Howdy all,
As mentioned in http://www.virtualmin.com/node/10412 Filip Palian brought a symlink-related security issue in Virtualmin to our attention, and Jamie has rewritten all similar file actions in all Virtualmin plugins to operate as the virtual server owner to make this type of attack impossible. The following module/versions include those changes, and these modules should be upgraded immediately:
- virtualmin-htpasswd/2.1
- virtualmin-google-analytics/2.4
- virtualmin-svn/4.4
- virtualmin-dav/3.1
- virtualmin-mailman/5.6
- virtualmin-mailrelay/1.5
- virtualmin-awstats/4.2
The Virtualmin themes (virtual-server-theme and virtual-server mobile) have also been updated with new versions, though these are not security releases.
Please let us know if you run into any problems by filing a ticket in the issue tracker.