svn commit: r509245 - head/security/vuxml
Jimmy Olgeni
olgeni at FreeBSD.org
Sun Aug 18 23:24:01 UTC 2019
Author: olgeni
Date: Sun Aug 18 23:24:00 2019
New Revision: 509245
URL: https://svnweb.freebsd.org/changeset/ports/509245
Log:
security/vuxml: add vuxml entry for webmin and usermin (CVE-2019-15107).
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Sun Aug 18 23:00:46 2019 (r509244)
+++ head/security/vuxml/vuln.xml Sun Aug 18 23:24:00 2019 (r509245)
@@ -58,6 +58,56 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="ece65d3b-c20c-11e9-8af4-bcaec55be5e5">
+ <topic>webmin -- unauthenticated remote code execution</topic>
+ <affects>
+ <package>
+ <name>webmin</name>
+ <range><lt>1.930</lt></range>
+ </package>
+ <package>
+ <name>usermin</name>
+ <range><lt>1.780</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Joe Cooper reports:</p>
+ <blockquote cite="https://virtualmin.com/node/66890">
+ <p>I've rolled out Webmin version 1.930 and Usermin version 1.780
+ for all repositories. This release includes several security
+ fixes, including one potentially serious one caused by malicious
+ code inserted into Webmin and Usermin at some point on our build
+ infrastructure. We're still investigating how and when, but the
+ exploitable code has never existed in our github repositories, so
+ we've rebuilt from git source on new infrastructure (and checked
+ to be sure the result does not contain the malicious code).</p>
+
+ <p>I don't have a changelog for these releases yet, but I wanted
+ to announce them immediately due to the severity of this issue.
+ To exploit the malicious code, your Webmin installation must have
+ Webmin -> Webmin Configuration -> Authentication -> Password
+ expiry policy set to Prompt users with expired passwords to enter
+ a new one. This option is not set by default, but if it is set,
+ it allows remote code execution.</p>
+
+ <p>This release addresses CVE-2019-15107, which was disclosed
+ earlier today. It also addresses a handful of XSS issues that we
+ were notified about, and a bounty was awarded to the researcher
+ (a different one) who found them.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <url>https://virtualmin.com/node/66890</url>
+ <cvename>CVE-2019-15107</cvename>
+ </references>
+ <dates>
+ <discovery>2019-08-17</discovery>
+ <entry>2019-08-17</entry>
+ </dates>
+ </vuln>
+
<vuln vid="3b2ee737-c12d-11e9-aabc-0800274e5f20">
<topic>gitea -- multiple vulnerabilities</topic>
<affects>
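Review bot: the `<topic>` on the first added line (`webmin -- unauthenticated remote code execution`) names only webmin, while the `<affects>` block in the same entry lists both `webmin` (`<lt>1.930</lt>`) and `usermin` (`<lt>1.780</lt>`), so the title under-reports the entry's scope; suggest `<topic>webmin and usermin -- unauthenticated remote code execution</topic>` to match the commit log, which also names both packages. Separately, `<entry>2019-08-17</entry>` predates this commit (Sun Aug 18 23:24:00 2019 per the header); if the VuXML `<entry>` date is meant to record when the record was added, it should read 2019-08-18, with `<discovery>` left as-is.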