Howdy all,
I've just rolled out version 1.800 of Webmin to all repositories. This includes a security fix for Authentic Theme, so we recommend updating immediately. If you cannot update Webmin at this time, switch the Webmin theme to Virtualmin Framed Theme (you can do that in Webmin->Webmin->Webmin Configuration->Webmin Themes; doing it in the per-user theme configuration will not mitigate this issue).
There are other changes in 1.800, but changelog will follow later. Security updates kinda take precedence over everything else.
Regards,
Joe
Just upgraded and now getting
HTTP/1.0 500 Perl execution failed
Server: MiniServ/1.800
Date: Thu, 26 May 2016 06:32:39 GMT
Content-type: text/html; Charset=iso-8859-1
Connection: close

Error - Perl execution failed
Can't locate auto/Net/SSLeay/set_tlsext_.al in @INC (@INC contains:
CentOS 6.7 Latest Virtualmin/Webmin and Authentic Theme
set_tlsext_host_name
COMPATIBILITY: not available in Net-SSLeay-1.45 and before; requires at least openssl-0.9.8f
Updated Net::SSLeay using: cpan > install Net::SSLeay
Restarted Webmin and all OK again.
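A pre-flight check for the failure reported above, added here as an example (it is not part of the original post and not Webmin's own code): it loads Net::SSLeay and reports whether the installed XS build actually exports set_tlsext_host_name, the function whose missing autoload stub appears in the error, along with the module version and the OpenSSL it was built against. The 1.46 threshold is taken from the compatibility note quoted in the post; the script name and output format are assumptions made for the example.

```perl
#!/usr/bin/perl
# check_ssleay.pl: added example, not part of the thread or of Webmin.
# Run before upgrading Webmin to a version that relies on SNI support.
use strict;
use warnings;

# Returns a hashref describing the local Net::SSLeay build.
sub ssleay_status {
    my %st = (loaded => 0, version => undef, has_sni => 0, openssl => 'unknown');
    eval { require Net::SSLeay; 1 } or return \%st;
    $st{loaded}  = 1;
    $st{version} = $Net::SSLeay::VERSION;
    # 'defined &name' inspects the symbol table without triggering
    # AutoLoader, so it reports a missing XS symbol cleanly instead of
    # dying with "Can't locate auto/Net/SSLeay/set_tlsext_.al".
    $st{has_sni} = defined &Net::SSLeay::set_tlsext_host_name ? 1 : 0;
    # SSLeay_version(0) returns the OpenSSL version string the module was
    # built against; guarded in case a very old build lacks it.
    my $v = eval { Net::SSLeay::SSLeay_version(0) };
    $st{openssl} = $v if defined $v;
    return \%st;
}

my $st = ssleay_status();
if (!$st->{loaded}) {
    print "Net::SSLeay is not installed\n";
    exit 2;
}
printf "Net::SSLeay %s, built against %s\n", $st->{version}, $st->{openssl};
if ($st->{has_sni}) {
    print "OK: set_tlsext_host_name is available\n";
    exit 0;
}
# Threshold from the compatibility note quoted in the thread
# (not available in Net-SSLeay-1.45 and before; needs openssl-0.9.8f+).
print "MISSING: set_tlsext_host_name; need Net::SSLeay 1.46 or newer ",
      "(have $st->{version}) built against OpenSSL 0.9.8f or later\n";
exit 1;
```

Exit status 0 means the upgrade is safe on this point, 1 means Net::SSLeay must be updated first (for example with `cpan Net::SSLeay`, as the post did), and 2 means the module is absent altogether.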
Same error here after update of server to Webmin 1.80 (Ubuntu Server 12.04 with latest Virtualmin/Webmin and Authentic Theme). Issue has not gone away after reboot - initial login shows "wait" animation continuously. On coming back to the status (home) screen I am seeing the same error message as described by CollinSchwagele.
I'm not using the Authentic theme (I only tried it once before on this particular server and didn't like it), so I'm not sure if this is related, but after updating I'm now getting spammed with these emails:
Can't locate auto/Net/SSLeay/set_tlsext_.al in @INC (@INC contains: /usr/libexec/webmin /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 . ..) at ../web-lib-funcs.pl line 7350 ...propagated at http-monitor.pl line 67.
When I go into Webmin, into Perl Modules, and try to install Net::SSLeay via CPAN, it seems like it tries to install the yum package, which is apparently already installed.
Howdy,
There's a report about that issue here:
https://www.virtualmin.com/node/40869
For anyone seeing this issue, and also comfortable with a text editor, could you try this patch here and let us know if this helps:
https://github.com/webmin/webmin/commit/a53b6d96ca61600f84ce83f89fbd389a...
We'll likely be pushing out a new Webmin release here soon with that fix.
-Eric
Thank you =)
It worked as expected (like a charm).
Thank U, guys,
--
Gaetano Dentamaro
President, CEO WOW SpA - http://wow.pe/
+39 340-2417.728 Skype: bittertooth
=========================================================
That government is best which governs least.
Henry David Thoreau
We got hacked through Webmin because we were not alerted of the latest security issue.
Please explain what was exactly fixed and how the security issue was exploited. Full disclosure please.
Sorry you got bit by this one. It caught us by surprise as well, and it is the worst vulnerability to ship in a Webmin package in many years. Luckily, it only affected a couple of devel releases; unfortunately, we'd uncharacteristically rolled those releases into the Virtualmin repos because of unrelated changes.
We did everything we could to resolve it quickly and to let everyone know they needed to update; Jamie bought satellite Internet while flying over the Atlantic in order to be able to roll it out. We posted to every communication method we could think of for notifying folks of updates (Twitter @virtualmin, IRC #virtualmin, here in the news forum, the Webmin mailing list, and on a post on Low End Talk that was discussing the issue). And, of course, it would have shown up in your available updates within Virtualmin. From the time I learned of the issue to it rolling into the repositories was around three hours (much of that was figuring out how to reach Jamie to get a new Webmin rolled).
So, it's earlier than I wanted to discuss the details of the problem; but we always try to practice responsible disclosure in a timely manner. We'll post a proper security notice about it soon, but I guess folks who are paying attention have already updated, and people who aren't paying attention are already in trouble.
In short: Authentic theme, as included in two Webmin devel releases (1.794 and 1.795), failed to properly sanitize user input, allowing arbitrary code execution on unauthenticated requests. There was a recently added feature in the theme (specifically a login notifications feature); it was added since we last audited Authentic Theme for security. It did not ship with any Webmin stable release, but because it happened to coincide with several updates for Let's Encrypt support and Ubuntu 16.04 bug fixes, we had rolled these devel versions into the Virtualmin repos. The feature in question accepted user-provided data for inclusion in the email notification, which allowed code execution through use of shell backticks.
Our resolution has been to remove that feature entirely from the theme (it belongs in the User module, anyway). We are also in the midst of a more thorough code review of Authentic Theme.
--
Check out the forum guidelines!
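To make the class of bug described in the post above concrete, here is an added Perl example. It is not Authentic Theme's actual code and not part of the original thread (the real feature was removed rather than patched): a notification routine that interpolates user-supplied text into a backtick command line, beside a version that never hands that text to a shell. The function names, the sendmail path, the recipient validation pattern and the message layout are all assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example, not code from Authentic Theme or Webmin.
use strict;
use warnings;

# VULNERABLE PATTERN (the class of bug described in the thread): the
# user-controlled $note is interpolated into a backtick command line, so
# /bin/sh parses it. Any shell metacharacters in $note become part of the
# command rather than part of the message text. Kept only for contrast.
sub notify_unsafe {
    my ($to, $note) = @_;
    my $output = `echo "Login notice: $note" | /usr/sbin/sendmail $to`;
    return $output;
}

# HARDENED VERSION: no shell is involved at all. The recipient is checked
# against a strict allow-list pattern, sendmail is started with the list
# form of open() (arguments go straight to the program, never through
# /bin/sh), and the user text travels on stdin as message body, where it
# has no meaning to the shell or to sendmail's option parser.
sub notify_safe {
    my ($to, $note) = @_;
    $to =~ /\A[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/
        or die "refusing to send: recipient fails validation\n";
    # Drop control characters so the note cannot smuggle extra lines
    # (for instance a bare '.' line) into the message body.
    (my $clean = $note) =~ s/[\x00-\x1f\x7f]//g;
    # '-oi' tells sendmail not to treat a lone '.' line as end of input.
    open(my $mail, '|-', '/usr/sbin/sendmail', '-oi', $to)
        or die "cannot run sendmail: $!\n";
    print $mail "To: $to\n";
    print $mail "Subject: Webmin login notice\n";
    print $mail "\n";
    print $mail "Login notice: $clean\n";
    # close() on a pipe returns false when the child exits non-zero.
    close($mail) or die "sendmail exited with status ", $? >> 8, "\n";
    return 1;
}

# Usage (constructed input; the recipient is a placeholder address):
unless (caller) {
    my $note = 'new login from the web console';
    notify_safe('admin@example.com', $note);
    print "notification handed to sendmail without a shell\n";
}
```

The design point is that the fix is structural, not a blocklist of characters: once the command is built from fixed arguments and the untrusted text only ever flows through a data channel, there is nothing for a backtick, semicolon or pipe in the input to act on. Validation of the recipient is still needed because it does appear on the command line, so it is held to an allow-list rather than having bad characters stripped out.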
Thank you for the clarifications Joe.
From what you explain and what I could observe, I see several issues that helped this disaster.
All these issues were avoidable. The first 2 can happen in any dev process. The last one is a pure mess.
You have several forums, one on virtualmin.com, one on webmin using SourceForge forums (any other?). Several mailing lists, one on SourceForge (the update was not posted there!!!), one on webmin itself (other one?). It's a MESS!!!
Please bring some coherence to your communication channels to avoid future issues?
I have been a happy user and customer of Webmin, Cloudmin and Virtualmin for now almost 10 years and that won't change, but we absolutely need to avoid future fatal incidents like that one.
Best regards.
I'm not sure I understand what you're asking for with regard to 3? We posted to every communication channel we have. This included a mailing list, a forum, IRC, and Twitter; you'd only need to follow one of them. What else should we do?
To what mailing list did you post? I see this one https://sourceforge.net/p/webadmin/mailman/webadmin-announce/ but the announcement is not there, however the mailing list is active. Latest post is 2016-03-13 00:17:29 Webmin 1.790 released
There is the http://webmail.webmin.com/ mailing list (linked from http://www.webmin.com/community.html), but I have no idea what the required login is and how to obtain it.
Then there are the forums, https://sourceforge.net/p/webadmin/discussion/ (linked by http://www.webmin.com/community.html) and the Virtualmin forums (here).
That's what I call a mess. Which one to use for what? Which mailing list is the actual mailing list, which forum is the actual forum?
You're right, I should have also posted to the webmin-announce list. I'd forgotten it existed (Jamie usually does the announcements, but he was on a plane with very high latency network). I rarely post to any of the Webmin mailing lists these days (I'm kept too busy with Virtualmin stuff), so I am kinda out of the loop on those. That was a mistake on my part. We're working on making the Webmin release process accessible to people other than Jamie. Because of the circumstances of Jamie not having good connectivity, and more of the release process being left to me, things were weird this time around.
As for the sourceforge forum, I think that one probably needs to die. Nobody pays close attention to it, at all, and I'd also forgotten it existed (we were feeling pretty distressed). I'm not sure what we'd want to replace it with. I think I only look at that one maybe a couple times a year.
So, in short:
Where are you seeing a link to webmail.webmin.com? That's Jamie's Usermin install. Nobody has access to that except Jamie and his family. It's definitely not a way to get news about Webmin. ;-)
Anyway, we're in the middle of another audit and code review of Authentic theme, and we've been in the midst of an overhaul of Webmin (with some attention focused on security safeguards). Webmin has a pretty good security record (not flawless, but not bad for something so large and such a ripe target for abuse), but this was a rough wake up call about how themes interact with Webmin. It shouldn't be so easy for a simple coding error in a theme to poke a giant hole in Webmin itself. People making themes are more often designers first and coders second, and that can be a recipe for disaster in an administrative tool.
As I said, I am a happy Webmin/Cloudmin/Virtualmin user. Jamie has always been very quick to respond and fix bugs, and his dedication is unquestionable and is part of Webmin's quality.
However, it's very hard to have a single person responsible for such an important project, especially when so many people/companies depend on it. What if he is not here? He has the right to be on vacation, he can be sick or even worse...
Single incidents like that can undermine very much the credibility and confidence of your users/customers. Especially when the response to such an incident was unprepared and sorry to insist, pretty much amateurish.
I am sure you will put in place whatever is needed to fix it, especially to clarify and unify your communication channels.
About the forums, why just not use these forums?
For the "private" mailing list, it's linked several times here: http://www.webmin.com/community.html whenever a mailing list is mentioned.
I would suggest something even better - post it on your blog (with an RSS feed). That way would be great, fast and accurate. I mean, guys, you have a blog but you're not really using it. It would be really useful to point out what's included in a new update and why everyone should update. As it would be outside of the forums it wouldn't make a mess in the forums. RSS users would be notified as soon as you publish it. Easy.
Configuring/troubleshooting Debian servers is always great fun