A developer of some Ruby Gems pulled the code as a statement against certain entities (Department of Homeland Security — DHS) ultimately using the code. Chef gets owned in the process.
ZDNet has a good rundown of the incident:
https://www.zdnet.com/article/developer-takes-down-ruby-library-after-he-finds-out-ice-was-using-it/
It seems that developers at Chef may have used an old copy of the dev's code to get things back up and running again, which seems like exactly the wrong approach.
(Score: 1, Informative) by Anonymous Coward on Monday September 23 2019, @05:33AM (4 children)
From what I've read [soylentnews.org], webmin is a particularly good choice if you want to outsource your server administration or allow multiple people to do so.
(Score: 1, Touché) by Anonymous Coward on Monday September 23 2019, @06:56AM (2 children)
Just so. Especially if you don't care *which* "multiple people" have such access, as Webmin is notoriously insecure.
cf. https://www.google.com/search?q=webmin+security+issues [google.com]
(Score: 0) by Anonymous Coward on Tuesday September 24 2019, @06:28AM (1 child)
You obviously didn't notice the first part of that comment linked to a story titled "Webmin Backdoored for Over a Year."
(Score: 0) by Anonymous Coward on Tuesday September 24 2019, @06:54AM
I did not. But that doesn't invalidate my post. In fact, I think it dovetailed nicely with GP's.
What's more, I upmodded GP once I saw the posting to which the link pointed.
(Score: 2) by RS3 on Wednesday September 25 2019, @05:40AM
Only if you allow access to it from the outside. I run servers on non-routable address subnets, and only allow webmin access from specific internal IP addresses.
That said, I don't have, nor have I ever, deployed webmin on an ongoing basis; I've just tried it from time to time, and frankly I don't like what it does to my config files. I wouldn't mind if it would just edit or add certain specific parameters, but it rewrites the whole thing, so bye-bye.