Updated the setup.sh script to use MD5 password encryption by default, on systems where Perl supports it.
Fixed a security hole in the maketemp.pl script, used to create the /tmp/.webmin directory at install time. If an un-trusted user creates this directory before Webmin is installed, he could create in it a symbolic link pointing to a critical file on the system, which would be overwritten when Webmin writes to the link filename (CVE bug CAN-2004-0559).
When PAM is used for Unix authentication, expired passwords are now detected and the user is prompted to select a new password (if this feature is enabled on the Webmin Configuration module).
Make all functions in ui-lib.pl themable, allowing themes to have more detailed control over modules that make use of this library.
Updated all modules to call ui_print_header instead of calling header and printing <hr>, so that themes can avoid the <hr>. Also updated the MSC theme to do this.
When installing a module from the command line, by it will be granted to the same users who receive new modules when Webmin is upgraded. By default, this is root and admin.
Added basic support for multiple root directories, so that Webmin modules can be separated into core and third-party on the filesystem.
When installing or upgrading Webmin, password timeouts are now enabled by default. This protects against brute-force password guessing attacks.
All subheadings have been reduced in size when using the default MSC theme.
All modules now use a new API for writing to configuration files, which ensures that the file does not get written to or truncated if the system is out of disk space.
On Solaris systems that support RBAC, available modules and access rights can now be derived from RBAC for selected users. This can be enabled on a per-user or per-module basic in the Webmin Users module.
Added a new Global ACL control option to limit a user to read-only mode. This does not yet support all modules, but in those that are supported any changes the user makes will simply not take effect.
Restarting of Webmin is now much faster in some modules that do not need a full configuration reload, due to the addition of a function that justs tells miniserv.pl to re-read its config file.
Added basic support for running Webmin on Windows system with ActiveState Perl installed. The new setup.pl install script must be used, as the setup.sh shell script cannot run on Windows.
Fixed a bug that could allow a remote attack if the option to use full PAM conversations is enabled.
Improved the Webmin RPM to not lose the /etc/webmin directory when upgrading from an RPM by another vendor (like Mandrake or DAG).
Updated almost all modules that use tables to use the new ui_columns functions. This allows themes to do highlighting when a row is moved over or selected.
Added a new ‘Simple Blue’ theme, which uses fewer images and does table row highlighting.
Changed the way that Webmin log diff files are stored, so that they are categorized by action and not all in one huge directory.
Module configuration files can now be named based on the real operating system types, such as config-Ubuntu-Linux, which would be used in preference to config-debian-linux.
When a large file is uploaded, it is no longer read into memory by miniserv.pl.
Update the code that fetches mirror sites from Sourceforge, to handle their new website design.
Changed the default theme for all installs to the new framed blue theme.
Updated all rows of links (like select all, invert selection, add something) above tables to use a separator between links.
Added caching for sudo capable user checks, to avoid excessive slow calls to sudo.
Fixed a memory leak when running under ActiveState Perl on Windows.