCS all the time but used cached (and compromised) files instead, relying on GitHub seems to be the better choice, assuming their GitHub repo won't get compromised.

However, once they upload and attach their own archives to releases, this benefit will go away, and you must pay attention when bumping because the URL will be the same; just the redirect will change.
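The caution in the comment above (same SRC_URI, different artifact behind the redirect) is exactly what a Manifest re-check catches: the ebuild pins the size, BLAKE2B and SHA512 of the distfile, so an archive that was swapped server-side fails before it is unpacked. The following is an added example, not code from this bug, from Portage, or from Webmin/Virtualmin. It parses Manifest DIST lines, re-hashes an archive, and flags any pinned field that no longer matches. The Manifest text, the archive contents and the file name `example-1.930.tar.gz` are constructed for the example; a real Manifest is produced with `ebuild <pkg>.ebuild manifest` and lives next to the ebuild.

```python
"""Re-verify a fetched source archive against the hashes pinned in an ebuild's
Manifest. Added example with constructed inputs; not Portage's own code."""
import gzip
import hashlib
import io
import tarfile


def parse_manifest_dist(manifest_text):
    """Parse the DIST lines of a Manifest into {name: {"size": int, ALGO: hex}}.

    A DIST line has the shape
      DIST <file> <size> BLAKE2B <hex> SHA512 <hex>
    Other record types (EBUILD, AUX, MISC) are ignored here.
    """
    entries = {}
    for line in manifest_text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "DIST":
            continue
        name, size = parts[1], int(parts[2])
        hashes = dict(zip(parts[3::2], parts[4::2]))  # pair "ALGO hex" tokens
        entries[name] = {"size": size, **hashes}
    return entries


def digest_archive(data):
    """Size plus the two hash algorithms the current Manifest format pins."""
    return {
        "size": len(data),
        "BLAKE2B": hashlib.blake2b(data).hexdigest(),  # 512-bit, as in Manifest
        "SHA512": hashlib.sha512(data).hexdigest(),
    }


def format_dist_line(name, data):
    """Render a DIST line for an archive that was inspected and decided to pin."""
    d = digest_archive(data)
    return "DIST %s %d BLAKE2B %s SHA512 %s" % (name, d["size"], d["BLAKE2B"], d["SHA512"])


def verify_distfile(manifest_text, name, data):
    """Return (ok, mismatched_fields). Every pinned field must match, and a
    file with no DIST entry fails: an unpinned archive has no known-good state."""
    entries = parse_manifest_dist(manifest_text)
    if name not in entries:
        return False, ["no DIST entry"]
    pinned, actual = entries[name], digest_archive(data)
    bad = [k for k in pinned if str(pinned[k]).lower() != str(actual.get(k, "")).lower()]
    return (not bad), bad


def make_tarball(members):
    """Build a deterministic .tar.gz in memory from {path: bytes} (constructed input).
    mtime is forced to 0 in both the tar headers and the gzip header, so the
    bytes, and hence the hashes, depend only on the members."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w", format=tarfile.GNU_FORMAT) as tar:
        for path in sorted(members):
            info = tarfile.TarInfo(path)
            info.size = len(members[path])
            info.mtime = 0
            tar.addfile(info, io.BytesIO(members[path]))
    return gzip.compress(raw.getvalue(), mtime=0)


def demo():
    """Pin a known-good archive, then check a re-fetch of 'the same file' into
    which one extra member was injected (the constructed stand-in for an
    archive replaced behind an unchanged URL)."""
    name = "example-1.930.tar.gz"  # hypothetical distfile name
    good = make_tarball({"example-1.930/miniserv.pl": b"#!/usr/bin/perl\nprint 'ok';\n"})
    manifest = format_dist_line(name, good)
    ok_good, _ = verify_distfile(manifest, name, good)

    tampered = make_tarball({
        "example-1.930/miniserv.pl": b"#!/usr/bin/perl\nprint 'ok';\n",
        "example-1.930/extra.cgi": b"# injected member, constructed for the example\n",
    })
    ok_bad, fields = verify_distfile(manifest, name, tampered)
    return ok_good, ok_bad, fields


if __name__ == "__main__":
    print(demo())
```

The hash comparison is what matters; it does not care where the redirect now points. When bumping, it is still worth seeing the redirect target explicitly, for instance with `curl -sL -o /dev/null -w '%{url_effective}\n' <SRC_URI>`, so that a switch from codeload.github.com to an upstream-attached release asset is noticed and the new archive is inspected before its hashes are pinned.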
Comment 5 Larry the Git Cow gentoo-dev 2019-09-23 07:21:23 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b64fe9b6ee399c91d6c606d5a86e0f8983336a66

commit b64fe9b6ee399c91d6c606d5a86e0f8983336a66
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2019-09-23 07:16:07 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2019-09-23 07:16:48 +0000

    app-admin/webmin: Remove last-rited pkg
    
    Bug: https://bugs.gentoo.org/692740
    Signed-off-by: Michał Górny <mgorny@gentoo.org>

 app-admin/webmin/Manifest             |   2 -
 app-admin/webmin/files/gentoo-setup   | 438 ----------------------------------
 app-admin/webmin/files/init.d.webmin  |  85 -------
 app-admin/webmin/files/webmin.service |  18 --
 app-admin/webmin/metadata.xml         |   8 -
 app-admin/webmin/webmin-1.881.ebuild  | 314 ------------------------
 profiles/package.mask                 |   6 -
 7 files changed, 871 deletions(-)
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2020-04-01 19:14:21 UTC
Closing as invalid because Gentoo was never affected by this vulnerability.