From patchwork Tue Oct 14 13:28:21 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 72250 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 49765CCD184 for ; Tue, 14 Oct 2025 13:28:30 +0000 (UTC) Received: from mail-wm1-f51.google.com (mail-wm1-f51.google.com [209.85.128.51]) by mx.groups.io with SMTP id smtpd.web11.16366.1760448508510996735 for ; Tue, 14 Oct 2025 06:28:28 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=RD3vFmVs; spf=pass (domain: gmail.com, ip: 209.85.128.51, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f51.google.com with SMTP id 5b1f17b1804b1-46e61ebddd6so57686885e9.0 for ; Tue, 14 Oct 2025 06:28:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1760448507; x=1761053307; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:from:to:cc:subject:date:message-id:reply-to; bh=nJapQa1jEB8aaVyi29nUVADpCERfvJM1ESpR9qP6kI8=; b=RD3vFmVsLSPjJgB9v0qSYMC3/o9ulGv9rl1ZP4CBaSWDC5TGcSg2lIJZOiXo8uw32c K0XtUMmu0PgexgYaL6Z+2PA0WmKOk68ihGvq79eiVljd5Qg2Bgpk95FypVkZzL6cDVwl KadagBAdgiX+VWgnG3TppvagdEwCKvea8vka3xLLzgodoU9umQ+m0oMe+TlnnMTKFO5f EbA0enSXNmUygo8g/DPB/fDFPDPjW52tF10nD6pkPLcqX1MHIE1qC/crtUZzpwdtAhRJ zkDCL3HTqyBOdSbTyHVV4Hs66q8IOB9S81tzxr+EG0Kixfewq3KlgMqvUmlQ2Pn1ez3g 5jFA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760448507; x=1761053307; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=nJapQa1jEB8aaVyi29nUVADpCERfvJM1ESpR9qP6kI8=; b=TVdFy2KQTkSKqSwmkkalW4olqOaQzc0U4a65maHK4GXmpOlDbAQ6Cv/Z78pd/rdxyR WjJR6UY8gtdcjti+2+WRGxiklZwXw+4ZD0tO7SB255Bqov2P7XieueLo/tMfxqB5IhwI AqEm+yuEhp1KY6KiC/xZbV0ST1KsXzpwyrZOQM/g3eEGAHJgBCVacWHHPUQ+T/0b4q0a rP9raJNbjhnEt6HaKacFLBXeMj83pqy6CXFzwJ4tMT6nHz7/f3U7b/vR309K8VCuwkui wSKa0xvd1U6A2D3kPvuTcZgpSp7v5twauFGovLaVzIU+Cmj+C8cNEZ18Zqgc69yRSqjL bQ2w== X-Gm-Message-State: AOJu0YyALY0XDw7Om1OY8kmaHOH4BEv2choRYcMCpzrHo4YXZJTPXaMq 2j9qMYaeBr7YBTyvRGSrBqypVmv8cpp/JrcwzwKpz0Rgd5DfcLc2CgWtTKR11g== X-Gm-Gg: ASbGncu08lz6Gqa1YIrX5UqSXCO0/lQZxSFh2eLD/980qLK/a9SASLDY0/5pvztLwjs YaJohdV50i+E7zbGYTZKxkD3BbxqJt+clvHsaBPikoH8P8ahYytXqMs+1S6C5mzZzW6Hn4iRXg3 C4vR4YQmgvBWsqD5ACtfyYTAR8KeBZ/KmiF9p8yG4VLaQe/eVpZEjlbL5sDQMzSVec2wK958HmL PzSH87AkrM858Bu7DiPMeyICsXsnxrq7+Co0lTZ503gBLoRaFLlfAP8FxYcDOmD1H31ETEXi1CC 5LEAe80G9iUm1sFPFhu8RicShIcbwCtkGTSiQCextniHQ3c+xkE5y6s4ofLIgLGluaVx9rVCxPH jw58cqGbJ+4ViFRfGh07ZyCPDSH6E1yyEuWe7kQJBtDfg6O2ZVUpkLeygS9pi X-Google-Smtp-Source: AGHT+IEzX9PFfxjB63tZ5ivDF7ersfejxkftmwSTlwWeq3XHeB6a5K0KNRP/hLds2aT4kWLkilci/g== X-Received: by 2002:a05:600c:8718:b0:46e:731b:db0f with SMTP id 5b1f17b1804b1-46fa9b08f09mr191007435e9.28.1760448506516; Tue, 14 Oct 2025 06:28:26 -0700 (PDT) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-46fb482b9easm247833025e9.1.2025.10.14.06.28.25 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 14 Oct 2025 06:28:26 -0700 (PDT) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][kirkstone][PATCH 1/5] webmin: patch CVE-2017-15644, CVE-2017-15645 and CVE-2017-15646 Date: Tue, 14 Oct 2025 15:28:21 +0200 Message-ID: <20251014132825.1052635-1-skandigraun@gmail.com> X-Mailer: git-send-email 2.51.0 MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 14 Oct 2025 13:28:30 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120604 Details: https://nvd.nist.gov/vuln/detail/CVE-2017-15644 https://nvd.nist.gov/vuln/detail/CVE-2017-15645 https://nvd.nist.gov/vuln/detail/CVE-2017-15646 Pick the patch mentioned in the nvd report (same patch is marked to fix all three vulnerabilities). Signed-off-by: Gyorgy Sarvari --- ...e-potentially-malicious-HTTP-headers.patch | 53 +++++++++++++++++++ .../recipes-webadmin/webmin/webmin_1.850.bb | 3 +- 2 files changed, 55 insertions(+), 1 