On 2016-01-12 07:29, Guillaume Castagnino wrote:
Hi,
I have the same issue since the last gnutls CVE fix on Ubuntu (14.04):
http://launchpadlibrarian.net/233330701/gnutls26_2.12.23-12ubuntu2.3_2.12.23-12ubuntu2.4.diff.gz
The fix removes the fallback using extensions in certificate to negotiate
cipher. This exposes a bug in openvas library.
Find attached my fix for openvas8. The problem is that the "SECURE"
priority string does not exist (see
http://www.gnutls.org/manual/html_node/Priority-Strings.html). I don’t
know why gnutls_priority_set_direct does not issue an error, but this
is the cause of the bug.
Bye !
On Tuesday 12 January 2016 07:18:49, James Lay wrote:
On Tue, 2016-01-12 at 15:01 +0100, Paula Gonzalez Muñoz wrote:
> What distribution is openvas installed at? How did you install it?
> How did you upgrade?
>
> Sent from my mobile device.
>
>
> On 12 Jan. 2016 2:59 p.m., "Reindl Harald" <[email protected]> wrote:
>
> On 12.01.2016 at 14:46, James Lay wrote:
> Topic says it....after doing an upgrade from libgnutls26:amd64 to
> libgnutls-openssl27:amd64 I now get:
>
> Login failed. OMP service is down.
>
> openvasmd.log shows:
>
> lib serv:WARNING:2016-01-12 13h36.10 utc:1749: Failed to shake hands with peer: A TLS packet with unexpected length was received.
> lib serv:WARNING:2016-01-12 13h36.10 utc:1749: Failed to shutdown server socket
> md main:CRITICAL:2016-01-12 13h36.10 utc:1749: serve_client: failed to attach client session to socket 9
> lib serv:WARNING:2016-01-12 13h36.10 utc:1749: Failed to gnutls_bye: GnuTLS internal error.
>
> Besides downgrading, is there something I can look at to fix this?
> Thank you
>
> http://www.catb.org/esr/faqs/smart-questions.html#beprecise
>
>
> _______________________________________________
> Openvas-discuss mailing list
> [email protected]
> https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
From here:
https://launchpad.net/~mrazavi/+archive/ubuntu/openvas
Ubuntu 14.04....looks like I'm not the only one as I see others are
having the initial NVT cache rebuild issue. Thank you.
James
Those of you who absolutely need this to work (like me) you can attempt
the below...I would make sure you back up your systems beforehand...so
far this has been successful in downgrading:
sudo apt-get update
sudo service openvas-gsa stop
sudo service openvas-manager stop
sudo service openvas-scanner stop
cd /var/cache/apt/archives/
sudo dpkg -i --force-downgrade libgnu*2.3*
sudo echo "libgnutls26 hold" | sudo dpkg --set-selections
sudo echo "libgnutls-openssl27 hold" | sudo dpkg --set-selections
Once the issues get resolved you can use the below to release and allow
libgnutls26 and libgnutls-openssl27 to upgrade:
sudo echo "libgnutls26 install" | sudo dpkg --set-selections
sudo echo "libgnutls-openssl27 install" | sudo dpkg --set-selections
So far so good...I've also sent the patch (thanks Guillaume!) to
Mohammad Razavi in the hopes he can update the ppa. Good luck...an
unpleasant surprise.
James
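Added example, not part of any message in this thread: a small Python triage helper that parses openvasmd.log lines in the layout quoted above and reports each case where a failed TLS handshake is followed, in the same process and second, by the manager dropping the client session. The field layout is inferred from the four quoted lines; the function names and the pid-plus-second grouping are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# The four log lines quoted in the thread, re-joined onto one line each.
SAMPLE_LOG = """\
lib serv:WARNING:2016-01-12 13h36.10 utc:1749: Failed to shake hands with peer: A TLS packet with unexpected length was received.
lib serv:WARNING:2016-01-12 13h36.10 utc:1749: Failed to shutdown server socket
md main:CRITICAL:2016-01-12 13h36.10 utc:1749: serve_client: failed to attach client session to socket 9
lib serv:WARNING:2016-01-12 13h36.10 utc:1749: Failed to gnutls_bye: GnuTLS internal error.
"""

# Assumed layout: domain:LEVEL:date time tz:pid: message
LINE_RE = re.compile(
    r"^(?P<domain>[^:]+):\s*(?P<level>[A-Z]+):"
    r"(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}h\d{2}\.\d{2}) \w+:"
    r"(?P<pid>\d+): (?P<msg>.*)$"
)
HANDSHAKE = "Failed to shake hands with peer: "
ATTACH = "serve_client: failed to attach client session"


def parse(text):
    """Yield (timestamp, pid, level, message) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip wrapped fragments and unrelated lines
        ts = datetime.strptime(m["date"] + " " + m["time"], "%Y-%m-%d %Hh%M.%S")
        yield ts, int(m["pid"]), m["level"], m["msg"]


def failed_sessions(text):
    """Report handshake failures that ended with the client session dropped."""
    groups = defaultdict(list)
    for ts, pid, level, msg in parse(text):
        groups[(pid, ts)].append((level, msg))  # heuristic: same pid, same second
    incidents = []
    for (pid, ts), events in sorted(groups.items()):
        reasons = [m[len(HANDSHAKE):] for _, m in events if m.startswith(HANDSHAKE)]
        dropped = any(l == "CRITICAL" and m.startswith(ATTACH) for l, m in events)
        if reasons and dropped:
            incidents.append({"pid": pid, "time": ts.isoformat(), "tls_error": reasons[0]})
    return incidents


if __name__ == "__main__":
    for incident in failed_sessions(SAMPLE_LOG):
        print(incident)
```
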