Bug 239956 - sysutils/webmin: needs updating to 1.930 for security
Summary: sysutils/webmin: needs updating to 1.930 for security
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: Jimmy Olgeni
URL:
Keywords:
Depends on:
Blocks: 239957
Reported: 2019-08-18 22:17 UTC by Delta Regeer
Modified: 2019-08-20 10:52 UTC (History)

See Also:
bugzilla: maintainer-feedback? (olgeni)


Description Delta Regeer 2019-08-18 22:17:09 UTC
As pointed out here, webmin is currently vulnerable to a backdoor:

https://www.reddit.com/r/BSD/comments/cs637w/freebsd_backdoored_sysutilswebmin_and/
Comment 1 commit-hook freebsd_committer freebsd_triage 2019-08-18 22:54:10 UTC
A commit references this bug:

Author: olgeni
Date: Sun Aug 18 22:53:13 UTC 2019
New revision: 509243
URL: https://svnweb.freebsd.org/changeset/ports/509243

Log:
  Update sysutils/webmin to version 1.930.

  Contains fix for CVE-2019-15107.

  From https://virtualmin.com/node/66890:

    To exploit the malicious code, your Webmin installation must have Webmin ->
    Webmin Configuration -> Authentication -> Password expiry policy set to
    Prompt users with expired passwords to enter a new one. This option is not
    set by default, but if it is set, it allows remote code execution.

  PR:           239956
  Submitted by: Bert JW Regeer <xistence@0x58.com>
  Security:     CVE-2019-15107

Changes:
  head/sysutils/webmin/Makefile
  head/sysutils/webmin/distinfo
  head/sysutils/webmin/pkg-plist
Comment 2 Jimmy Olgeni freebsd_committer freebsd_triage 2019-08-18 23:30:07 UTC
Pending MFH to 2019Q3.
Comment 3 commit-hook freebsd_committer freebsd_triage 2019-08-20 10:46:22 UTC
A commit references this bug:

Author: olgeni
Date: Tue Aug 20 10:46:01 UTC 2019
New revision: 509417
URL: https://svnweb.freebsd.org/changeset/ports/509417

Log:
  MFH: r509243 r509244

  Update sysutils/webmin to version 1.930.

  Contains fix for CVE-2019-15107.

  From https://virtualmin.com/node/66890:

    To exploit the malicious code, your Webmin installation must have Webmin ->
    Webmin Configuration -> Authentication -> Password expiry policy set to
    Prompt users with expired passwords to enter a new one. This option is not
    set by default, but if it is set, it allows remote code execution.

  PR:           239956
  Submitted by: Bert JW Regeer <xistence@0x58.com>
  Security:     CVE-2019-15107

  Update sysutils/usermin to version 1.780.

  PR:           239957

  Approved by:  ports-secteam (joneum)

Changes:
_U  branches/2019Q3/
  branches/2019Q3/sysutils/usermin/Makefile
  branches/2019Q3/sysutils/usermin/distinfo
  branches/2019Q3/sysutils/usermin/pkg-plist
  branches/2019Q3/sysutils/webmin/Makefile
  branches/2019Q3/sysutils/webmin/distinfo
  branches/2019Q3/sysutils/webmin/pkg-plist
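A triage check for the exposure condition quoted in the commit logs above (an installed version before 1.930 combined with the "Prompt users with expired passwords to enter a new one" expiry policy). This is an added example, not code from the port or from Webmin; it assumes that the expiry policy is stored in Webmin's miniserv.conf as `passwd_mode` with value 2 meaning the prompt option, which the bug report itself does not state.

```python
import re
from typing import Dict, Tuple

# Constructed sample of a miniserv.conf; the passwd_mode key and the meaning of
# value 2 are assumed from Webmin's configuration format, not from this bug.
SAMPLE_MINISERV_CONF = """\
port=10000
root=/usr/local/lib/webmin
ssl=1
passwd_mode=2
"""

FIXED_VERSION = "1.930"        # first release containing the fix (from the commit log)
VULNERABLE_PASSWD_MODE = "2"   # assumed: "Prompt users with expired passwords to enter a new one"


def parse_miniserv_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines, skipping blanks, comments and malformed lines."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '1.930' into (1, 930) so Webmin versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def assess(version: str, conf_text: str) -> dict:
    """Classify an install as patched, exposed, or unpatched but with the setting off."""
    conf = parse_miniserv_conf(conf_text)
    patched = version_tuple(version) >= version_tuple(FIXED_VERSION)
    risky_setting = conf.get("passwd_mode") == VULNERABLE_PASSWD_MODE
    return {
        "patched": patched,
        "risky_setting": risky_setting,
        "exposed": (not patched) and risky_setting,
        "action": ("none" if patched
                   else "upgrade to 1.930 now" if risky_setting
                   else "upgrade to 1.930; expiry prompt not enabled"),
    }


if __name__ == "__main__":
    print(assess("1.920", SAMPLE_MINISERV_CONF))
```

To run it against a real host, pass the installed package version and the contents of the port's miniserv.conf (assumed to live under /usr/local/etc/webmin/ on FreeBSD) to `assess()`.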