deletion(-) create mode 100644 meta-webserver/recipes-webadmin/webmin/files/0001-Escape-potentially-malicious-HTTP-headers.patch diff --git a/meta-webserver/recipes-webadmin/webmin/files/0001-Escape-potentially-malicious-HTTP-headers.patch b/meta-webserver/recipes-webadmin/webmin/files/0001-Escape-potentially-malicious-HTTP-headers.patch new file mode 100644 index 0000000000..f5d1a7d0e5 --- /dev/null +++ b/meta-webserver/recipes-webadmin/webmin/files/0001-Escape-potentially-malicious-HTTP-headers.patch @@ -0,0 +1,53 @@ +From 5a06f972b1fd64f3da46187edf4998af0266a53b Mon Sep 17 00:00:00 2001 +From: Jamie Cameron +Date: Tue, 5 Sep 2017 10:35:44 -0700 +Subject: [PATCH] Escape potentially malicious HTTP headers + +CVE: CVE-2017-15644 CVE-2017-15645 CVE-2017-15646 +Upstream-Status: Backport [https://github.com/webmin/webmin/commit/0c58892732ee7610a7abba5507614366d382c9c9] + +Signed-off-by: Gyorgy Sarvari +--- + web-lib-funcs.pl | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/web-lib-funcs.pl b/web-lib-funcs.pl +index 1fcd96ab..df673bb7 100755 +--- a/web-lib-funcs.pl ++++ b/web-lib-funcs.pl +@@ -2308,7 +2308,7 @@ alarm(0); + $h = $main::download_timed_out if ($main::download_timed_out); + if (!ref($h)) { + if ($error) { $$error = $h; return; } +- else { &error($h); } ++ else { &error(&html_escape($h)); } + } + &complete_http_download($h, $dest, $error, $cbfunc, $osdn, $host, $port, + $headers, $ssl, $nocache); +@@ -2336,7 +2336,7 @@ if ($line !~ /^HTTP\/1\..\s+(200|30[0-9]|400)(\s+|$)/) { + alarm(0); + &close_http_connection($_[0]); + if ($_[2]) { ${$_[2]} = $line; return; } +- else { &error("Download failed : $line"); } ++ else { &error("Download failed : ".&html_escape($line)); } + } + my $rcode = $1; + &$cbfunc(1, $rcode >= 300 && $rcode < 400 ? 1 : 0) +@@ -2382,7 +2382,7 @@ if ($rcode >= 300 && $rcode < 400) { + # Assume relative to same dir .. not handled + &close_http_connection($_[0]); + if ($_[2]) { ${$_[2]} = "Invalid Location header $header{'location'}"; return; } +- else { &error("Invalid Location header $header{'location'}"); } ++ else { &error("Invalid Location header ".&html_escape($header{'location'})); } + } + else { + &close_http_connection($_[0]); +@@ -2411,7 +2411,7 @@ else { + if (!&open_tempfile(PFILE, ">$_[1]", 1)) { + &close_http_connection($_[0]); + if ($_[2]) { ${$_[2]} = "Failed to write to $_[1] : $!"; return; } +- else { &error("Failed to write to $_[1] : $!"); } ++ else { &error("Failed to write to ".&html_escape($_[1])." : ".&html_escape("$!")); } + } + binmode(PFILE); # For windows + while(defined($buf = &read_http_connection($_[0], 1024))) { diff --git a/meta-webserver/recipes-webadmin/webmin/webmin_1.850.bb b/meta-webserver/recipes-webadmin/webmin/webmin_1.850.bb index 35ec09daea..bc71c74474 100644 --- a/meta-webserver/recipes-webadmin/webmin/webmin_1.850.bb +++ b/meta-webserver/recipes-webadmin/webmin/webmin_1.850.bb @@ -19,7 +19,8 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/webadmin/webmin-${PV}.tar.gz \ file://remove-python2.3.patch \ file://mysql-config-fix.patch \ file://webmin.service \ - " + file://0001-Escape-potentially-malicious-HTTP-headers.patch \ + " SRC_URI[md5sum] = "cd6ee98f73f9418562197675b952d81b" SRC_URI[sha256sum] = "c66caa9e4cb50d5447bc8aceb7989d2284dde060278f404b13e171c7ce1690e1" From patchwork Tue Oct 14 13:28:22 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 72249 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 4A5A0CCD194 for ; Tue, 14 Oct 2025 13:28:30 +0000 (UTC) Received: from mail-wr1-f47.google.com (mail-wr1-f47.google.com [209.85.221.47]) by mx.groups.io with SMTP id