Security warning: roundcube 0.1

#1 Mon, 02/23/2009 - 13:03
tbirnseth

The "current" version listed in Virtualmin for the Roundcube mail reader is not really current (0.1). There is an update (0.2-stable-dep) which addresses a security hole in 0.1 which enabled an attack by a flooding hacker.

I have upgraded to the 'unsupported version' for roundcube listed above. Previously, I had two attacks which caused my ISP to shutdown my bandwidth until addressed. Since upgrade last week, I've had no further problems.

If you use roundcube, I would strongly suggest the upgrade. Especially if you use roundcube from within an application. Hopefully the version will be updated in a newer version of Virtualmin.

Mon, 02/23/2009 - 13:05
andreychek

It sounds like you might be using an older version of Virtualmin, as the current version natively supports version 0.2 of RoundCube.
-Eric

Mon, 02/23/2009 - 13:21 (Reply to #2)
tbirnseth

Hi Eric,

Here's what I have (from System Information screen):
Virtualmin version 3.64 Pro

Package updates All Virtualmin packages are up to date.

If I'm not up to date, then VM doesn't know it.

Mon, 02/23/2009 - 13:23 (Reply to #3)
andreychek

Yeah, there have been two releases since then.

Does it show up if you try to do a package update from the command line -- for example, "yum update" on RHEL/CentOS, or "apt-get update && apt-get upgrade" on Debian/Ubuntu?
-Eric

Mon, 02/23/2009 - 13:28 (Reply to #4)
tbirnseth

Nope... "yum update" seems to get everything else, though, on my test server:

================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
kernel i686 2.6.26.8-57.fc8 updates-newkey 18 M
kernel-devel i686 2.6.26.8-57.fc8 updates-newkey 5.3 M
Updating:
ImageMagick i386 6.3.5.10-1.fc8 updates-newkey 4.0 M
NetworkManager i386 1:0.7.0-0.12.svn4326.fc8 updates-newkey 934 k
NetworkManager-glib i386 1:0.7.0-0.12.svn4326.fc8 updates-newkey 167 k
NetworkManager-gnome i386 1:0.7.0-0.12.svn4326.fc8 updates-newkey 362 k
anacron i386 2.3-58.fc8 updates-newkey 39 k
autofs i386 1:5.0.2-31 updates-newkey 865 k
bluez-utils i386 3.35-5.fc8 updates-newkey 469 k
bluez-utils-alsa i386 3.35-5.fc8 updates-newkey 34 k
bluez-utils-cups i386 3.35-5.fc8 updates-newkey 29 k
cups i386 1:1.3.9-2.fc8 updates-newkey 3.5 M
cups-libs i386 1:1.3.9-2.fc8 updates-newkey 197 k
curl i386 7.18.2-7.fc8 updates-newkey 293 k
curl-devel i386 7.18.2-7.fc8 updates-newkey 218 k
db4 i386 4.6.21-3.fc8 updates-newkey 587 k
db4-cxx i386 4.6.21-3.fc8 updates-newkey 618 k
db4-devel i386 4.6.21-3.fc8 updates-newkey 7.6 M
e2fsprogs i386 1.40.4-3.fc8 updates-newkey 610 k
e2fsprogs-devel i386 1.40.4-3.fc8 updates-newkey 644 k
e2fsprogs-libs i386 1.40.4-3.fc8 updates-newkey 138 k
elfutils i386 0.137-3.fc8 updates-newkey 226 k
elfutils-libelf i386 0.137-3.fc8 updates-newkey 58 k
elfutils-libelf-devel i386 0.137-3.fc8 updates-newkey 24 k
elfutils-libs i386 0.137-3.fc8 updates-newkey 193 k
enscript i386 1.6.4-9.fc8 updates-newkey 465 k
firefox i386 2.0.0.19-1.fc8 updates-newkey 21 M
freetype i386 2.3.5-5.fc8 updates-newkey 331 k
gnome-python2-extras i386 2.19.1-20.fc8 updates-newkey 50 k
gnome-python2-gtkhtml2 i386 2.19.1-20.fc8 updates-newkey 18 k
gnome-python2-libegg i386 2.19.1-20.fc8 updates-newkey 56 k
gnutls i386 1.6.3-5.fc8 updates-newkey 397 k
gnutls-devel i386 1.6.3-5.fc8 updates-newkey 948 k
iproute i386 2.6.26-2.fc8 updates-newkey 843 k
kernel-headers i386 2.6.26.8-57.fc8 updates-newkey 753 k
libc-client i386 2007d-1.fc8 updates-newkey 670 k
libglade2 i386 2.6.2-4.fc8 updates-newkey 64 k
libgnomecanvas i386 2.20.1-3.fc8 updates-newkey 228 k
libnfnetlink i386 0.0.39-3.fc8 updates-newkey 23 k
libpng i386 2:1.2.33-1.fc8 updates-newkey 249 k
libpurple i386 2.5.2-1.fc8 updates-newkey 7.2 M
libsmbclient i386 3.0.33-0.fc8 updates-newkey 897 k
libxml2 i386 2.7.2-2.fc8 updates-newkey 828 k
libxml2-devel i386 2.7.2-2.fc8 updates-newkey 1.3 M
libxml2-python i386 2.7.2-2.fc8 updates-newkey 405 k
logwatch noarch 7.3.6-22.fc8 updates-newkey 319 k
net-snmp i386 1:5.4.1-8.fc8 updates-newkey 699 k
net-snmp-libs i386 1:5.4.1-8.fc8 updates-newkey 1.2 M
nspr i386 4.7.3-1.fc8 updates-newkey 119 k
nspr-devel i386 4.7.3-1.fc8 updates-newkey 112 k
nss i386 3.12.2.0-1.1.fc8 updates-newkey 1.2 M
nss-devel i386 3.12.2.0-1.1.fc8 updates-newkey 226 k
nss-tools i386 3.12.2.0-1.1.fc8 updates-newkey 1.2 M
nss_compat_ossl i386 0.9.4-2.fc8 updates-newkey 44 k
ntfs-3g i386 2:1.5012-4.fc8 updates-newkey 192 k
paps i386 0.6.8-8.fc8 updates-newkey 32 k
paps-libs i386 0.6.8-8.fc8 updates-newkey 23 k
perl-IO-Socket-SSL noarch 1.18-1.fc8 updates-newkey 65 k
php-Smarty noarch 2.6.20-2.fc8 updates-newkey 176 k
pidgin i386 2.5.2-1.fc8 updates-newkey 1.2 M
postgresql-libs i386 8.2.11-1.fc8 updates-newkey 198 k
python-genshi i386 0.5.1-1.fc8 updates-newkey 509 k
ql23xx-firmware noarch 3.03.27-1.fc8 updates-newkey 140 k
ql2400-firmware noarch 4.04.05-1.fc8 updates-newkey 188 k
samba i386 3.0.33-0.fc8 updates-newkey 2.8 M
samba-client i386 3.0.33-0.fc8 updates-newkey 4.5 M
samba-common i386 3.0.33-0.fc8 updates-newkey 7.2 M
selinux-policy-targeted noarch 3.0.8-127.fc8 updates-newkey 1.7 M
smolt noarch 1.1.1.1-8.fc8 updates-newkey 243 k
smolt-firstboot noarch 1.1.1.1-8.fc8 updates-newkey 14 k
squid i386 7:2.6.STABLE22-1.fc8 updates-newkey 1.4 M
systemtap i386 0.8-1.fc8 updates-newkey 1.2 M
systemtap-runtime i386 0.8-1.fc8 updates-newkey 52 k
vixie-cron i386 4:4.2-9.fc8 updates-newkey 99 k
xterm i386 238-1.fc8 updates-newkey 361 k
yelp i386 2.20.0-15.fc8 updates-newkey 711 k
yum noarch 3.2.20-5.fc8 updates-newkey 836 k
Removing:
kernel i686 2.6.23.1-42.fc8 installed 45 M
kernel-devel i686 2.6.23.1-42.fc8 installed 31 M
Installing for dependencies:
perl-Net-LibIDN i386 0.10-1.fc8 updates-newkey 35 k

Transaction Summary
================================================================================

Mon, 02/23/2009 - 13:30 (Reply to #5)
tbirnseth

And specifically:
[root@linux1 named]# yum update virtualmin
Setting up Update Process
No Packages marked for Update
[root@linux1 named]# yum update webmin
Setting up Update Process
No Packages marked for Update
[root@linux1 named]#

Mon, 02/23/2009 - 13:38 (Reply to #6)
andreychek

The Virtualmin package is named virtual-server, but I suspect that wouldn't be there either based on what you've shown.

If you look in /etc/yum.repos.d/, do you see a Virtualmin repo listed in there? If so, can you post it (minus your license/serial numbers)?
-Eric

Mon, 02/23/2009 - 13:49 (Reply to #7)
tbirnseth

On my test system I have a virtualmin.repo.rpmsave but no virtualmin.repo.
On my production system I do have a virtualmin.repo.

Not sure which numbers are license info, so I zapped a couple of things with 'XXXXX' and 'xxxx'.

Production System (virtualmin.repo):
[virtualmin]
name=Red Hat Enterprise $releasever - $basearch - Virtualmin
baseurl=http://XXXXXX:xxxxxLNKP@software.virtualmin.com/rhel/$releasever/$basearch/
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-virtualmin
gpgcheck=1

[virtualmin-universal]
name=Virtualmin Distribution Neutral
baseurl=http://XXXXXX:xxxxLNKP@software.virtualmin.com/universal/
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-virtualmin
gpgcheck=1
includepkgs=webmin

Test System (virtualmin.repo.rpmsave):

Contents of the virtualmin.repo.rpmsave are:
[virtualmin]
name=Fedora Core $releasever - $basearch - Virtualmin
baseurl=http://XXXXXX:xxxxLNKP@software.virtualmin.com/fedora/$releasever/$basearch/
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-virtualmin
gpgcheck=1

[virtualmin-universal]
name=Fedora Core $releasever - $basearch - Virtualmin Distribution Neutral
baseurl=http://XXXXX:xxxxLNKP@software.virtualmin.com/universal/
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-virtualmin
gpgcheck=1

Mon, 02/23/2009 - 13:54 (Reply to #8)
andreychek

Yeah, your test system not having a virtualmin.repo file explains why running yum update on it doesn't show any available updates -- if you run "yum update" on your production system, does it show any Virtualmin updates?

As far as the test system goes, you may want to rename virtualmin.repo.rpmsave to virtualmin.repo.
-Eric

Mon, 02/23/2009 - 14:05 (Reply to #9)
tbirnseth

Here's info from the production server. It doesn't see anything new either.

[root@ezms1 postfix]# yum update virtual-server
Loaded plugins: downloadonly, rhnplugin, security
Excluding Packages in global exclude list
Finished
Reducing Virtualmin Distribution Neutral to included packages only
Finished
Skipping security plugin, no data
Setting up Update Process
No Packages marked for Update

Mon, 02/23/2009 - 14:08 (Reply to #10)
andreychek

On your production server, what does this show:

rpm -qa | grep virtual-server

Mon, 02/23/2009 - 14:15 (Reply to #11)
tbirnseth

Production server shows:

[root@ezms1 postfix]# rpm -qa | grep virtual-server
ust-virtual-server-theme-6.5-1
wbt-virtual-server-mobile-1.9-1
wbt-virtual-server-theme-6.5-2
wbm-virtual-server-3.64-2
[root@ezms1 postfix]#

Mon, 02/23/2009 - 14:25 (Reply to #12)
andreychek

Okay, so try typing:

yum install wbm-virtual-server

On your production box.
-Eric

Mon, 02/23/2009 - 14:34 (Reply to #13)
tbirnseth

Sigh... I feel like such a bother. Seems like VM should know when it's current or not. It used to notify me until the exclude was put into Rackspace's local repository to exclude webmin, since their version is crippled for VM. Here's the result:

[root@ezms1 postfix]# yum install wbm-virtual-server
Loaded plugins: downloadonly, rhnplugin, security
Excluding Packages in global exclude list
Finished
Reducing Virtualmin Distribution Neutral to included packages only
Finished
Setting up Install Process
Parsing package install arguments
Package 2:wbm-virtual-server-3.64-2.noarch installed and not available
Nothing to do

Mon, 02/23/2009 - 14:40 (Reply to #14)
andreychek

Okay, can you email me a copy of your production virtualmin.repo file?

I want to verify that the license and serial # are working properly -- if something went awry with them, that might cause the issues you're seeing.

You can email it to eric@virtualmin.com -- if you can, include a link to this forum thread in the message body.

Thanks,
-Eric

Mon, 02/23/2009 - 17:12 (Reply to #15)
andreychek

Tony and I have been working on this via email -- there was a line in the repo file that was causing trouble:

includepkgs=webmin

Removing that resolved the problem on his production box.

The test box seems to have different issues with dependency checking that we're working out.
-Eric
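The fix above is worth understanding, because the symptom ("installed and not available") looks like a licensing or repo-auth failure when it is really a filter: yum's includepkgs makes a repository offer only the packages listed, so with includepkgs=webmin the virtualmin-universal repo could never provide a newer wbm-virtual-server. The script below is an added example, not code from the thread or from Virtualmin. It parses a .repo file, reproduces the includepkgs/exclude filtering (yum treats both as glob lists), and also flags two things a practitioner would want to check in the repo file as posted: license credentials embedded in baseurl and a plain-http baseurl. The sample repo text is modelled on the production file quoted earlier, with the same redaction placeholders; UNIVERSAL_PKGS is a constructed list standing in for repo metadata, not an inventory of the real software.virtualmin.com repository.

```python
"""Yum .repo file checks: includepkgs/exclude visibility, credentials in URLs,
transport and signature settings.  Added example, not Virtualmin's code."""
import configparser
import fnmatch
from urllib.parse import urlsplit

# Constructed sample modelled on the production virtualmin.repo posted in the
# thread; the credential placeholders are as the poster redacted them.
SAMPLE_REPO = """\
[virtualmin]
name=Red Hat Enterprise $releasever - $basearch - Virtualmin
baseurl=http://XXXXXX:xxxxxLNKP@software.virtualmin.com/rhel/$releasever/$basearch/
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-virtualmin
gpgcheck=1

[virtualmin-universal]
name=Virtualmin Distribution Neutral
baseurl=http://XXXXXX:xxxxLNKP@software.virtualmin.com/universal/
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-virtualmin
gpgcheck=1
includepkgs=webmin
"""

# Constructed package names standing in for repo metadata (assumption: NOT the
# real contents of the virtualmin-universal repository).
UNIVERSAL_PKGS = ["webmin", "usermin", "wbm-virtual-server", "wbt-virtual-server-theme"]


def parse_repo(text):
    """Return {section: {key: value}} for a yum .repo file."""
    cp = configparser.ConfigParser(interpolation=None)  # keep $releasever literal
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def _globs(value):
    """yum's includepkgs/exclude values are whitespace-separated glob lists."""
    return value.split() if value else []


def visible_packages(section, available, global_exclude=""):
    """Packages yum would offer from one repo section, after applying the
    repo's includepkgs (whitelist) and exclude plus the [main] exclude list."""
    include = _globs(section.get("includepkgs", ""))
    exclude = _globs(section.get("exclude", "")) + _globs(global_exclude)
    visible = set()
    for pkg in available:
        # includepkgs present: only packages matching one of its globs survive
        if include and not any(fnmatch.fnmatch(pkg, g) for g in include):
            continue
        if any(fnmatch.fnmatch(pkg, g) for g in exclude):
            continue
        visible.add(pkg)
    return visible


def audit_repo(text, available_by_section, global_exclude=""):
    """Return (section, finding) tuples for every enabled repo section."""
    findings = []
    for name, sec in parse_repo(text).items():
        if sec.get("enabled", "1") != "1":
            continue
        url = urlsplit(sec.get("baseurl", ""))
        if url.username or url.password:
            findings.append((name, "credentials embedded in baseurl"))
        if url.scheme == "http":
            findings.append((name, "baseurl is plain http"))
        if sec.get("gpgcheck") != "1" or not sec.get("gpgkey"):
            findings.append((name, "packages are not signature-checked"))
        available = available_by_section.get(name, [])
        hidden = set(available) - visible_packages(sec, available, global_exclude)
        for pkg in sorted(hidden):
            findings.append((name, f"{pkg} hidden by includepkgs/exclude"))
    return findings


if __name__ == "__main__":
    for section, finding in audit_repo(SAMPLE_REPO, {"virtualmin-universal": UNIVERSAL_PKGS}):
        print(f"[{section}] {finding}")
```

Run against the sample, the universal section reports usermin, wbm-virtual-server and wbt-virtual-server-theme as hidden, which is exactly why "yum install wbm-virtual-server" answered "installed and not available"; deleting the includepkgs line makes them visible again, while a global exclude=webmin (the Rackspace setup mentioned above) would hide only webmin. Both sections also get flagged for carrying the license credentials inside an http:// baseurl; whether an https mirror was offered at the time is not something the thread says, but credentials in a URL are logged by proxies and readable on the wire, so it is worth asking the vendor. gpgcheck=1 with a gpgkey is present in both sections and produces no finding.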

Mon, 02/23/2009 - 18:20 (Reply to #16)
andreychek

The trouble with the test server dependencies was resolved by uninstalling Usermin and the related themes, clearing all the yum cache (yum clean all), and reinstalling the latest Usermin and theme packages.
-Eric
