The main difference between the Webmin RCE and similar build infrastructure attacks in proprietary tools is that since Webmin is FOSS, it has the opportunity to use Reproducible Builds so we all can detect this kind of attack in the future.

@kyle on the bad side, the backdoor was unknown by the developers for over a year (they knew there was a vulnerability but thought it was their code). On the good, FOSS-enabled side, it was detected, and it was only in the SourceForge repository, not the GitHub repository. And it's fixed now, and people who look for that sort of thing are aware of another vulnerability.
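The check these two posts describe, a distributed release tarball compared file by file against the source tree in the public VCS so a modification made only in the download channel stands out, as an added example (not code from the thread or from the Webmin project; the file names and tree contents are constructed for the demonstration):

```python
import hashlib
import io
import tarfile


def digest_tarball(tar_bytes: bytes) -> dict:
    """Map each regular file in a release tarball (top-level dir stripped) to its SHA-256."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isfile():
                path = member.name.split("/", 1)[-1]
                digests[path] = hashlib.sha256(tar.extractfile(member).read()).hexdigest()
    return digests

def digest_tree(files: dict) -> dict:
    """Same mapping for a VCS checkout, given here as an in-memory {path: bytes} dict."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}

def compare(release: dict, vcs: dict) -> dict:
    """Report files whose content differs and files present on only one side."""
    return {
        "modified": sorted(p for p in release if p in vcs and release[p] != vcs[p]),
        "only_in_release": sorted(set(release) - set(vcs)),
        "only_in_vcs": sorted(set(vcs) - set(release)),
    }

def build_tarball(files: dict, prefix: str) -> bytes:
    """Pack {path: bytes} into a gzipped tarball under prefix/ (used to construct the sample)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in sorted(files.items()):
            info = tarfile.TarInfo(name=f"{prefix}/{path}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample data (hypothetical file names): the VCS tree, and a release
# tarball in which one file was altered after the source was committed.
VCS_TREE = {"example.cgi": b"#!/usr/bin/perl\nprint 'ok';\n",
            "lib/helper.pl": b"package Helper;\n1;\n"}
RELEASE_TREE = dict(VCS_TREE, **{"example.cgi": b"#!/usr/bin/perl\nprint 'altered';\n"})
RELEASE_TARBALL = build_tarball(RELEASE_TREE, "project-1.0")

def audit() -> dict:
    """Compare the release tarball against the VCS tree; example.cgi should be flagged."""
    return compare(digest_tarball(RELEASE_TARBALL), digest_tree(VCS_TREE))

if __name__ == "__main__":
    print(audit())
```

Against a real project the VCS side would come from a checkout at the release tag, and a clean run (all three lists empty) is only meaningful when the tarball is supposed to be a plain archive of that tag.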

Librem Social is an opt-in public network. Messages are shared under Creative Commons BY-SA 4.0 license terms. Policy.