smtpd.web11.16367.1760448509134584710 for ; Tue, 14 Oct 2025 06:28:29 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=jwobLIci; spf=pass (domain: gmail.com, ip: 209.85.221.47, mailfrom: skandigraun@gmail.com) Received: by mail-wr1-f47.google.com with SMTP id ffacd0b85a97d-3f0308469a4so2928538f8f.0 for ; Tue, 14 Oct 2025 06:28:28 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1760448507; x=1761053307; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=T0mcQUVw7egCWPdIodM2lj7P56PiztHOdlc/SNUdQJA=; b=jwobLIciXiMGkT9d24XrP89TV7CNbqLDbBdtqUD3CAwTLA3Tt6WxC0pWCXLXXspMpA kAZKkHrB5AzV/UpxXB5rGinttgz+jCJ6yzlJiQS9l+av93G/pDELy+MYxfPognTonOq3 K53qOLz/obGpWztSubqeeAAlWapx9MNeuyjl9lPlUcfWXNVOp9gRm92Fid7mglpI86hl XWirQRCzKxOtGb47kI6GKqEPYf5qRf+GZictDbGOe45ViYOcZoFGmWtD9qmPsbejqgqo /EXNUoQxvFDTj0TDsA06SB/manq6ZjLfBn/Q9gP/zCovxgZ5/ylC0PVqNiiHN4htwRkO i8tQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760448507; x=1761053307; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=T0mcQUVw7egCWPdIodM2lj7P56PiztHOdlc/SNUdQJA=; b=GmUdmr/eM1kmvTYbFpSD3m6WOVAacV7o4pDEqakmnrwwQueES6UGrNQFBsbo3WQPdJ n9Kwrtmf4/dgWfmRUX68h9wy32Pooozf6PFyajfmZVLvkX67Wp1Ezad4AKJda5AP5lzH 6cRC5PEod9oFX5SW2G2+v8y0kqLnPkLB3dfHm5TuPmjD1fFsBpMpPFNsFW9NKsPzTrET GJng5vaWrI7TW3tKuvOsdYxduWWt8IiIt29F/gPKZ+pFY7R3m0w8ViMT2LgTtIHK3eiv 4fsvmPG4j9gpzAm/nvvz7BdhzFx/8TRh0vf0TIHqYpYwYHMRmXLUAbkIQokhYWDRiDOC bP1Q== X-Gm-Message-State: AOJu0YwcvEYxurcesm5YjiLZ4TVOk96A8yLyKEBsLCs4JXJddnDVWmqm 1D4+Vs+b6FAa7qZ0dkYs/c3A89aO5pX5qsWvWu4XQox7zPQiyP0QZy9n62JSaw== X-Gm-Gg: ASbGncsoS7moQEXmNg8Le48m6pO05QsoRn+jMcT9f51ptiFrJ3OXCy1KpK9N7OqYLCv AKMaVrRruSrpU0vFkzVUVxxUwaoOD8ewKgwwqxWMpIsETaa3mxV2Kqcou7qhVhwcPqzUXCucKWz MMeq6Y11EItJjAdr6RlebVOYgB+exBRu0VrALJUYXddivoEIlwFnoGFAdOXAenICYPYUuvyvtlw w+2C6XXcb5pDf9j6m1JqB27rCfrEBj/D1np3qwyQigrdHuJqgoOPVrzKdzYzCOwNZr75do1Im+a qOkSw7dpZFDif2VfZPkeAkPj0uIALCITHaiTForC7f0MXKo9HGWSkdbqBnQFxUIHhSAFQ+bOjfl VxaZU4rHdXmv1Nwjh7/PyxEnSBkNBf47zyyIyuIOoKmyQBRBkVA== X-Google-Smtp-Source: AGHT+IHazqgg4dZQcvJHMLImsD9fziQZ/vLwOXsCXHlgeSfui8n4CaFyy6uZbwJrPGh7VUeofl1FSw== X-Received: by 2002:a05:6000:4284:b0:3f9:1571:fe04 with SMTP id ffacd0b85a97d-4266e8de175mr16175088f8f.48.1760448507198; Tue, 14 Oct 2025 06:28:27 -0700 (PDT) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-46fb482b9easm247833025e9.1.2025.10.14.06.28.26 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 14 Oct 2025 06:28:26 -0700 (PDT) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][kirkstone][PATCH 2/5] webmin: patch CVE-2017-17089 Date: Tue, 14 Oct 2025 15:28:22 +0200 Message-ID: <20251014132825.1052635-2-skandigraun@gmail.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: <20251014132825.1052635-1-skandigraun@gmail.com> References: <20251014132825.1052635-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 14 Oct 2025 13:28:30 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120605 Details: https://nvd.nist.gov/vuln/detail/CVE-2017-17089 Pick the patch referenced in the nvd report. Signed-off-by: Gyorgy Sarvari --- ...0001-HTML-escape-command-description.patch | 29 +++++++++++++++++++ .../recipes-webadmin/webmin/webmin_1.850.bb | 1 + 2 files changed, 30 insertions(+) create mode 100644 meta-webserver/recipes-webadmin/webmin/files/0001-HTML-escape-command-description.patch diff --git a/meta-webserver/recipes-webadmin/webmin/files/0001-HTML-escape-command-description.patch b/meta-webserver/recipes-webadmin/webmin/files/0001-HTML-escape-command-description.patch new file mode 100644 index 0000000000..f4078c7f4f --- /dev/null +++ b/meta-webserver/recipes-webadmin/webmin/files/0001-HTML-escape-command-description.patch @@ -0,0 +1,29 @@ +From 0d5e731a173767e7e4ea2051a7a33c8e5cc57880 Mon Sep 17 00:00:00 2001 +From: Jamie Cameron +Date: Mon, 27 Nov 2017 08:50:15 -0800 +Subject: [PATCH] HTML escape command description + +CVE: CVE-2017-17089 +Upstream-Status: Backport [https://github.com/webmin/webmin/commit/a9c97eea6c268fb83d93a817d58bac75e0d2599e] + +Signed-off-by: Gyorgy Sarvari +--- + custom/run.cgi | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/custom/run.cgi b/custom/run.cgi +index 327de410..375b041b 100755 +--- a/custom/run.cgi ++++ b/custom/run.cgi +@@ -40,8 +40,9 @@ if ($cmd->{'format'} ne 'redirect' && $cmd->{'format'} ne 'form') { + print "\n"; + } + else { +- &ui_print_unbuffered_header($cmd->{'desc'}, $text{'run_title'}, +- "", -d "help" ? "run" : undef); ++ &ui_print_unbuffered_header( ++ &html_escape($cmd->{'desc'}), $text{'run_title'}, ++ "", -d "help" ? "run" : undef); + } + } + diff --git a/meta-webserver/recipes-webadmin/webmin/webmin_1.850.bb b/meta-webserver/recipes-webadmin/webmin/webmin_1.850.bb index bc71c74474..784e3b69b9 100644 --- a/meta-webserver/recipes-webadmin/webmin/webmin_1.850.bb +++ b/meta-webserver/recipes-webadmin/webmin/webmin_1.850.bb @@ -20,6 +20,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/webadmin/webmin-${PV}.tar.gz \ file://mysql-config-fix.patch \ file://webmin.service \ file://0001-Escape-potentially-malicious-HTTP-headers.patch \ + file://0001-HTML-escape-command-description.patch \ " SRC_URI[md5sum] = "cd6ee98f73f9418562197675b952d81b" From patchwork Tue Oct 14 13:28:23 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 72251 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 371A7CCD195 for ; Tue, 14 Oct 2025 13:28:40 +0000 (UTC) Received: from mail-wm1-f49.google.com (mail-wm1-f49.google.com [209.85.128.49]) by mx.groups.io with SMTP id smtpd.web10.16243.1760448509773590396 for ; Tue, 14 Oct 2025 06:28:30 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=EyHkEckM; spf=pass (domain: gmail.com, ip: 209.85.128.49, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f49.google.com with SMTP id 5b1f17b1804b1-46e33b260b9so43163715e9.2 for ; Tue, 14 Oct 2025 06:28:29 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1760448508; x=1761053308; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=r4nriA1AqW0guOiLC+keFrKmHLDCEGuYEQdG3753tz4=; b=EyHkEckMPFpold4nVSGR2A0US3Z5VrWIztnsmXozJSEA3OM0XsWorMduAsXgDQlbAV jTHMkLMPbAMvUBly+zeN6hOfJUjAGh6WA7y5GJhcUhugdls6fiaaFRkLW3Cp3X0Ow7tz vJbOSfz26r8ZWxBAr0luYaKWZk/joFuSaHUWNwciUpacqx/+UV6wt6J4NGPnq3CJQqt7 xBa/YkrS3H2hqo9mz1As6KuG/o37ZzO0eoi3ee0BUJrmmbzMZOrjB6cJ/9F4m6CFXBcm iu+AA3ee8aDagfKNE+AZOpBYAGxWYDc4YbvR4XfJXOXm5rz4Pe3OQuyCk/Fo6YI4wf6v zQbw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760448508; x=1761053308; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=r4nriA1AqW0guOiLC+keFrKmHLDCEGuYEQdG3753tz4=; b=FYZ/wtFfojpPK3SMPSkYZ10XWvrYuKIPAGBDgLEEolKgFrArpdgJ229Wb8igNO2h77 GfRsgnUIS+1DqA/zUoYOtSlQaXGH+UhaAGXKZL7T8Tyy505RrXhaEpTX5PRq8pjej3yx dRGL844DBkfZT2HEDvi6nHEXx7xW0IXFB/8cqNGwNs+636W5WkG8G07+lyPAVCb3Sydc s6bRvYMKdkQALaRujlGl8LYLwBUOqGmuCRO4mwBYLK73sq0Esfjxx+ZA11aZKUi6j0QD 2Sf6HL4/o/Zdh4fEnsKbfpSwRLFaAK/WrafVNMjvSzfhE7zz0EQD/axy+6tGk8MVA3DW Dc2Q== X-Gm-Message-State: AOJu0YxrS/Yl70PVKDJyJId7hMGgrEfXqd25NmBbNQ2f6t/nPs7zOKEZ A+2dFGo+/BfCIF0anWfpQTnS9/TNRZr1DhoFq08WLtskwTmIyG+7yZiXE9BiXA== X-Gm-Gg: ASbGncu4KGCTCCoVNHtArYY8BJ6M7XwoU3qu0aVJx1BSDNxuO/B9rYwkn7vNwmysrIV qUbFben6FaBGdlX/YUmKOPH/sR79vRaMSl7oK4Y/QGuq6tCA4+Fn2bgSOfLPV7Zx6j8Tm02ApkT pg+Yb2U+cymwyzKKL0OCmZSoZneb5nzNYev+0IsRd9aaxh0jpAfg0U8M6439bBCCaZX43BeD2/m Bk4egG3mq9zYmhcW5eSIlW8QsLlbPqZLydZJ+7QlkV7FdJtGmsSiEGtTGgr5Z3b64ldbX3lTDSf