<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>



<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">

<h3>
Chris Lamb pushed to branch master
at <a href="https://salsa.debian.org/reproducible-builds/reproducible-website">Reproducible Builds / reproducible-website</a>
</h3>
<h4>
Commits:
</h4>
<ul>
<li>
<strong><a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/baecbbefcc4fd0b88c989496721a30a23312a088">baecbbef</a></strong>
<div>
<span>by Chris Lamb</span>
<i>at 2019-09-06T11:50:53Z</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">2019-08: Make the Webmin link link to their homepage.
</pre>
</li>
</ul>
<h4>1 changed file:</h4>
<ul>
<li class="file-stats">
<a href="#334fe06b3e3b54f4637d878fe3f78630c377893e">
_reports/2019-08.md
</a>
</li>
</ul>
<h4>Changes:</h4>
<li id="334fe06b3e3b54f4637d878fe3f78630c377893e">
<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/baecbbefcc4fd0b88c989496721a30a23312a088#334fe06b3e3b54f4637d878fe3f78630c377893e"><strong>_reports/2019-08.md</strong></a>
<hr>
<table class="code white" style="font-family: monospace; font-size: 90%;" bgcolor="#fff" width="100%" cellpadding="0" cellspacing="0">
<tr class="line_holder match" id="" style="line-height: 1.6;">
<td class="diff-line-num unfold js-unfold old_line" data-linenumber="33" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">...</td>
<td class="diff-line-num unfold js-unfold new_line" data-linenumber="33" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">...</td>
<td class="line_content match " style="padding-left: 0.5em; padding-right: 0.5em; color: rgba(0,0,0,0.3);" bgcolor="#fafafa">@@ -33,7 +33,7 @@ If you are interested in contributing to our project, please visit our [*Contrib</td>
</tr>
<tr class="line_holder" id="" style="line-height: 1.6;">
<td class="diff-line-num old_line" data-linenumber="33" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
33
</td>
<td class="diff-line-num new_line" data-linenumber="33" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
33
</td>
<td class="line_content" style="padding-left: 0.5em; padding-right: 0.5em;">
<pre style="margin: 0;"> <span id="LC33" class="line" lang="markdown"></span>
</pre>
</td>
</tr>
<tr class="line_holder" id="" style="line-height: 1.6;">
<td class="diff-line-num old_line" data-linenumber="34" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
34
</td>
<td class="diff-line-num new_line" data-linenumber="34" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
34
</td>
<td class="line_content" style="padding-left: 0.5em; padding-right: 0.5em;">
<pre style="margin: 0;"> <span id="LC34" class="line" lang="markdown"><span class="p">[</span><span class="nv" style="color: #008080;">![</span><span class="p">](</span><span class="sx" style="color: #d14;">{{</span> <span class="nn" style="color: #555;">"/images/reports/2019-08/webmin.png#right"</span> | prepend: site.baseurl }})](http://www.webmin.com/)</span>
</pre>
</td>
</tr>
<tr class="line_holder" id="" style="line-height: 1.6;">
<td class="diff-line-num old_line" data-linenumber="35" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
35
</td>
<td class="diff-line-num new_line" data-linenumber="35" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
35
</td>
<td class="line_content" style="padding-left: 0.5em; padding-right: 0.5em;">
<pre style="margin: 0;"> <span id="LC35" class="line" lang="markdown"></span>
</pre>
</td>
</tr>
<tr class="line_holder old" id="" style="line-height: 1.6;">
<td class="diff-line-num old old_line" data-linenumber="36" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #fac5cd; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#f9d7dc">
36
</td>
<td class="diff-line-num new_line old" data-linenumber="36" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #fac5cd; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#f9d7dc">
 
</td>
<td class="line_content old" style="padding-left: 0.5em; padding-right: 0.5em;" bgcolor="#fbe9eb">
<pre style="margin: 0;">-<span id="LC36" class="line" lang="markdown">A backdoor was found in <span class="p">[</span><span class="nv" style="color: #008080;">Webmin</span><span class="p">](</span><span class="sx" style="color: #d14;">http://www.webmin.com/<span class="idiff left right">exploit.html</span></span><span class="p">)</span> a popular web-based application used by sysadmins to remotely manage Unix-based systems. Whilst more details can be found on <span class="p">[</span><span class="nv" style="color: #008080;">upstream's dedicated exploit page</span><span class="p">](</span><span class="sx" style="color: #d14;">http://www.webmin.com/exploit.html</span><span class="p">)</span>, it appears that the build toolchain was compromised. Especially of note is that the exploit "did not show up in any Git diffs" and thus would not have been found via an audit of the source code. The backdoor would allow a remote attacker to execute arbitrary commands with superuser privileges on the machine running Webmin. Once a machine is compromised, an attacker could then use it to launch attacks on other systems managed through Webmin or indeed any other connected system. Techniques such as reproducible builds can help detect exactly these kinds of attacks that can lay dormant for years. (<span class="p">[</span><span class="nv" style="color: #008080;">LWN comments</span><span class="p">](</span><span class="sx" style="color: #d14;">https://lwn.net/Articles/796951/</span><span class="p">)</span>)</span>
</pre>
</td>
</tr>
<tr class="line_holder new" id="" style="line-height: 1.6;">
<td class="diff-line-num new old_line" data-linenumber="37" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #c7f0d2; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#ddfbe6">
 
</td>
<td class="diff-line-num new new_line" data-linenumber="36" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #c7f0d2; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#ddfbe6">
36
</td>
<td class="line_content new" style="padding-left: 0.5em; padding-right: 0.5em;" bgcolor="#ecfdf0">
<pre style="margin: 0;">+<span id="LC36" class="line" lang="markdown">A backdoor was found in <span class="p">[</span><span class="nv" style="color: #008080;">Webmin</span><span class="p">](</span><span class="sx" style="color: #d14;">http://www.webmin.com/</span><span class="p">)</span> a popular web-based application used by sysadmins to remotely manage Unix-based systems. Whilst more details can be found on <span class="p">[</span><span class="nv" style="color: #008080;">upstream's dedicated exploit page</span><span class="p">](</span><span class="sx" style="color: #d14;">http://www.webmin.com/exploit.html</span><span class="p">)</span>, it appears that the build toolchain was compromised. Especially of note is that the exploit "did not show up in any Git diffs" and thus would not have been found via an audit of the source code. The backdoor would allow a remote attacker to execute arbitrary commands with superuser privileges on the machine running Webmin. Once a machine is compromised, an attacker could then use it to launch attacks on other systems managed through Webmin or indeed any other connected system. Techniques such as reproducible builds can help detect exactly these kinds of attacks that can lay dormant for years. (<span class="p">[</span><span class="nv" style="color: #008080;">LWN comments</span><span class="p">](</span><span class="sx" style="color: #d14;">https://lwn.net/Articles/796951/</span><span class="p">)</span>)</span>
</pre>
</td>
</tr>
<tr class="line_holder" id="" style="line-height: 1.6;">
<td class="diff-line-num old_line" data-linenumber="37" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
37
</td>
<td class="diff-line-num new_line" data-linenumber="37" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
37
</td>
<td class="line_content" style="padding-left: 0.5em; padding-right: 0.5em;">
<pre style="margin: 0;"> <span id="LC37" class="line" lang="markdown"></span>
</pre>
</td>
</tr>
<tr class="line_holder" id="" style="line-height: 1.6;">
<td class="diff-line-num old_line" data-linenumber="38" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
38
</td>
<td class="diff-line-num new_line" data-linenumber="38" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
38
</td>
<td class="line_content" style="padding-left: 0.5em; padding-right: 0.5em;">
<pre style="margin: 0;"> <span id="LC38" class="line" lang="markdown">In a talk titled <span class="p">[</span><span class="nv" style="color: #008080;">*There and Back Again, Reproducibly!*</span><span class="p">](</span><span class="sx" style="color: #d14;">https://cfp.linuxdev-br.net/2019/talk/VH9CCY/</span><span class="p">)</span> Holger Levsen and Vagrant Cascadian presented at the 2019 edition of the <span class="p">[</span><span class="nv" style="color: #008080;">Linux Developer Conference</span><span class="p">](</span><span class="sx" style="color: #d14;">https://linuxdev-br.net/</span><span class="p">)</span> in São Paulo, Brazil on Reproducible Builds.</span>
</pre>
</td>
</tr>
<tr class="line_holder" id="" style="line-height: 1.6;">
<td class="diff-line-num old_line" data-linenumber="39" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
39
</td>
<td class="diff-line-num new_line" data-linenumber="39" style="width: 35px; color: rgba(0,0,0,0.3); border-right-width: 1px; border-right-color: #f0f0f0; border-right-style: solid; padding: 0 5px;" align="right" bgcolor="#fafafa">
39
</td>
<td class="line_content" style="padding-left: 0.5em; padding-right: 0.5em;">
<pre style="margin: 0;"> <span id="LC39" class="line" lang="markdown"></span>
</pre>
</td>
</tr>

</table>
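<p>Review bot: On new line 36 the Webmin homepage link still uses plain http://, as do the exploit-page link later in the same sentence and the image link on line 34; if upstream serves these pages over HTTPS, point all three at https:// so that a paragraph about a compromised build toolchain does not send readers over an unauthenticated connection. While this line is being touched, add the comma missing after the Webmin link ("Webmin, a popular web-based application") and change "lay dormant" to "lie dormant".</p>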
<br>
</li>

</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #777;">

<br>
<a href="https://salsa.debian.org/reproducible-builds/reproducible-website/commit/baecbbefcc4fd0b88c989496721a30a23312a088">View it on GitLab</a>.


</p>
</div>
</body>
</html>