Bug 239957

Summary: sysutils/usermin: needs to be updated to 1.780 for security
Product: Ports & Packages
Reporter: Delta Regeer <xistence>
Component: Individual Port(s)
Assignee: Jimmy Olgeni <olgeni>
Status: Closed FIXED
Severity: Affects Only Me
CC: emaste, xistence
Priority: ---
Flags: bugzilla: maintainer-feedback? (olgeni)
Version: Latest
Hardware: Any
OS: Any
Bug Depends on: 239956
Bug Blocks:

Description Delta Regeer 2019-08-18 22:18:19 UTC
As pointed out on Reddit, usermin is currently vulnerable to a backdoor:

https://www.reddit.com/r/BSD/comments/cs637w/freebsd_backdoored_sysutilswebmin_and/
Comment 1 commit-hook freebsd_committer freebsd_triage 2019-08-18 23:01:11 UTC
A commit references this bug:

Author: olgeni
Date: Sun Aug 18 23:00:47 UTC 2019
New revision: 509244
URL: https://svnweb.freebsd.org/changeset/ports/509244

Log:
  Update sysutils/usermin to version 1.780.

  Contains fix for CVE-2019-15107.

  From https://virtualmin.com/node/66890:

    To exploit the malicious code, your Webmin installation must have Webmin ->
    Webmin Configuration -> Authentication -> Password expiry policy set to
    Prompt users with expired passwords to enter a new one. This option is not
    set by default, but if it is set, it allows remote code execution.

  PR:           239957
  Submitted by: Bert JW Regeer <xistence@0x58.com>
  Security:     CVE-2019-15107

Changes:
  head/sysutils/usermin/Makefile
  head/sysutils/usermin/distinfo
  head/sysutils/usermin/pkg-plist
Comment 2 Jimmy Olgeni freebsd_committer freebsd_triage 2019-08-18 23:30:18 UTC
Pending MFH to 2019Q3.
Comment 3 commit-hook freebsd_committer freebsd_triage 2019-08-20 10:46:23 UTC
A commit references this bug:

Author: olgeni
Date: Tue Aug 20 10:46:01 UTC 2019
New revision: 509417
URL: https://svnweb.freebsd.org/changeset/ports/509417

Log:
  MFH: r509243 r509244

  Update sysutils/webmin to version 1.930.

  Contains fix for CVE-2019-15107.

  From https://virtualmin.com/node/66890:

    To exploit the malicious code, your Webmin installation must have Webmin ->
    Webmin Configuration -> Authentication -> Password expiry policy set to
    Prompt users with expired passwords to enter a new one. This option is not
    set by default, but if it is set, it allows remote code execution.

  PR:           239956
  Submitted by: Bert JW Regeer <xistence@0x58.com>
  Security:     CVE-2019-15107

  Update sysutils/usermin to version 1.780.

  PR:           239957

  Approved by:  ports-secteam (joneum)

Changes:
_U  branches/2019Q3/
  branches/2019Q3/sysutils/usermin/Makefile
  branches/2019Q3/sysutils/usermin/distinfo
  branches/2019Q3/sysutils/usermin/pkg-plist
  branches/2019Q3/sysutils/webmin/Makefile
  branches/2019Q3/sysutils/webmin/distinfo
  branches/2019Q3/sysutils/webmin/pkg-plist