CxbF+QxWK6lyHqrXni7qAhH2JmHD0rsA3ZqYHALRmPgHXPvK+8KcWrj1PpXOvaDsUhawvToZOUL tsvSoz7X3ZifjHnHPIDkZRNRXbVOm2RoK6d5hR7E++ggEPWytNQ== X-Google-Smtp-Source: AGHT+IHdeQPurC5JjEE1mnZpMOw7Ln1wx+M9e+yVSH+1HRHB5hGbdN8MMjYkUYbosTFf6LOPqp+9Aw== X-Received: by 2002:a05:600d:420d:b0:45d:cfee:7058 with SMTP id 5b1f17b1804b1-46fa9af9041mr183790895e9.22.1760448507926; Tue, 14 Oct 2025 06:28:27 -0700 (PDT) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-46fb482b9easm247833025e9.1.2025.10.14.06.28.27 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 14 Oct 2025 06:28:27 -0700 (PDT) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][kirkstone][PATCH 3/5] webmin: patch CVE-2019-15642 Date: Tue, 14 Oct 2025 15:28:23 +0200 Message-ID: <20251014132825.1052635-3-skandigraun@gmail.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: <20251014132825.1052635-1-skandigraun@gmail.com> References: <20251014132825.1052635-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 14 Oct 2025 13:28:40 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120606 Details: https://nvd.nist.gov/vuln/detail/CVE-2019-15642 Pick the patch mentioned in the nvm report. Signed-off-by: Gyorgy Sarvari --- ...es-cannot-contact-special-characters.patch | 26 +++++++++++++++++++ .../recipes-webadmin/webmin/webmin_1.850.bb | 1 + 2 files changed, 27 insertions(+) create mode 100644 meta-webserver/recipes-webadmin/webmin/files/0001-Object-names-cannot-contact-special-characters.patch diff --git a/meta-webserver/recipes-webadmin/webmin/files/0001-Object-names-cannot-contact-special-characters.patch b/meta-webserver/recipes-webadmin/webmin/files/0001-Object-names-cannot-contact-special-characters.patch new file mode 100644 index 0000000000..9abb02a6ae --- /dev/null +++ b/meta-webserver/recipes-webadmin/webmin/files/0001-Object-names-cannot-contact-special-characters.patch @@ -0,0 +1,26 @@ +From 8470368e42af2b66a31a112299df6239fccf111e Mon Sep 17 00:00:00 2001 +From: Jamie Cameron +Date: Sat, 3 Aug 2019 22:41:37 -0700 +Subject: [PATCH] Object names cannot contact special characters + +CVE: CVE-2019-15642 +Upstream-Status: Backport [https://github.com/webmin/webmin/commit/df8a43fb4bdc9c858874f72773bcba597ae9432c] + +Signed-off-by: Gyorgy Sarvari +--- + web-lib-funcs.pl | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/web-lib-funcs.pl b/web-lib-funcs.pl +index df673bb7..bbe154a9 100755 +--- a/web-lib-funcs.pl ++++ b/web-lib-funcs.pl +@@ -7102,7 +7102,7 @@ elsif ($v[0] eq 'REF') { + elsif ($v[0] eq 'UNDEF') { + $rv = undef; + } +-elsif ($v[0] =~ /^OBJECT\s+(.*)$/) { ++elsif ($v[0] =~ /^OBJECT\s+([A-Za-z0-9_:]+)$/) { + # An object hash that we have to re-bless + my $cls = $1; + $rv = { }; diff --git a/meta-webserver/recipes-webadmin/webmin/webmin_1.850.bb b/meta-webserver/recipes-webadmin/webmin/webmin_1.850.bb index 784e3b69b9..cc31ff35a7 100644 --- a/meta-webserver/recipes-webadmin/webmin/webmin_1.850.bb +++ b/meta-webserver/recipes-webadmin/webmin/webmin_1.850.bb @@ -21,6 +21,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/webadmin/webmin-${PV}.tar.gz \ file://webmin.service \ file://0001-Escape-potentially-malicious-HTTP-headers.patch \ file://0001-HTML-escape-command-description.patch \ + file://0001-Object-names-cannot-contact-special-characters.patch \ " SRC_URI[md5sum] = "cd6ee98f73f9418562197675b952d81b" From patchwork Tue Oct 14 13:28:24 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 72252 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 35FA0CCD192 for ; Tue, 14 Oct 2025 13:28:40 +0000 (UTC) Received: from mail-wm1-f50.google.com (mail-wm1-f50.google.com [209.85.128.50]) by mx.groups.io