Bug 239957 - sysutils/usermin: needs to be updated to 1.780 for security
Summary: sysutils/usermin: needs to be updated to 1.780 for security
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Only Me
Assignee: Jimmy Olgeni
URL:
Keywords:
Depends on: 239956
Blocks:
  Show dependency treegraph
 
Reported: 2019-08-18 22:18 UTC by Delta Regeer
Modified: 2019-08-20 10:52 UTC (History)
2 users (show)

See Also:
bugzilla: maintainer-feedback? (olgeni)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Delta Regeer 2019-08-18 22:18:19 UTC 
As pointed out on Reddit, usermin is currently vulnerable to a backdoor:

https://www.reddit.com/r/BSD/comments/cs637w/freebsd_backdoored_sysutilswebmin_and/
Comment 1 commit-hook freebsd_committer freebsd_triage 2019-08-18 23:01:11 UTC 
A commit references this bug:

Author: olgeni
Date: Sun Aug 18 23:00:47 UTC 2019
New revision: 509244
URL: https://svnweb.freebsd.org/changeset/ports/509244

Log:
  Update sysutils/usermin to version 1.780.

  Contains fix for CVE-2019-15107.

  From https://virtualmin.com/node/66890:

    To exploit the malicious code, your Webmin installation must have Webmin ->
    Webmin Configuration -> Authentication -> Password expiry policy set to
    Prompt users with expired passwords to enter a new one. This option is not
    set by default, but if it is set, it allows remote code execution.

  PR:           239957
  Submitted by: Bert JW Regeer <xistence@0x58.com>
  Security:     CVE-2019-15107

Changes:
  head/sysutils/usermin/Makefile
  head/sysutils/usermin/distinfo
  head/sysutils/usermin/pkg-plist
Comment 2 Jimmy Olgeni freebsd_committer freebsd_triage 2019-08-18 23:30:18 UTC 
Pending MFH to 2019Q3.
Comment 3 commit-hook freebsd_committer freebsd_triage 2019-08-20 10:46:23 UTC 
A commit references this bug:

Author: olgeni
Date: Tue Aug 20 10:46:01 UTC 2019
New revision: 509417
URL: https://svnweb.freebsd.org/changeset/ports/509417

Log:
  MFH: r509243 r509244

  Update sysutils/webmin to version 1.930.

  Contains fix for CVE-2019-15107.

  From https://virtualmin.com/node/66890:

    To exploit the malicious code, your Webmin installation must have Webmin ->
    Webmin Configuration -> Authentication -> Password expiry policy set to
    Prompt users with expired passwords to enter a new one. This option is not
    set by default, but if it is set, it allows remote code execution.

  PR:           239956
  Submitted by: Bert JW Regeer <xistence@0x58.com>
  Security:     CVE-2019-15107

  Update sysutils/usermin to version 1.780.

  PR:           239957

  Approved by:  ports-secteam (joneum)

Changes:
_U  branches/2019Q3/
  branches/2019Q3/sysutils/usermin/Makefile
  branches/2019Q3/sysutils/usermin/distinfo
  branches/2019Q3/sysutils/usermin/pkg-plist
  branches/2019Q3/sysutils/webmin/Makefile
  branches/2019Q3/sysutils/webmin/distinfo
  branches/2019Q3/sysutils/webmin/pkg-plist