I’ve rolled out Webmin version 1.930 and Usermin version 1.780 for all repositories. This release includes several security fixes, including one potentially serious one caused by malicious code inserted into Webmin and Usermin at some point on our build infrastructure. We’re still investigating how and when, but the exploitable code has never existed in our GitHub repositories, so we’ve rebuilt from git source on new infrastructure (and checked to be sure the result does not contain the malicious code).
I don’t have a changelog for these releases yet, but I wanted to announce them immediately due to the severity of this issue. To exploit the malicious code, your Webmin installation must have Webmin -> Webmin Configuration -> Authentication -> Password expiry policy set to "Prompt users with expired passwords to enter a new one". This option is not set by default, but if it is set, it allows remote code execution.
This release addresses CVE-2019-15107, which was disclosed earlier today. We received no advance notification of it, which is unusual and unethical on the part of the researcher who discovered it. But, in such cases there’s nothing we can do but fix it ASAP.
It also addresses a handful of XSS issues that we were notified about, and a bounty was awarded to the researcher (a different one) who found them. (So, if you’re a security researcher and responsibly disclose your findings, feel free to hit us up with anything you find. We pay.)
Anyway, we’re all a little grumpy, as we needed to drop everything and sort out what happened, figure out how to fix it, and get new releases rolled out immediately. But, the packages in our repos fix it, and also include theme updates and some other new stuff (changelog coming soon). But, you definitely need to update if you use that feature. As far as we know the malicious code is not exploitable if you aren’t using that option, but there are some unrelated XSS issues in Authentic theme that are also fixed, so no reason not to upgrade right away, even if the more serious one doesn’t affect you.
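
For admins triaging a fleet, here is a small check for the condition described above (installed version older than 1.930 together with the "Prompt users with expired passwords" policy). It is an added example, not part of the original announcement or of Webmin itself. It assumes the default config directory /etc/webmin, and that the policy is stored in miniserv.conf as passwd_mode, with 2 meaning the prompt option; neither detail is stated in the post.

```python
import os
import re

FIXED_VERSION = (1, 930)   # Webmin release named in the announcement
PROMPT_MODE = "2"          # assumption: passwd_mode=2 is the "prompt" policy
CONF_DIR = "/etc/webmin"   # assumption: default Webmin config directory

def parse_miniserv(text):
    """Parse key=value lines of a miniserv.conf-style file into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def parse_version(text):
    """Turn a version string such as '1.920' into a comparable tuple (1, 920)."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError("no version number found in %r" % text)
    return tuple(int(p) for p in parts)

def assess(version_text, miniserv_text):
    """Return 'upgrade-now', 'upgrade' or 'ok' for one installation."""
    outdated = parse_version(version_text) < FIXED_VERSION
    # The option is not set by default, so a missing key is not prompt mode.
    prompting = parse_miniserv(miniserv_text).get("passwd_mode") == PROMPT_MODE
    if outdated and prompting:
        return "upgrade-now"   # the remote-code-execution condition applies
    if outdated:
        return "upgrade"       # still missing the XSS fixes
    return "ok"

# Constructed sample inputs (not taken from a real host).
SAMPLE_CONF_PROMPT = "port=10000\nssl=1\npasswd_mode=2\n"
SAMPLE_CONF_DEFAULT = "port=10000\nssl=1\n"

if __name__ == "__main__":
    vfile = os.path.join(CONF_DIR, "version")
    cfile = os.path.join(CONF_DIR, "miniserv.conf")
    if os.path.exists(vfile) and os.path.exists(cfile):
        with open(vfile) as v, open(cfile) as c:
            print(assess(v.read(), c.read()))
    else:
        print("sample:", assess("1.920\n", SAMPLE_CONF_PROMPT))
```

An "ok" result only means the installed version is at or past 1.930; it says nothing about whether a host was reached while it ran an older build.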