Hello community, here is the log from the commit of package openvas-manager for openSUSE:Factory checked in at 2013-11-13 09:45:03 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/openvas-manager (Old) and /work/SRC/openSUSE:Factory/.openvas-manager.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openvas-manager" Changes: -------- --- /work/SRC/openSUSE:Factory/openvas-manager/openvas-manager.changes 2013-11-04 15:42:28.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.openvas-manager.new/openvas-manager.changes 2013-11-13 09:45:04.000000000 +0100 @@ -1,0 +2,6 @@ +Tue Nov 12 10:44:56 UTC 2013 - [email protected] + +- Update in 4.0.4 + * Security fix for handling the authentication state in OMP. + +------------------------------------------------------------------- Old: ---- openvas-manager-4.0.3.tar.gz New: ---- openvas-manager-4.0.4.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ openvas-manager.spec ++++++ --- /var/tmp/diff_new_pack.jdvMoi/_old 2013-11-13 09:45:05.000000000 +0100 +++ /var/tmp/diff_new_pack.jdvMoi/_new 2013-11-13 09:45:05.000000000 +0100 @@ -17,7 +17,7 @@ Name: openvas-manager -Version: 4.0.3 +Version: 4.0.4 Release: 5.1 Url: http://www.openvas.org Source0: %{name}-%{version}.tar.gz ++++++ openvas-manager-4.0.3.tar.gz -> openvas-manager-4.0.4.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvas-manager-4.0.3/CHANGES new/openvas-manager-4.0.4/CHANGES --- old/openvas-manager-4.0.3/CHANGES 2013-10-21 21:56:16.000000000 +0200 +++ new/openvas-manager-4.0.4/CHANGES 2013-11-08 15:41:30.000000000 +0100 
@@ -1,3 +1,28 @@ +openvas-manager 4.0.4 (2013-11-08) + +This is the fourth maintenance release of the openvas-manager 4.0 module for the +Open Vulnerability Assessment System release 6 (OpenVAS-6). The OpenVAS Manager +is the central management service between the actual security scanner and +various user clients. + +This is a security release addressing a serious security bug and it is highly +recommended to update any installation of OpenVAS Manager 4.0 with this +release. + +A software bug in OpenVAS Manager allowed an attacker to bypass the OMP +authentication procedure. The attack vector was remotely available in case +OpenVAS Manager was listening on a public network interface. In case of +successful attack, the attacker gained partial rights to execute OMP commands. +The bypass authentication was, however, incomplete and several OMP commands +failed to execute properly. + +Many thanks to everyone who has contributed to this release: +Matthew Mundell. + +Main changes since 4.0.3: +* Security fix for handling the authentication state in OMP. + + openvas-manager 4.0.3 (2013-10-21) This is the third maintenance release of the openvas-manager 4.0 module for the diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvas-manager-4.0.3/CMakeLists.txt new/openvas-manager-4.0.4/CMakeLists.txt --- old/openvas-manager-4.0.3/CMakeLists.txt 2013-10-20 19:43:31.000000000 +0200 +++ new/openvas-manager-4.0.4/CMakeLists.txt 2013-11-08 15:41:30.000000000 +0100 
@@ -79,7 +79,7 @@ set (CPACK_PACKAGE_VERSION_MINOR "0") # Use this scheme for stable releases: -set (CPACK_PACKAGE_VERSION_PATCH "3${SVN_REVISION}") +set (CPACK_PACKAGE_VERSION_PATCH "4${SVN_REVISION}") set (CPACK_PACKAGE_VERSION "${CPACK_PACKAGE_VERSION_MAJOR}.${CPACK_PACKAGE_VERSION_MINOR}.${CPACK_PACKAGE_VERSION_PATCH}") # Use this scheme for +betaN and +rcN releases: #set (CPACK_PACKAGE_VERSION_PATCH "+beta1${SVN_REVISION}") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvas-manager-4.0.3/ChangeLog new/openvas-manager-4.0.4/ChangeLog --- old/openvas-manager-4.0.3/ChangeLog 2013-10-21 21:57:07.000000000 +0200 +++ new/openvas-manager-4.0.4/ChangeLog 2013-11-08 15:41:30.000000000 +0100 @@ -1,3 +1,21 @@ +2013-11-08 Michael Wiegand <[email protected]> + + Preparing the openvas-manager 4.0.4 release. + + * CHANGES: Updated. + +2013-11-08 Michael Wiegand <[email protected]> + + * src/omp.c (omp_xml_handle_end_element): In GET_VERSION use correct + state in condition, otherwise the user is always considered + authenticated after GET_VERSION. Patch by Matthew Mundell. + +2013-10-21 Jan-Oliver Wagner <[email protected]> + + Post release version bump. + + * CMakeLists.txt: Update version number to 4.0.4. + 2013-10-21 Jan-Oliver Wagner <[email protected]> Preparing the openvas-manager 4.0.3 release. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvas-manager-4.0.3/src/omp.c new/openvas-manager-4.0.4/src/omp.c --- old/openvas-manager-4.0.3/src/omp.c 2013-10-20 19:43:28.000000000 +0200 +++ new/openvas-manager-4.0.4/src/omp.c 2013-11-08 15:41:30.000000000 +0100 
@@ -10918,7 +10918,7 @@
 " status_text=\"" STATUS_OK_TEXT "\">"
 "<version>4.0</version>"
 "</get_version_response>");
- if (client_state)
+ if (client_state == CLIENT_GET_VERSION_AUTHENTIC)
 set_client_state (CLIENT_AUTHENTIC);
 else
 set_client_state (CLIENT_TOP);
-- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
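Review bot: The corrected test in the GET_VERSION branch has no comment recording why it must name `CLIENT_GET_VERSION_AUTHENTIC` explicitly, and that is the whole security property here: per the ChangeLog, the old `if (client_state)` left the user always considered authenticated after GET_VERSION, presumably because the unauthenticated GET_VERSION state is also non-zero. I would add above the `if` something like `/* Only the authenticated GET_VERSION state may return to CLIENT_AUTHENTIC; every other state falls back to CLIENT_TOP. */`. The enclosing function (omp_xml_handle_end_element according to the ChangeLog) starts and ends outside this hunk, so its other branches should be checked for the same truthiness test on `client_state`; whether any exist cannot be seen from here. A regression test asserting that a command requiring authentication is still refused after an unauthenticated GET_VERSION would keep this from reappearing.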
