Hi, i'm having some problems with php in my openvas reports. The thing is that for instance, Ubuntu LTS systems, doesn't change its php version during its hole life, so openvas reports me a lot of vulnerabilities related to the php version. But most of the vulnerabilites has been fixed by the ubuntu team, so they're false positives after all.
I've run openvas to this two VMs: 1-A vm with Ubuntu 8.04 LTS without any update, running PHP 5.2.4-2ubuntu5. 2-A vm with Ubuntu 8.04 LTS totally updated, running PHP 5.2.4-2ubuntu5.25. Both tests reported exactly the same PHP warnings. I've checked all the CVEs involved in these warnings and all of them has been patched in the latest php version (5.2.4-2ubuntu5.25). I've tried nexpose too and it has the same behaviour, i also tried nessus and it really dissapointed me... nessus didn't show any php warning at all. I'd like to reduce this false positives. I assume this happens because openvas is just checking for the php version (5.2.4), and it's not using the rest of the information (2ubuntu.5.25). I also imagine, that every distribution has its own way for naming its updates, so it can't be easy to support all of them. Is there any way we could make this tests more specific? I mean, if i had certain information for instance "Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5 with Suhosin...." i could search somewhere (maybe in the ubuntu CVE tracker? or a local db) wich of the vulnerabilites found in the PHP 5.2.4 version weren't patched in this particular version 5.2.4-2ubuntu5, and report that. I don't know if i was clear enough, but i did my best :D. -- Pavlik Juan José
_______________________________________________ Openvas-discuss mailing list [email protected] http://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