with SMTP id smtpd.web11.16370.1760448510743758900 for ; Tue, 14 Oct 2025 06:28:31 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=FmQWxmSK; spf=pass (domain: gmail.com, ip: 209.85.128.50, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f50.google.com with SMTP id 5b1f17b1804b1-46e29d65728so32044575e9.3 for ; Tue, 14 Oct 2025 06:28:30 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1760448509; x=1761053309; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=sNnUYh1xRG3d4o1okE2uTI6ZUnbx423wdX+uZsQtFY8=; b=FmQWxmSKMTg0UWGSSeryuXuPpkT8aablpG0Kj1fPmatFovFPz3Gm+1RU3fUwQS05dm 0RKrEbmu/R0XjspCh+70KIpxjfZhflev0ig7WI8FYVkgd5tweLK8WZQuwiu8GUkMEG5L Yn4EalpRJrEYEKyTx4ra7V9DPAyiDKMQA9LZDWyC6TN4MMlHSuegaoBkXJ2wFtJBkIbJ mQ75SfIzE2cmlpupCyN4nKaII5SWyFWLgqixvu/tH3gLihx0CWfU3TFQ7Idi57HWnZIx Yq95AlZiod0RIXPuk4+W8fEG3I4RlqfBM4Ib1p+iLTQ189bspAdmYR/rgGBSRbZe3phU yBGw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760448509; x=1761053309; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=sNnUYh1xRG3d4o1okE2uTI6ZUnbx423wdX+uZsQtFY8=; b=cKWqziFCzmHF2sPy7MdJxa1HVCGeVuFw3u35oq8IVO2bPBj03ppq/PBhOvV2A3wYri uSD1PfUGhqRpWfbVe8qnS1W+sKx9C8mwLh6CTX7CUHNG3UWrdk2cILvHznprsZz3LfT1 TkPZKm4stISdPbSjestOwW9/40d+m2Wzy8TxnDYD2cVDWK3eAiz1ENsFDx4zfeP6Ak4X rqdKRcFTFA6S+fititsxan3Qd6us08Zg32GcBo6rmYuvI75PSXog2BzFFl5pfg3IZHEn 3fjsOsNyuoCHPkoPeN+WAoxPWRIP/GPC0oR4MkdJUj5C5kcXzTWf0C2N+0RnvwdKbecd Vnkg== X-Gm-Message-State: AOJu0YyoABdHn1tJ9hILdi0KkCyZAkH3cuxveehq8flXwaoveE+jcmA+ xfa5rMCE3YEX9XWMp0uJ/Atmi415HCKiojFIRnX4foBR4kGMsv346U5O5fw+vw== X-Gm-Gg: ASbGncspkt0NFicuMNPb836xU6VPGjxws3C5hGD/bSHVKGTh7/BhdkCZ/Nx8ptkUyTu mQ1t/o/J3jrKviWl69FlOttZ4S17Jgitgl3b3dQHKuufsHd81I6EEwqaQOBvojDRDkpdV12WcdC YcZZ+qFEuGcXzV7hd4v5ik/PA0KQ8ozpSg8DaZNAe/gW4eYxiJmeGCuKFGlawWJcEDhWPrSy4GG OZ2zSA9bjKnfiuq/wFnziejPeMq1DyftE4ATETIfoZhthM6jAufqSzGMXGtW1iP4MODbZzqckqK AqAtLPNDUCASQTAJjTl9kPLs+A7ozwA+BEo3IyH8zHiOgMHSj/l2SKalfRq1gyZe8F+fdboescA vYNcIXp9DHzGaBwG8YxqreJhoL/tHgvYy5YmDiLiqn82IfpG7+A== X-Google-Smtp-Source: AGHT+IFnjLVltew5HO3np2iOiccP1skq/BxnrgXclhWYTm208Vg10TyWpHWS3004fPkeUmvLLYGr6w== X-Received: by 2002:a05:600c:c096:b0:46e:2cfe:971c with SMTP id 5b1f17b1804b1-46fa9b937e1mr118916035e9.0.1760448508808; Tue, 14 Oct 2025 06:28:28 -0700 (PDT) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-46fb482b9easm247833025e9.1.2025.10.14.06.28.28 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 14 Oct 2025 06:28:28 -0700 (PDT) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][kirkstone][PATCH 4/5] webmin: patch CVE-2022-0824 Date: Tue, 14 Oct 2025 15:28:24 +0200 Message-ID: <20251014132825.1052635-4-skandigraun@gmail.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: <20251014132825.1052635-1-skandigraun@gmail.com> References: <20251014132825.1052635-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 14 Oct 2025 13:28:40 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120607 Details: https://nvd.nist.gov/vuln/detail/CVE-2022-0824 Pick the patch mentioned in the nvd report. Signed-off-by: Gyorgy Sarvari --- ...0001-Foreign-module-may-need-a-check.patch | 27 +++++++++++++++++++ .../recipes-webadmin/webmin/webmin_1.850.bb | 1 + 2 files changed, 28 insertions(+) create mode 100644 meta-webserver/recipes-webadmin/webmin/files/0001-Foreign-module-may-need-a-check.patch diff --git a/meta-webserver/recipes-webadmin/webmin/files/0001-Foreign-module-may-need-a-check.patch b/meta-webserver/recipes-webadmin/webmin/files/0001-Foreign-module-may-need-a-check.patch new file mode 100644 index 0000000000..8698030e82 --- /dev/null +++ b/meta-webserver/recipes-webadmin/webmin/files/0001-Foreign-module-may-need-a-check.patch @@ -0,0 +1,27 @@ +From 2659c2990427c587a49014abb5275aec0ea44c0a Mon Sep 17 00:00:00 2001 +From: Ilia Rostovtsev +Date: Sun, 20 Feb 2022 12:48:27 +0300 +Subject: [PATCH] Foreign module may need a check + +CVE: CVE-2022-0824 +Upstream-Status: Backport [https://github.com/webmin/webmin/commit/39ea464f0c40b325decd6a5bfb7833fa4a142e38] + +Signed-off-by: Gyorgy Sarvari +--- + web-lib-funcs.pl | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/web-lib-funcs.pl b/web-lib-funcs.pl +index bbe154a9..4bb2b0d6 100755 +--- a/web-lib-funcs.pl ++++ b/web-lib-funcs.pl +@@ -4669,7 +4669,8 @@ if ($module_name) { + } + + if ($module_name && !$main::no_acl_check && +- !defined($ENV{'FOREIGN_MODULE_NAME'}) && ++ (!defined($ENV{'FOREIGN_MODULE_NAME'}) || ++ defined($ENV{'FOREIGN_MODULE_SEC_CHECK'})) && + $main::webmin_script_type eq 'web') { + # Check if the HTTP user can access this module + if (!&foreign_available($module_name)) { diff --git a/meta-webserver/recipes-webadmin/webmin/webmin_1.850.bb b/meta-webserver/recipes-webadmin/webmin/webmin_1.850.bb index cc31ff35a7..d553c7530c 100644 --- a/meta-webserver/recipes-webadmin/webmin/webmin_1.850.bb +++ b/meta-webserver/recipes-webadmin/webmin/webmin_1.850.bb @@ -22,6 +22,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/webadmin/webmin-${PV}.tar.gz \ file://0001-Escape-potentially-malicious-HTTP-headers.patch \ file://0001-HTML-escape-command-description.patch \ file://0001-Object-names-cannot-contact-special-characters.patch \ + file://0001-Foreign-module-may-need-a-check.patch \ " SRC_URI[md5sum] = "cd6ee98f73f9418562197675b952d81b" From patchwork Tue Oct 14 13:28:25 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gyorgy Sarvari X-Patchwork-Id: 72253 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 35FEECCD194 for ; Tue, 14 Oct 2025 13:28:40 +0000 (UTC) Received: from mail-wm1-f41.google.com (mail-wm1-f41.google.com [209.85.128.41]) by mx.groups.io with SMTP id smtpd.web11.16371.1760448511430182485 for ; Tue, 14 Oct 2025 06:28:31 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=nXJkqzlX; spf=pass (domain: gmail.com, ip: 209.85.128.41, mailfrom: skandigraun@gmail.com) Received: by mail-wm1-f41.google.com with SMTP id 5b1f17b1804b1-46e34bd8eb2so54445495e9.3 for ; Tue, 14 Oct 2025 06:28:31 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1760448510; x=1761053310; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:from:to:cc:subject:date:message-id :reply-to; bh=z9BV2Sob3Yaj8KKCPKUceBtrf+3oS+RxenkrrFCZinU=; b=nXJkqzlXETOd3AL2LPr8kXxO/E7/p3ZAdDUQZCUyWixga4s9MX/FquJZr77xtTxyCv 7d80/4fGvZRukwwgk65SVhq1BzxjtYlbcwanr1qR2w152c9UNocI5iCMgw1exCVC9gYw Ef9ZSgCBRwnvJ8Qf7+tB76CfJGrMRiA5FTu1WVqFHe4dsbgWnArB/J3KAX/ocQKo19VJ o7xx17JRSmxUtvdC+dGV21skrEhLlkOBFdjIk9uAwOm3FMqp1EXGMVwroWniFv7KtzP1 g4ce/wCboydQmbFde7ansVrE+Ox0JvdjEpAv/3KldcygHLn+iCIDtsaPkH/uISjcXPSf IHhw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1760448510; x=1761053310; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=z9BV2Sob3Yaj8KKCPKUceBtrf+3oS+RxenkrrFCZinU=; b=ct+cJgFJhBpilrvzYY6KzIS7Q/k/tfOMwSZuYALxOFOvnbNcdcOYrQmDv4Ga0hwuhi o9tminfIr6oTKhJ80dsJhqq0hG6JbgwRsL6nlN8o1HiJ5YjZGXzs4KML8I1ah/HxUh5J OdnpNbcMMLw7SctnnzHcXUGxm7huk7GQfMMt0yrF9uScwoK122g8QI5SnONFtth2LBLU eweVpFZ5mz4/JZvCA/dO3iZUXqDcw/EELQXXdk7+1wFEhRJhFJjDPHYBks3oQWOMamR1 maQ++zqSKuKT1cnYpSF9+a6o3B4w3g8he3iTIGWa2ZHA4Oqgt5gA1UORW+5x7PPLbAwc wFgQ== X-Gm-Message-State: AOJu0YwVKcpGwYfeuA4mZ6TtsRGekfXqBm/eYZcZPzcQ1uG1YGkhRVfp vEslT0qOp13pzgmmiDs5BZPZXpT6fpuG06k4uhKD0YcTXPB6hjbSEBQvZ8+a9A== X-Gm-Gg: ASbGnctHh/HEG2WMv6Kv76FnMMihVGFs1GRS4HWT//CvS5dl2NOaBOiPeCLGhvF7EOz