Bug 623948 (CVE-2017-15644, CVE-2017-15645, CVE-2017-15646, CVE-2017-2106, CVE-2017-9313) - <app-admin/webmin-1.881: Multiple vulnerabilities
Summary: <app-admin/webmin-1.881: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-15644, CVE-2017-15645, CVE-2017-15646, CVE-2017-2106, CVE-2017-9313
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Low trivial with 1 vote
Assignee: Gentoo Security
URL: http://www.webmin.com/changes.html
Whiteboard: ~4 [noglsa cve]
Keywords:
Depends on: 600422 640420
Blocks:
Reported: 2017-07-06 02:27 UTC by D'juan McDonald (domhnall)
Modified: 2018-10-31 00:18 UTC
Description D'juan McDonald (domhnall) 2017-07-06 02:27:43 UTC
From $URL

Multiple Cross-site scripting (XSS) vulnerabilities in Webmin before 1.850 allow remote attackers to inject arbitrary web script or HTML via the sec parameter to view_man.cgi, the referers parameter to change_referers.cgi, or the name parameter to save_user.cgi. NOTE: these issues were not fixed in 1.840.

URL: https://nvd.nist.gov/vuln/detail/CVE-2017-9313

Reproducible: Always
Comment 1 D'juan McDonald (domhnall) 2017-08-04 01:25:36 UTC
@maintainer(s): 

Upstream Patch:
https://github.com/webmin/webmin/commit/c2d4a90639afb2403979aa91ba75cb332ae16d1b
Comment 2 D'juan McDonald (domhnall) 2017-08-22 14:21:28 UTC
jcameron committed Jun 12, 2017

Upstream Patch 1/2:
https://github.com/webmin/webmin/commit/c2d4a90639afb2403979aa91ba75cb332ae16d1b

Upstream Patch 2/2:
https://github.com/webmin/webmin/commit/a330e913ee099cb9c586ce1b9267647fc566c1ab

@maintainer(s), please test and follow procedure to close on report, thank you.

Daj'Uan (mbailey_j)
Gentoo Security Scout
Comment 3 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-24 20:07:19 UTC
Adding CVEs:

CVE-2017-2106
CVE-2017-15646
CVE-2017-15645
CVE-2017-15644

Affected versions: all prior to 1.830
Comment 4 D'juan McDonald (domhnall) 2018-10-15 11:36:34 UTC
@security

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=37700521dc61e1ca761f09d49def71eeafa0fb77

commit 37700521dc61e1ca761f09d49def71eeafa0fb77
Author:     Pacho Ramos <pacho@gentoo.org>
AuthorDate: 2018-10-14 12:24:17 +0000
Commit:     Pacho Ramos <pacho@gentoo.org>
CommitDate: 2018-10-14 13:02:22 +0000

    app-admin/webmin: Version bump (#600422 by PhobosK)
    
    Closes: https://bugs.gentoo.org/600422
    Closes: https://bugs.gentoo.org/596618
    Signed-off-by: Pacho Ramos <pacho@gentoo.org>
    Package-Manager: Portage-2.3.51, Repoman-2.3.11

 app-admin/webmin/Manifest            |   2 +
 app-admin/webmin/files/gentoo-setup  | 438 +++++++++++++++++++++++++++++++++++
 app-admin/webmin/webmin-1.881.ebuild | 314 +++++++++++++++++++++++++
 3 files changed, 754 insertions(+)




---
Keywords for app-admin/webmin:
      |                           a     |       |  
      |                           m     |       |  
      |                           d   x |       |  
      |                           6   8 |       |  
      |                           4   6 |   u   |  
      | a a   a     p           s |   | |   n   |  
      | l m   r i   p   h m s   p f m f | e u s | r
      | p d a m a p c x p 6 3   a b i b | a s l | e
      | h 6 r 6 6 p 6 8 p 8 9 s r s p s | p e o | p
      | a 4 m 4 4 c 4 6 a k 0 h c d s d | i d t | o
------+---------------------------------+-------+-------
1.881 | o ~ o o o o o ~ o o o o o o o o | 6 o 0 | gentoo

---
Vulnerable version dropped, please proceed.

Gentoo Security Padawan
(domhnall)
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2018-10-31 00:18:24 UTC
All done, repository is clean.