Webmin versions below 1.930 contain a remotely exploitable security hole

I see this on my VM page:

Webmin versions below 1.930 contain a remotely exploitable security hole and should be upgraded immediately! See http://www.webmin.com/security.html for more details.

Webmin 1.882 to 1.921 - Remote Command Execution (CVE-2019-15231)

There is no update as far as I can see:

Name        : webmin
Arch        : noarch
Version     : 1.900
Release     : 1
Size        : 78 M
Repo        : installed
From repo   : virtualmin-universal

Status: 
Closed (fixed)

Comments

Never mind. Cent 7. Try running yum clean all, then yum update, and see if that helps.

The CentOS 7 repo does contain an up to date Webmin version... for GPL users that repo is visible here:

http://software.virtualmin.com/vm/6/gpl/universal/

If need be, you can always manually download the Webmin package from there.

If that doesn't help -- it doesn't appear you're seeing a bug there, it could be an issue with your repo setup or some other configuration problem. As it appears you're using Virtualmin GPL, you'd want to use the Forums for any additional questions. We monitor the Forums, along with lots of wonderful folks in the community. Thanks!

Licensed version of VM and CentOS 7:

uname -a
Linux x.com 3.10.0-1062.4.3.el7.x86_64 #1 SMP Wed Nov 13 23:58:53 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

This is a licensed version, and I am getting it from virtualmin-universal.

Trying to fix this issue; it may be unrelated.

epel/x86_64/updateinfo         FAILED                                         
http://mirror.math.princeton.edu/pub/epel/7/x86_64/repodata/4a778c08cb747b001e51a919d96e73e0a6435340c78abf0a604c7006a1c94bcf-updateinfo.xml.bz2: [Errno 14] HTTP Error 404 - Not Found:-- ETA
Trying other mirror.

It only does this after a yum clean all

[epel]
name=Extra Packages for Enterprise Linux 7 - $basearch
#baseurl=http://download.fedoraproject.org/pub/epel/7/$basearch
metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-7&arch=$basearch&infra=$infra&content=$contentdir
failovermethod=priority
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7

[epel-debuginfo]
name=Extra Packages for Enterprise Linux 7 - $basearch - Debug
#baseurl=http://download.fedoraproject.org/pub/epel/7/$basearch/debug
metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-debug-7&arch=$basearch&infra=$infra&content=$contentdir
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
gpgcheck=1

[epel-source]
name=Extra Packages for Enterprise Linux 7 - $basearch - Source
#baseurl=http://download.fedoraproject.org/pub/epel/7/SRPMS
metalink=https://mirrors.fedoraproject.org/metalink?repo=epel-source-7&arch=$basearch&infra=$infra&content=$contentdir
failovermethod=priority
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
gpgcheck=1

I verified my license and password; it has 347 days till it expires.

[virtualmin]
name=RHEL/CentOS/Scientific $releasever - $basearch - Virtualmin
baseurl=http://LICENCE:PASS@software.virtualmin.com/rhel/$releasever/$basearch/
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-virtualmin
gpgcheck=1
skip_if_unavailable = 1
keepcache = 0

[virtualmin-universal]
name=Virtualmin Distribution Neutral Packages
baseurl=http://LICENCE:PASS@software.virtualmin.com/universal/
enabled=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-virtualmin
gpgcheck=1

For now I did this, but this means I am not getting other updates, so this is not resolved.

wget http://software.virtualmin.com/vm/6/gpl/universal/webmin-1.932-1.noarch.rpm
yum localinstall webmin-1.932-1.noarch.rpm

We let the license go for a while and just updated it a while ago. Does this have anything to do with it? Do I need some type of update?

The license says it is valid. If you need the serial number, let me know; it is under someone else's name, but I have been taking care of this site with VM for way too many years to think about it, so just check when I created the account. I can tell you that the cost of the license is well worth it. I was in the hospital, so I had no choice. I started off with the GPL, I loved it so much I got the license, and after I got back on my feet and got it updated, I figured things were good. I had no idea I was not getting these updates. I searched the internet for others with this problem, so I do not think it is a bug, but rather something to do with the settings I posted above. I did verify them, but if they are wrong, I need to know how to fix them. I replaced LICENCE:PASS to keep this secret, but it is the same one you sent us; we can do a private PM if you need it. You should have it on record. Let me know.

Thanks

You can close this. I looked at Webmin to see what repos were enabled, and virtualmin-universal (Virtualmin Distribution Neutral Packages) was not. Not sure when that happened; my guess is when the license expired, to get rid of the warnings, and I forgot to turn it back on. After that, it picked up the others.

I have no idea what repos I should have enabled, these are what I have enabled now:

base (CentOS)
updates (CentOS)
extras (CentOS)
centos-sclo-rh (CentOS)
centos-sclo-sclo (CentOS)
epel (Extra Packages for Enterprise Linux 7)
remi-php56more-epel-7-x86_64 (php56more)
rhscl-rh-php56-epel-7-x86_64 (PHP 5.6)
virtualmin (RHEL/CentOS/Scientific)
virtualmin-universal (Virtualmin Distribution Neutral Packages)

Should I enable any others?

You need to update your license installer to fix this issue; it should have enabled the repos when I installed the new license. It did update them, just not enable them.
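The root cause in this thread is a disabled repo stanza (enabled=0 on virtualmin-universal), which silently leaves an old Webmin in place while yum update reports nothing. The script below is an added example, not part of the thread and not Virtualmin's own tooling: it parses a .repo file the way the one posted above is laid out (the sample stanza is constructed inline, with the same placeholder credentials), compares a dotted Version string against the 1.930 fix threshold, and flags both problems. Function names, the fixed-version constant and the temp-file handling are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a yum .repo file for a disabled repo and check whether
# the installed Webmin version is below the release that closes the hole.
# Assumes repo stanzas look like the ones posted in the thread and that
# versions are dotted numerics like rpm's Version field ("1.900").

WEBMIN_FIXED=1.930   # first version the thread's warning accepts

# Constructed sample mirroring the thread's stanzas (placeholder credentials kept)
SAMPLE_REPO=$(mktemp)
cat > "$SAMPLE_REPO" <<'EOF'
[virtualmin]
name=RHEL/CentOS/Scientific $releasever - $basearch - Virtualmin
baseurl=http://LICENCE:PASS@software.virtualmin.com/rhel/$releasever/$basearch/
enabled=1
gpgcheck=1

[virtualmin-universal]
name=Virtualmin Distribution Neutral Packages
baseurl=http://LICENCE:PASS@software.virtualmin.com/universal/
enabled=0
gpgcheck=1
EOF

# The corrected state from the thread: the same file with the repo turned on
FIXED_REPO=$(mktemp)
sed 's/^enabled=0/enabled=1/' "$SAMPLE_REPO" > "$FIXED_REPO"
trap 'rm -f "$SAMPLE_REPO" "$FIXED_REPO"' EXIT

# repo_enabled FILE SECTION -> prints 1 when the stanza has enabled=1, else 0
repo_enabled() {
    awk -v want="[$2]" '
        $0 == want { in_sec = 1; next }
        /^\[/      { in_sec = 0 }
        in_sec && $0 ~ /^[[:space:]]*enabled[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, "")
            v = ($0 == "1") ? 1 : 0
            print v; found = 1; exit
        }
        END { if (!found) print 0 }
    ' "$1"
}

# version_lt A B -> exit 0 when dotted version A sorts before B (1.900 < 1.930)
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, pa, "."); nb = split(b, pb, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? pa[i] + 0 : 0
            y = (i <= nb) ? pb[i] + 0 : 0
            if (x < y) exit 0
            if (x > y) exit 1
        }
        exit 1
    }'
}

# webmin_audit INSTALLED_VERSION REPO_FILE -> prints findings, exits non-zero on any
webmin_audit() {
    installed=$1; repofile=$2; rc=0
    if version_lt "$installed" "$WEBMIN_FIXED"; then
        echo "webmin $installed is below $WEBMIN_FIXED: upgrade needed"; rc=1
    fi
    if [ "$(repo_enabled "$repofile" virtualmin-universal)" != 1 ]; then
        echo "virtualmin-universal is disabled in $repofile: yum update cannot see the fixed package"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "ok: webmin $installed, virtualmin-universal enabled"
    return "$rc"
}

# The thread's situation (1.900 installed, repo off), then the fixed state
webmin_audit 1.900 "$SAMPLE_REPO" || :
webmin_audit 1.932 "$FIXED_REPO" || :
```

Run it as-is to see both outcomes; to audit a real host, replace the constructed file with /etc/yum.repos.d/virtualmin.repo and feed the Version field from rpm -q --qf '%{VERSION}\n' webmin. The version comparison is numeric per dotted field, which matches how the thread's 1.900 and 1.932 compare, but it is not a full rpmvercmp and does not consider the Release field.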

Ohh I see, the license is associated with a different account, which would explain it.

It does indeed look like you have the Virtualmin repos enabled now.

Note that we recommend caution when using third party repos such as "remi" repos, as some third party repos can cause problems.

Thanks for explaining how you resolved the issue -- I'll discuss that with Joe and Jamie to get their thoughts on how best to handle it when a repo isn't active and the license is updated.

If there is a better repo for PHP 5.6 I would use it; till then, remi works.

You REALLY should move to PHP 7.x. Yes, CentOS does backport, but most apps require 7.x at least.

hole patched