Procmail-wrapper security update

Howdy all,

We’ve rolled out a new version of the procmail-wrapper package for all platforms due to a privilege escalation bug, where any authenticated shell user could provide their own environment to procmail via the wrapper, which allowed executing code as root. This package is used in the default mail configuration for all Virtualmin versions on all platforms.

Please upgrade immediately to version 1.1 (there are a couple of extra 1.1 releases in the Debian/Ubuntu repos, due to some 32 vs 64 bit compatibility issues in my initial couple of builds, so there’s a 1.1-3 version there, which is the one you want).

This update is especially important if you host any untrusted users on your Virtualmin systems, but even if you don’t, a privilege escalation bug is still high risk; it can make a user-level exploit, such as a buggy web application, much more dangerous.

Thanks to John Lightsey for responsibly reporting this bug and following up with confirmation of the fix.

Cheers,
Joe

4 Likes
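The bug class Joe describes, a setuid wrapper handing the caller's environment to a program it then runs as root, is avoided by construction in the following added example (my illustration, not the procmail-wrapper package's own code; the procmail path and the allowlisted variable names are assumptions):

```c
/* Added example, not code from procmail-wrapper: a setuid wrapper that never
 * forwards the caller's environment into the privileged process. */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define PROCMAIL_PATH "/usr/bin/procmail"   /* assumed location, not from the thread */

/* Only these names may exist in the environment handed to root, and each is
 * re-derived from trusted data (the passwd entry), never copied from the caller. */
static const char *const allowed[] = { "PATH", "HOME", "USER", "LOGNAME", NULL };

/* Return 1 when every "NAME=value" in envp uses an allowlisted NAME, else 0.
 * A wrapper can log and abort on 0 before exec as a last line of defence. */
int env_is_allowlisted(const char *const *envp) {
    for (; *envp; envp++) {
        const char *eq = strchr(*envp, '=');
        size_t n = eq ? (size_t)(eq - *envp) : strlen(*envp);
        int ok = 0;
        for (const char *const *a = allowed; *a; a++)
            if (strlen(*a) == n && strncmp(*a, *envp, n) == 0) { ok = 1; break; }
        if (!ok) return 0;
    }
    return 1;
}

/* Build a fixed environment from trusted values, ignoring environ entirely.
 * Writes up to 4 entries plus NULL into out; returns the count or -1 on error.
 * Uses static buffers, so it is meant to be called once per process. */
int build_clean_env(char *out[], size_t cap, const char *user, const char *home) {
    static char buf[4][512];
    const char *fmt[4] = { "PATH=%s", "HOME=%s", "USER=%s", "LOGNAME=%s" };
    const char *arg[4] = { "/usr/bin:/bin", home, user, user };
    if (cap < 5 || !user || !home) return -1;
    for (int i = 0; i < 4; i++) {
        int len = snprintf(buf[i], sizeof buf[i], fmt[i], arg[i]);
        if (len < 0 || (size_t)len >= sizeof buf[i]) return -1;   /* reject truncation */
        out[i] = buf[i];
    }
    out[4] = NULL;
    return 4;
}

int main(int argc, char **argv) {
    (void)argc;
    struct passwd *pw = getpwuid(getuid());   /* real uid: the caller, not root */
    char *env[5];
    if (!pw || build_clean_env(env, 5, pw->pw_name, pw->pw_dir) < 0) return 1;
    /* Arguments are still caller-controlled; a real wrapper validates them too. */
    execve(PROCMAIL_PATH, argv, env);
    perror("execve");
    return 1;
}
```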

I’m currently running Virtualmin 6.17 on CentOS 7 with auto update - is there anything needed to do to upgrade procmail-wrapper specifically, or do I just need to make sure everything is up to date via yum?

Installed Packages
Name : procmail-wrapper
Arch : x86_64
Version : 1.1
Release : 1.vm
Size : 8.5 k
Repo : installed
From repo : virtualmin

Looks OK to me?

Yep, that's how it works.

We distribute all software via the native package manager of your OS. So, RPM/yum (or dnf) on CentOS/RHEL and dpkg/apt on Debian/Ubuntu. Updating is the same as updating your OS.