l2I0x7xgERfctEfWIYDx+UVaFFvcr/lXVqKg7lDpJi/MDunmwrfY4l44w10y7XmsBF2fd6qoUI6 8nRTqCaMDuxeQ4QonoYYWDAFmZj9OQccBD+nDXdH0xkzTGyHsiV6hy7eBhmlg9q88717asudP3Q Z/NZfuZdQljAlZQv/e03y51cVhHn2CVzc56nfgw/yFs3/oUYG2wbqjAkjY/zNY9nwinHcEfWe+R IFC7c0JDgaCURqdBRNyEqnmUPio+ZucIb/OViNZdqgrCklqe/Xwnw8P6YjShzsKP1+JqUYglpxu d0xspc/ZJMVzMba2t7xBgwHAQCP5MPS7f/t4l2hU= X-Google-Smtp-Source: AGHT+IG7cmzYlFuz54r3yceDB0tTkhO23k+B9f42aVSnJTir+Y2kYMXWXRYMtz6jtG8QsuEX9ThdmQ== X-Received: by 2002:a05:600d:41c2:b0:459:e398:ed89 with SMTP id 5b1f17b1804b1-46fa9a8f156mr167030645e9.1.1760448509547; Tue, 14 Oct 2025 06:28:29 -0700 (PDT) Received: from desktop ([51.154.145.205]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-46fb482b9easm247833025e9.1.2025.10.14.06.28.28 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 14 Oct 2025 06:28:29 -0700 (PDT) From: Gyorgy Sarvari To: openembedded-devel@lists.openembedded.org Subject: [meta-oe][kirkstone][PATCH 5/5] webmin: patch CVE-2022-0829 Date: Tue, 14 Oct 2025 15:28:25 +0200 Message-ID: <20251014132825.1052635-5-skandigraun@gmail.com> X-Mailer: git-send-email 2.51.0 In-Reply-To: <20251014132825.1052635-1-skandigraun@gmail.com> References: <20251014132825.1052635-1-skandigraun@gmail.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Tue, 14 Oct 2025 13:28:40 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120608 Details: https://nvd.nist.gov/vuln/detail/CVE-2022-0829 Pick the patch from the nvd report details. Signed-off-by: Gyorgy Sarvari --- ...issions-check-when-saving-allowed-cr.patch | 25 +++++++++++++++++++ .../recipes-webadmin/webmin/webmin_1.850.bb | 1 + 2 files changed, 26 insertions(+) create mode 100644 meta-webserver/recipes-webadmin/webmin/files/0001-Add-missing-permissions-check-when-saving-allowed-cr.patch diff --git a/meta-webserver/recipes-webadmin/webmin/files/0001-Add-missing-permissions-check-when-saving-allowed-cr.patch b/meta-webserver/recipes-webadmin/webmin/files/0001-Add-missing-permissions-check-when-saving-allowed-cr.patch new file mode 100644 index 0000000000..a1ab677bc9 --- /dev/null +++ b/meta-webserver/recipes-webadmin/webmin/files/0001-Add-missing-permissions-check-when-saving-allowed-cr.patch @@ -0,0 +1,25 @@ +From 15dd0e4e55579671c01e4808236beb4fe23e9eef Mon Sep 17 00:00:00 2001 +From: Jamie Cameron +Date: Sat, 19 Feb 2022 13:10:36 -0800 +Subject: [PATCH] Add missing permissions check when saving allowed cron users + +CVE: CVE-2022-0829 +Upstream-Status: Backport [https://github.com/webmin/webmin/commit/eeeea3c097f5cc473770119f7ac61f1dcfa671b9] + +Signed-off-by: Gyorgy Sarvari +--- + cron/save_allow.cgi | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/cron/save_allow.cgi b/cron/save_allow.cgi +index 87bbe453..73df9a84 100755 +--- a/cron/save_allow.cgi ++++ b/cron/save_allow.cgi +@@ -4,6 +4,7 @@ + + require './cron-lib.pl'; + &ReadParse(); ++$access{'allow'} || &error($text{'allow_ecannot'}); + + &lock_file($config{cron_allow_file}); + &lock_file($config{cron_deny_file}); diff --git a/meta-webserver/recipes-webadmin/webmin/webmin_1.850.bb b/meta-webserver/recipes-webadmin/webmin/webmin_1.850.bb index d553c7530c..78ab19601f 100644 --- a/meta-webserver/recipes-webadmin/webmin/webmin_1.850.bb +++ b/meta-webserver/recipes-webadmin/webmin/webmin_1.850.bb @@ -23,6 +23,7 @@ SRC_URI = "${SOURCEFORGE_MIRROR}/webadmin/webmin-${PV}.tar.gz \ file://0001-HTML-escape-command-description.patch \ file://0001-Object-names-cannot-contact-special-characters.patch \ file://0001-Foreign-module-may-need-a-check.patch \ + file://0001-Add-missing-permissions-check-when-saving-allowed-cr.patch \ " SRC_URI[md5sum] = "cd6ee98f73f9418562197675b952d81b"