Date:      Sun, 18 Aug 2019 23:24:00 +0000 (UTC)
From:      Jimmy Olgeni <olgeni@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r509245 - head/security/vuxml
Message-ID:  <201908182324.x7INO0kd027375@repo.freebsd.org>

Author: olgeni
Date: Sun Aug 18 23:24:00 2019
New Revision: 509245
URL: https://svnweb.freebsd.org/changeset/ports/509245

Log:
  security/vuxml: add vuxml entry for webmin and usermin (CVE-2019-15107).

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Sun Aug 18 23:00:46 2019	(r509244)
+++ head/security/vuxml/vuln.xml	Sun Aug 18 23:24:00 2019	(r509245)
@@ -58,6 +58,56 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
+  <vuln vid="ece65d3b-c20c-11e9-8af4-bcaec55be5e5">
+    <topic>webmin -- unauthenticated remote code execution</topic>
+    <affects>
+      <package>
+	<name>webmin</name>
+	<range><lt>1.930</lt></range>
+      </package>
+      <package>
+	<name>usermin</name>
+	<range><lt>1.780</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>Joe Cooper reports:</p>
+	<blockquote cite="https://virtualmin.com/node/66890">;
+	  <p>I've rolled out Webmin version 1.930 and Usermin version 1.780
+	  for all repositories. This release includes several security
+	  fixes, including one potentially serious one caused by malicious
+	  code inserted into Webmin and Usermin at some point on our build
+	  infrastructure. We're still investigating how and when, but the
+	  exploitable code has never existed in our github repositories, so
+	  we've rebuilt from git source on new infrastructure (and checked
+	  to be sure the result does not contain the malicious code).</p>
+
+	  <p>I don't have a changelog for these releases yet, but I wanted
+	  to announce them immediately due to the severity of this issue.
+	  To exploit the malicious code, your Webmin installation must have
+	  Webmin -&gt; Webmin Configuration -&gt; Authentication -&gt; Password
+	  expiry policy set to Prompt users with expired passwords to enter
+	  a new one. This option is not set by default, but if it is set,
+	  it allows remote code execution.</p>
+
+	  <p>This release addresses CVE-2019-15107, which was disclosed
+	  earlier today. It also addresses a handful of XSS issues that we
+	  were notified about, and a bounty was awarded to the researcher
+	  (a different one) who found them.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <url>https://virtualmin.com/node/66890</url>;
+      <cvename>CVE-2019-15107</cvename>
+    </references>
+    <dates>
+      <discovery>2019-08-17</discovery>
+      <entry>2019-08-17</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="3b2ee737-c12d-11e9-aabc-0800274e5f20">
     <topic>gitea -- multiple vulnerabilities</topic>
     <affects>
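Review bot: The `<entry>` date in the `<dates>` block (2019-08-17) does not match the commit date of this change (Sun Aug 18 23:24:00 2019); VuXML uses `<entry>` for the date the entry was added to vuln.xml, so it should read `<entry>2019-08-18</entry>`, with `<discovery>` staying at 2019-08-17 as the date the vendor announcement cited in the blockquote was published. A second, minor point: the quoted announcement also says the release "addresses a handful of XSS issues", while the `<topic>` names only the remote code execution; if those XSS fixes are meant to be covered by this entry, the topic (e.g. "webmin -- multiple vulnerabilities") and description should say so, otherwise readers will assume they are tracked separately.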