Webmin version 1.800 released

17 posts / 0 new
Last post
#1 Wed, 05/25/2016 - 20:27
Joe's picture

Webmin version 1.800 released

Howdy all,

I've just rolled out version 1.800 of Webmin to all repositories. This includes a security fix for Authentic Theme, so we recommend updating immediately. If you cannot update Webmin at this time, switch the Webmin theme to Virtualmin Framed Theme (you can do that in Webmin->Webmin->Webmin Configuration->Webmin Themes; doing it in the per-user theme configuration will not mitigate this issue).

There are other changes in 1.800, but changelog will follow later. Security updates kinda take precedence over everything else.



Thu, 05/26/2016 - 01:37

Just upgraded and now getting

HTTP/1.0 500 Perl execution failed Server: MiniServ/1.800 Date: Thu, 26 May 2016 06:32:39 GMT Content-type: text/html; Charset=iso-8859-1 Connection: close Error - Perl execution failed

Can't locate auto/Net/SSLeay/set_tlsext_.al in @INC (@INC contains:

CentOS 6.7 Latest Virtualmin/Webmin and Authentic Theme

Thu, 05/26/2016 - 02:42


COMPATIBILITY: not available in Net-SSLeay-1.45 and before; requires at least openssl-0.9.8f

Thu, 05/26/2016 - 02:50

updated Net::SSLeay using: cpan > install Net::SSLeay

restarted webmin and all ok again

Thu, 05/26/2016 - 04:13

Same error here after update of server to WebMin1.80 (Ubuntu Server 12.04 with latest Virtualmin/Webmin and Authentic Theme). Issue not gone away after reboot - initial log-in shows "wait" animation continuously. On coming back to the status (home) screen am seeing the same error message as described by CollinSchwagele.

Thu, 05/26/2016 - 11:56

I'm not using Authentic theme and only tried it before on this particular server but didn't like it so not sure if this is related but now after updating I'm getting spammed with these emails now:

Can't locate auto/Net/SSLeay/set_tlsext_.al in @INC (@INC contains: /usr/libexec/webmin /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 . ..) at ../web-lib-funcs.pl line 7350  ...propagated at http-monitor.pl line 67.

When I go into Webmin into Perl Modules and try to install Net::SSLeay via Cpan it seems like it tries to install the yum package which is apparently already installed.

Thu, 05/26/2016 - 11:59


There's a report about that issue here:


For anyone seeing this issue, and also comfortable with a text editor, could you try this patch here and let us know if this helps:


We'll likely be pushing out a new Webmin release here soon with that fix.


Thu, 05/26/2016 - 12:52

Thank you =)

Thu, 05/26/2016 - 18:31

It worked as expected (like a charm).

Thank U, guys,

Gaetano Dentamaro
President, CEO WOW SpA - http://wow.pe/
+39 340-2417.728 Skype: bittertooth
That government is best which governs least.
Henry David Thoreau

Sat, 05/28/2016 - 16:53

We got hacked though webmin because we were not alerted of the latest security issue.

Please explain what was exactly fixed and how the security issue was exploited. Full disclosure please.

Sun, 05/29/2016 - 23:01 (Reply to #10)
Joe's picture

Sorry you got bit by this one. It caught us by surprise, as well; and it is the worst vulnerability to ship in a Webmin package in many years. Luckily, it only effected a couple of devel releases; unfortunately, we'd uncharacteristically rolled those releases into the Virtualmin repos because of unrelated changes.

We did everything we could to resolve it quickly and to let everyone know they needed to update; Jamie bought satellite Internet while flying over the Atlantic in order to be able to roll it out. We posted to every communication method we could think of for notifying folks of updates (Twitter @virtualmin, IRC #virtualmin, here in the news forum, the Webmin mailing list, and on a post on Low End Talk that was discussing the issue). And, of course, it would have shown up in your available updates within Virtualmin. From the time I learned of the issue to it rolling into the repositories was around three hours (much of that was figuring out how to reach Jamie to get a new Webmin rolled).

So, it's earlier than I wanted to discuss the details of the problem; but we always try to practice responsible disclosure in a timely manner. We'll post a proper security notice about it soon, but I guess folks who are paying attention have already updated, and people who aren't paying attention are already in trouble.

In short: Authentic theme, as included in two Webmin devel releases (1.794 and 1.795) failed to properly sanitize user input, allowing arbitrary code execution on unauthenticated requests. There was a recently added feature in the theme (specifically a login notifications feature); it was added since we last audited Authentic Theme for security. It did not ship with any Webmin stable release, but because it happened to coincide with several updates for Let's Encrypt support and Ubuntu 16.04 bug fixes. we had rolled these devel versions into the Virtualmin repos. The feature in question accept user-provided data for inclusion in the email notification, which allowed code execution through use of shell backticks.

Our resolution has been to remove that feature entirely from the theme (it belongs in the User module, anyway). We are also in the midst of a more thorough code review of Authentic Theme.


Check out the forum guidelines!

Mon, 05/30/2016 - 03:04 (Reply to #11)

Thank you for the clarifications Joe.

From what you explain and what I could observe, I see several issues that helped this disaster.

