Upgrading Webmin to 1.894 installs Authentic Theme 19.20 beta2

pixel_paul's picture
Submitted by pixel_paul on Fri, 10/19/2018 - 05:20 Pro Licensee

I assume that this is incorrect.

Thanks,

Paul

Status: 
Active

Comments

Submitted by andreychek on Fri, 10/19/2018 - 09:02

I've asked Joe for some input on this one.

pixel_paul's picture
Submitted by pixel_paul on Fri, 10/19/2018 - 17:24 Pro Licensee

Yes, especially after looking through the commits.....this should not have been released.

Joe's picture
Submitted by Joe on Fri, 10/19/2018 - 18:49 Pro Licensee

Can you be more specific? I don't know of any showstopper bugs in this version versus earlier versions. There's an "XSS" commit, but it's not exploitable in any reasonable manner (it requires control of the client browser to force referer spoofing, or convincing a user to copy/paste a specially crafted URL rather than clicking it, so there's not a realistic exploit of it).

We'll be doing a new stable Webmin in a few days with 19.20 stable, which fixes a few other Authentic bugs. But, if there's something specific that's a major problem, let me know and I'll accelerate that plan or do another devel release.

pixel_paul's picture
Submitted by pixel_paul on Sat, 10/20/2018 - 01:13 Pro Licensee

Ok, but I don't understand why a beta release is being released on a stable channel. When I tested beta 2 I found there were bugs, so I figured I'd wait until a final release, however I inadvertently released this on a production server (and one which usermin is used frequently on). Surely when I set a flag saying "Stable releases" only that should be adhered to.

Joe's picture
Submitted by Joe on Tue, 10/23/2018 - 00:14 Pro Licensee

Ah, sorry. I thought there were fewer bugs in 19.20beta2 than in the previous stable release. Sometimes we roll "beta" releases because they fix bugs that are impacting users, and that's what happened here (though we probably should have talked it over with Ilia longer and gotten a newer version there). We had a pretty big backlog of "fixed, but not packaged" bugs, and wanted to get them out so users weren't waiting for them until the next big release.

But, Ilia has just implemented a process for marking releases as "ready" for inclusion in a Webmin package, so we'll be a bit more cautious about rolling forward to new Authentic versions.

What specific bugs are affecting you? I want to make sure we get them resolved in the next Webmin package.

pixel_paul's picture
Submitted by pixel_paul on Tue, 10/23/2018 - 03:48 Pro Licensee

From what I understand, 19.20 brings in the changes to Usermin, which are quite significant. From a deployment perspective, I'd rather only release a final when it is bundled with Webmin - the fast release cycle of Authentic has caught us out before and it has made me very cautious.

The likelihood is that the bugs I found (and didn't report as I was only intending to view the new Usermin changes) are fixed. One that does come to mind was that the file manager was broken.

I can, if I have a moment, run through the current beta release and do some further testing.

Thanks,

Paul