A few days ago a new version of Webmin was released to mitigate a vulnerability identified as a backdoor (CVE-2019-15107), found in the official versions of the project distributed through Sourceforge.
The backdoor was present in versions 1.882 through 1.921 inclusive (the git repository contained no backdoored code) and allowed arbitrary shell commands to be executed remotely on the system with root privileges, without authentication.
About Webmin
For those unfamiliar with Webmin: it is a web-based control panel for managing Linux systems. It provides an intuitive, easy-to-use interface for managing your server. Recent versions of Webmin can also be installed and run on Windows systems.
With Webmin, you can change common package settings on the fly, including web servers and databases, as well as manage users, groups, and software packages.
Webmin lets the user view running processes and details about installed packages, manage system log files, edit network interface configuration files, add firewall rules, configure the time zone and system clock, add printers through CUPS, list installed Perl modules, configure SSH or a DHCP server, and manage DNS domain records.
Webmin 1.930 arrives to remove the backdoor
The new Webmin version 1.930 was released to address a remote code execution vulnerability. Exploit modules for this vulnerability are publicly available, which puts many UNIX management systems at risk.
The security advisory indicates that version 1.890 (CVE-2019-15231) is vulnerable in the default configuration, while the other affected versions require the "user password change" option to be enabled.
About the vulnerability
An attacker can send a malicious HTTP request to the password reset request form page to inject code and take over the Webmin web application. According to the vulnerability report, the attacker does not need a valid username or password to exploit this flaw.
The presence of this flaw means that the vulnerability may have existed in Webmin since July 2018.
The attack requires an open network port with Webmin and, in the web interface, an active function for changing an expired password (enabled by default in the 1.890 builds, but disabled in the other versions).
The problem was fixed in the 1.930 update.
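A triage check for the exposure conditions described above, as an added example that is not part of the original article or of Webmin's own code. It assumes the version string comes from /etc/webmin/version and that the expired-password change option corresponds to passwd_mode=2 in /etc/webmin/miniserv.conf; the function names and sample inputs are constructed.

```python
import re

# Affected range and the default-exploitable build, as stated in the article.
FIRST_BAD, LAST_BAD = (1, 882), (1, 921)
DEFAULT_EXPLOITABLE = (1, 890)


def parse_version(text):
    """Turn a Webmin version string such as '1.921' into a comparable tuple."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised Webmin version: {text!r}")
    return int(m.group(1)), int(m.group(2))


def password_change_enabled(miniserv_conf):
    """True when the config text sets passwd_mode=2 (assumed option name)."""
    mode = None
    for line in miniserv_conf.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "passwd_mode":
            mode = value.strip()  # assumption: a later assignment overrides
    return mode == "2"


def assess(version_text, miniserv_conf):
    """Classify one host; a version alone cannot tell a git build apart."""
    version = parse_version(version_text)
    if not (FIRST_BAD <= version <= LAST_BAD):
        return "not-in-affected-range"
    if version == DEFAULT_EXPLOITABLE:
        return "exposed-by-default"
    if password_change_enabled(miniserv_conf):
        return "exposed-option-enabled"
    # Still a release from the affected range: upgrade to 1.930 regardless.
    return "affected-build-option-disabled"


if __name__ == "__main__":
    # Constructed inventory: (host, version file content, miniserv.conf text).
    hosts = [
        ("web1", "1.890\n", "port=10000\n"),
        ("web2", "1.920\n", "port=10000\npasswd_mode=2\n"),
        ("web3", "1.910\n", "port=10000\n#passwd_mode=2\n"),
        ("web4", "1.930\n", "port=10000\npasswd_mode=2\n"),
    ]
    for name, ver, conf in hosts:
        print(name, ver.strip(), assess(ver, conf))
```

Any result other than "not-in-affected-range" means the host runs a release from the affected range and should be moved to 1.930.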
The problem was found in the password_change.cgi script, where the unix_crypt function is used to verify the old password entered in the web form; the password received from the user is passed to it without escaping special characters.
In the git repository, this function is a wrapper around the Crypt::UnixCrypt module and is not dangerous, but in the code archive provided on Sourceforge the code called accesses /etc/shadow directly, and does so through a shell construct.
To attack, simply specify the «|» symbol in the old password field, and the code that follows it will be executed with root privileges on the server.
According to a statement from the Webmin developers, the malicious code was substituted as a result of a compromise of the project's infrastructure.
Details have yet to be announced, so it is unclear whether the compromise was limited to a takeover of the Sourceforge account or whether it affected other elements of the build and development infrastructure.
The problem also affected the Usermin builds. All download files have now been rebuilt from Git.