  1. Severe "beginners" bug to critical part of code
  2. Adding not fully tested code to release
  3. Not clear communication channels to alert your users

All these issues were avoidable. The first 2 can happen in any dev process. The last one is a pure mess.

You have several forums, one on virtualmin.com, one on webmin using source forge forums (any other?). Several mailing lists, one on source forge (the update was not posted there!!!), one on webmin itself (other one?). Its a MESS!!!

Please bring some coherence to your communication channels to avoid future issues?

I have been a happy user and customer of Webmin, Cloudmin and Virtualmin for now almost 10 years and that won't change, but we need absolutely avoid future fatal incidents like that one.

Best regards.

Mon, 05/30/2016 - 19:10 (Reply to #12)
Joe's picture

I'm not sure I understand what you're asking for with regard to 3? We posted to every communication channel we have. This included a mailing list, a forum, IRC, and twitter; you'd only need to follow one of them. What else should we do?


Check out the forum guidelines!

Tue, 05/31/2016 - 02:27 (Reply to #13)

To what mailing list did you post? I see this one https://sourceforge.net/p/webadmin/mailman/webadmin-announce/ but the announcement is not there, however the mailing list is active. Latest post is 2016-03-13 00:17:29 Webmin 1.790 released

There is http://webmail.webmin.com/ mailing list (link from http://www.webmin.com/community.html), but have no idea what is the required login and how to obtain it.

Then there are the forums, https://sourceforge.net/p/webadmin/discussion/ linked by http://www.webmin.com/community.html) and virtualmin forms (here).

Thats what I call mess. Which one to use for what? Which mailing list is the actual mailing list, which forum is the actual forum?

Tue, 05/31/2016 - 20:04 (Reply to #14)
Joe's picture

You're right, I should have also posted to the webmin-announce list. I'd forgotten it existed (Jamie usually does the announcements, but he was on a plane with very high latency network). I rarely post to any of the Webmin mailing lists these days (I'm kept too busy with Virtualmin stuff), so I am kinda out of the loop on those. That was a mistake on my part. We're working on making the Webmin release process accessible to people other than Jamie. Because of the circumstances of Jamie not having good connectivity, and more of the release process being left to me, things were weird this time around.

As for the sourceforge forum, I think that one probably needs to die. Nobody pays close attention to it, at all, and I'd also forgotten it existed (we were feeling pretty distressed). I'm not sure what we'd want to replace it with. I think I only look at that one maybe a couple times a year.

So, in short:

  • webmin-announce should have gotten a message at the same time. I forgot about it.
  • SourceForge forums are unmaintained, generally speaking, and I might ask Jamie to remove that link (though he'll probably want a good alternative before doing so, and I don't know what that alternative might be. But, you shouldn't go there expecting news about Webmin; it is maybe useful for asking questions, but our Webmin forum here is much more active for that.
  • This issue primarily effected Virtualmin users, because it was not an official Webmin release (it was a development release, that unfortunately went out Virtualmin users because of new features and bugfixes). So, my focus was on notifying Virtualmin users. This forum is the right one for news about Virtualmin. It is possible to subscribe to emails from just this specific "News" forum. But, perhaps we also need a virtualmin-announce or virtualmin-security mailing list (but that means we have even more sources for information).

Where are you seeing a link to webmail.webmin.com? That's Jamie's Usermin install. Nobody has access to that except Jamie and his family. It's definitely not a way to get news about Webmin. ;-)

Anyway, we're in the middle of another audit and code review of Authentic theme, and we've been in the midst of an overhaul of Webmin (with some attention focused on security safeguards). Webmin has a pretty good security record (not flawless, but not bad for something so large and such a ripe target for abuse), but this was a rough wake up call about how themes interact with Webmin. It shouldn't be so easy for a simple coding error in a theme to poke a giant hole in Webmin itself. People making themes are more often designers first and coders second, and that can be a recipe for disaster in an administrative tool.


Check out the forum guidelines!

Wed, 06/01/2016 - 05:51 (Reply to #15)

As I said I am happy webmin/cloudmin/virtualmin users. Jamie has always been very quick to respond and fix bugs and his dedication is unquestionable and its part of Webmin quality.

However, Its very hard to have single person responsible for such important project, especially when so many people/companies depend from it. What if he is not here. He has the right to be on vacation, he can be sick or even worst...

Single incidents like that can undermine very much the credibility and confidence of your users/customers. Especially when the response to such an incident was unprepared and sorry to insist, pretty much amateurish.

I am sure you will put in place whatever is needed to fix it, especially to clarify and unify your communication channels.

About the forums, why just not use these forums?

For the "private" mailing list its linked several times here: http://www.webmin.com/community.html whenever mailing list is mentioned.

Sat, 06/04/2016 - 11:11
unborn's picture

I would suggest even better - post it on your blog (with rss function) - that way would be great, fast and accurate. I mean guys you have a blog but you not really using it. It would be really useful to point whats include new update and why everyone should update. As it would be outside of forums it wouldnt make it mess in forums..rss users would be notified asap as you publish it.. easy..

Configuring/troubleshooting Debian servers is always great fun

Topic locked