Arbitrary remote file access
Affects: Webmin versions below 1.290, and Usermin versions below 1.220, on any operating system.
An attacker without a login to Webmin can read the contents of any file on the server using a specially crafted URL. All users should upgrade to version 1.290 as soon as possible, or set up IP access control in Webmin.
Credit: Kenny Chen
Jeremy, please provide updated ebuilds.
*** Bug 138815 has been marked as a duplicate of this bug. ***
Created attachment 90678: webmin-1.290.ebuild (just renamed from 1.280)
*** Bug 140118 has been marked as a duplicate of this bug. ***
Is the ebuild going to get committed to portage?
Maintainer MIA:
[15:52] <jaervosz> !seen eradicator
[15:52] <glbt> eradicator (n=Jeremy@gentoo/developer/eradicator) was last seen quitting from #gentoo-commits 45 days, 4 hours, 44 minutes ago stating (Remote closed the connection).
Security patchers, could you try a bump, or should we ask for a new maintainer on -dev?
Being that eradicator is MIA again, Stuart said he would look into this when he gets home from work today.
Okay, webmin-1.290 is in the tree. It installs, but I've done no testing to be sure that webmin itself works (it's not a package I know well, or use myself). Best regards, Stu
Thx Stuart. According to upstream we also need usermin 1.220.
Whoops, removing arches from CC. Sorry for the spam.
(In reply to comment #8)
> Okay, webmin-1.290 is in the tree. It installs, but I've done no testing to be sure that webmin itself works (it's not a package I know well, or use myself).
Stuart, you forgot to stick the pam flag into IUSE... ;)
Hmm? Which USE Flag do you mean? What is this USE Flag doing?
Hi, usermin is now bumped (thanks Sune), and the PAM USE flag is back in IUSE (thanks Jakob). The only testing I've done is to ensure that it installs. Best regards, Stu
Thx Stuart. Arches, please test and mark stable.
ppc stable
Stable on x86
Stable on SPARC. Just a note that at least SPARC was auto-stabilized on the usermin bump. Other arches may have been as well (not sure).
stable on hppa
webmin and usermin marked stable on alpha.
ppc64 stable
never click on the wrong place...
Missing amd64 keyword on webmin
working fine on amd64...

emerge --info
Portage 2.1-r1 (default-linux/amd64/2006.0, gcc-3.4.6, glibc-2.3.6-r4, 2.6.17-suspend2-r3-Dudebox-Edition x86_64)
=================================================================
System uname: 2.6.17-suspend2-r3-Dudebox-Edition x86_64 AMD Athlon(tm) 64 Processor 3200+
Gentoo Base System version 1.6.15
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-lang/python: 2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache: 2.3
dev-util/confcache: [Not Present]
sys-apps/sandbox: 1.2.17
sys-devel/autoconf: 2.13, 2.59-r7
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils: 2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -O2 -pipe -msse3"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=k8 -O2 -pipe -msse3"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp:///ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/"
LINGUAS="de"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://server/gentoo-portage"
USE="amd64 X alsa arts avi berkdb bitmap-fonts cli crypt cups dlloader dri eds emboss encode foomaticdb fortran gif gnome gpm gstreamer gtk gtk2 imlib ipv6 isdnlog jpeg kde kdeenablefinal lzw lzw-tiff mp3 mpeg ncurses nls nptl opengl pam pcre pdflib perl png pppd python qt qt3 qt4 quicktime readline reflection sdl session spell spl ssl tcpd tiff truetype-fonts type1-fonts unicode usb userlocales xorg xpm xv zlib elibc_glibc input_devices_keyboard input_devices_mouse input_devices_evdev kernel_linux linguas_de userland_GNU video_cards_dummy"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
amd64 stable.
This one is ready for GLSA decision.
I vote yes for unlimited file disclosure.
I vote a weak yes. But running Webmin on the internet side is always insecure, and I hope it's rare.
Thinking of half-trusted LANs, another yes.
OK, let's have a GLSA.
GLSA 200608-11. arm, s390: don't forget to mark stable to benefit from the GLSA.