Hello community,
here is the log from the commit of package openvas-administrator for
openSUSE:Factory checked in at 2013-11-13 09:44:58
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openvas-administrator (Old)
and /work/SRC/openSUSE:Factory/.openvas-administrator.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openvas-administrator"
Changes:
--------
---
/work/SRC/openSUSE:Factory/openvas-administrator/openvas-administrator.changes
2013-11-04 15:42:05.000000000 +0100
+++
/work/SRC/openSUSE:Factory/.openvas-administrator.new/openvas-administrator.changes
2013-11-13 09:44:59.000000000 +0100
@@ -1,0 +2,6 @@
+Tue Nov 12 10:53:37 UTC 2013 - [email protected]
+
+- Update in 1.3.2
+ * Security fix for handling the authentication state in OAP.
+
+-------------------------------------------------------------------
Old:
----
openvas-administrator-1.3.1.tar.gz
New:
----
openvas-administrator-1.3.2.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openvas-administrator.spec ++++++
--- /var/tmp/diff_new_pack.u0UDsM/_old 2013-11-13 09:45:00.000000000 +0100
+++ /var/tmp/diff_new_pack.u0UDsM/_new 2013-11-13 09:45:00.000000000 +0100
@@ -18,7 +18,7 @@
Name: openvas-administrator
-Version: 1.3.1
+Version: 1.3.2
Release: 2.2
License: GPL-2.0+
Group: Productivity/Networking/Security
++++++ openvas-administrator-1.3.1.tar.gz -> openvas-administrator-1.3.2.tar.gz
++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openvas-administrator-1.3.1/CHANGES
new/openvas-administrator-1.3.2/CHANGES
--- old/openvas-administrator-1.3.1/CHANGES 2013-10-25 08:44:26.000000000
+0200
+++ new/openvas-administrator-1.3.2/CHANGES 2013-11-08 15:38:36.000000000
+0100
@@ -1,3 +1,28 @@
+openvas-administrator 1.3.2 (2013-11-08)
+
+This is the second maintenance release of the OpenVAS Administrator 1.3, the
+local and remote administrative tool for the Open Vulnerability Assessment
+System release 6 (OpenVAS-6).
+
+This is a security release addressing a very serious security bug and it is
highly
+recommended to update any installation of OpenVAS Administrator 1.3 with this
+release.
+
+A software bug in OpenVAS Administrator allowed an attacker to bypass the OAP
+authentication procedure. The attack vector was remotely available in case
+OpenVAS Administrator was listening on a public network interface. In case of
+successful attack, the attacker was able to create and modify users and could
+use the gained privileges to take control over an OpenVAS installation if the
+Scanner and/or Manager instances controlled by this Administrator instance were
+also listening on public network interfaces.
+
+Many thanks to everyone who has contributed to this release:
+Matthew Mundell.
+
+Main changes since 1.3.1:
+* Security fix for handling the authentication state in OAP.
+
+
openvas-administrator 1.3.1 (2013-10-25)
This is the first maintenance release of the OpenVAS Administrator 1.3, the
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openvas-administrator-1.3.1/CMakeLists.txt
new/openvas-administrator-1.3.2/CMakeLists.txt
--- old/openvas-administrator-1.3.1/CMakeLists.txt 2013-10-20
19:47:13.000000000 +0200
+++ new/openvas-administrator-1.3.2/CMakeLists.txt 2013-11-08
15:38:36.000000000 +0100
@@ -78,7 +78,7 @@
set (CPACK_TOPLEVEL_TAG "")
set (CPACK_PACKAGE_VERSION_MAJOR "1")
set (CPACK_PACKAGE_VERSION_MINOR "3")
-set (CPACK_PACKAGE_VERSION_PATCH "1${SVN_REVISION}")
+set (CPACK_PACKAGE_VERSION_PATCH "2${SVN_REVISION}")
set (CPACK_PACKAGE_VERSION
"${CPACK_PACKAGE_VERSION_MAJOR}.${CPACK_PACKAGE_VERSION_MINOR}.${CPACK_PACKAGE_VERSION_PATCH}")
# Use this scheme for +betaN and +rcN releases:
#set (CPACK_PACKAGE_VERSION_PATCH "+beta1${SVN_REVISION}")
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openvas-administrator-1.3.1/ChangeLog
new/openvas-administrator-1.3.2/ChangeLog
--- old/openvas-administrator-1.3.1/ChangeLog 2013-10-25 08:45:54.000000000
+0200
+++ new/openvas-administrator-1.3.2/ChangeLog 2013-11-08 15:38:36.000000000
+0100
@@ -1,3 +1,24 @@
+2013-11-08 Michael Wiegand <[email protected]>
+
+ Preparing for the 1.3.2 release.
+
+ * CHANGES: Updated.
+
+2013-11-08 Michael Wiegand <[email protected]>
+
+ * src/oap.c (client_state_t): Add CLIENT_VERSION_AUTHENTIC.
+ (oap_xml_handle_start_element): Use authentic state for GET_VERSION
+ when authenticated.
+ (oap_xml_handle_end_element): In GET_VERSION set client state
+ according to current state, otherwise the user is alway considered
+ authenticated after GET_VERSION. Patch by Matthew Mundell.
+
+2013-10-25 Jan-Oliver Wagner <[email protected]>
+
+ Post release version bump.
+
+ * CMakeLists.txt: Updated version number to 1.3.2.
+
2013-10-25 Jan-Oliver Wagner <[email protected]>
Preparing for the 1.3.1 release.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/openvas-administrator-1.3.1/src/oap.c
new/openvas-administrator-1.3.2/src/oap.c
--- old/openvas-administrator-1.3.1/src/oap.c 2013-10-20 19:47:13.000000000
+0200
+++ new/openvas-administrator-1.3.2/src/oap.c 2013-11-08 15:38:36.000000000
+0100
@@ -757,7 +757,8 @@
CLIENT_SYNC_FEED,
CLIENT_SYNC_SCAP,
CLIENT_SYNC_CERT,
- CLIENT_VERSION
+ CLIENT_VERSION,
+ CLIENT_VERSION_AUTHENTIC
} client_state_t;
/**
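Review bot: The new enumerator `CLIENT_VERSION_AUTHENTIC` is added next to `CLIENT_VERSION` without a comment, and the names alone do not say that authentication status is now encoded in the parser state for this command. I would document both, for example `CLIENT_VERSION, /* GET_VERSION on a session that has not authenticated. */` and `CLIENT_VERSION_AUTHENTIC /* GET_VERSION on an authenticated session. */`. That way anyone adding another command that is accepted before authentication can see the pattern to follow. The enum starts outside this hunk, so the existing comment style could not be checked.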
@@ -1215,7 +1216,7 @@
else if (strcasecmp ("GET_SETTINGS", element_name) == 0)
set_client_state (CLIENT_GET_SETTINGS);
else if (strcasecmp ("GET_VERSION", element_name) == 0)
- set_client_state (CLIENT_VERSION);
+ set_client_state (CLIENT_VERSION_AUTHENTIC);
else if (strcasecmp ("MODIFY_AUTH", element_name) == 0)
set_client_state (CLIENT_MODIFY_AUTH);
else if (enable_modify_settings
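Review bot: The replacement `set_client_state (CLIENT_VERSION_AUTHENTIC);` is only correct if this `else if` chain is reached solely by authenticated clients, and the enclosing `case` label is outside the hunk, so that cannot be confirmed from here. A one-line comment above the call would record the assumption: `/* Authenticated branch: the end handler returns to CLIENT_AUTHENTIC. */`. The unauthenticated GET_VERSION branch, presumably elsewhere in oap_xml_handle_start_element, must keep `CLIENT_VERSION`. It is worth confirming that no other path can set the new state.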
@@ -2659,11 +2660,15 @@
break;
case CLIENT_VERSION:
+ case CLIENT_VERSION_AUTHENTIC:
SEND_TO_CLIENT_OR_FAIL ("<get_version_response" " status=\"" STATUS_OK
"\"" " status_text=\"" STATUS_OK_TEXT "\">"
"<version preferred=\"yes\">1.1</version>"
"</get_version_response>");
- set_client_state (CLIENT_AUTHENTIC);
+ if (client_state == CLIENT_VERSION_AUTHENTIC)
+ set_client_state (CLIENT_AUTHENTIC);
+ else
+ set_client_state (CLIENT_TOP);
break;
default:
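Review bot: No regression test accompanies the change to the `CLIENT_VERSION` end-element case: the tarball diff touches only CHANGES, CMakeLists.txt, ChangeLog and src/oap.c. A test that sends GET_VERSION on a connection that has not authenticated, then checks that a following command from the authenticated branch such as GET_SETTINGS is still refused, would pin the fix. Any other `case CLIENT_VERSION:` in oap.c (for instance an error path for unexpected child elements, if one exists) is not visible here and should be checked for the same unconditional `set_client_state (CLIENT_AUTHENTIC);`. A short comment on the new branch, e.g. `/* Never promote: return to the state the client was in before GET_VERSION. */`, would explain why the `else` falls back to `CLIENT_TOP`. The switch starts and ends outside the hunk.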