FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The last vuln.xml file processed by FreshPorts is:

nothing found there

List all Vulnerabilities, by package

List all Vulnerabilities, by date

These are the vulnerabilities relating to the commit you have selected:

VuXML ID | Description
227475c2-09cb-11db-9156-000e0c2e438a | webmin, usermin -- arbitrary file disclosure vulnerability

The webmin development team reports:

An attacker without a login to Webmin can read the contents of any file on the server using a specially crafted URL. All users should upgrade to version 1.290 as soon as possible, or set up IP access control in Webmin.


Discovery 2006-06-30
Entry 2006-07-02
webmin lt 1.290
usermin lt 1.220

18744
http://www.webmin.com/security.html

ece65d3b-c20c-11e9-8af4-bcaec55be5e5 | webmin -- unauthenticated remote code execution

Joe Cooper reports:

I've rolled out Webmin version 1.930 and Usermin version 1.780 for all repositories. This release includes several security fixes, including one potentially serious one caused by malicious code inserted into Webmin and Usermin at some point on our build infrastructure. We're still investigating how and when, but the exploitable code has never existed in our github repositories, so we've rebuilt from git source on new infrastructure (and checked to be sure the result does not contain the malicious code).

I don't have a changelog for these releases yet, but I wanted to announce them immediately due to the severity of this issue. To exploit the malicious code, your Webmin installation must have Webmin -> Webmin Configuration -> Authentication -> Password expiry policy set to Prompt users with expired passwords to enter a new one. This option is not set by default, but if it is set, it allows remote code execution.

This release addresses CVE-2019-15107, which was disclosed earlier today. It also addresses a handful of XSS issues that we were notified about, and a bounty was awarded to the researcher (a different one) who found them.


Discovery 2019-08-17
Entry 2019-08-17
webmin lt 1.930
usermin lt 1.780

https://virtualmin.com/node/66890
CVE-2019-15107