Re: [Openvas-discuss] Revision of non-free plugins in OpenVAS' SVN
On Wednesday, 7 November 2007, Javier Fernandez-Sanguino wrote:
> 2007/11/6, Jan-Oliver Wagner [EMAIL PROTECTED]:
> > | ...done
> > | 1597 FREE plugins that depend on NON-FREE found
> > | Please fix this and rerun the script
> >
> > of course, the number is incorrect if run in a SVN checkout.
>
> ¿Why is it incorrect?

e.g.:

...
Checking for use of backport.inc...
31 files depend on this NON-FREE include file:
../scripts/.svn/text-base/php_split_mime.nasl.svn-base
../scripts/.svn/text-base/apache_conn_block.nasl.svn-base
../scripts/.svn/text-base/openssh_channel.nasl.svn-base
../scripts/.svn/text-base/samihttp_1_0_4.nasl.svn-base
../scripts/.svn/text-base/apache_log_injection.nasl.svn-base
../scripts/.svn/text-base/openssh_uselogin_environment.nasl.svn-base
../scripts/.svn/text-base/apache_mod_proxy_buff_overflow.nasl.svn-base
../scripts/.svn/text-base/apache_mod_include_priv_escalation.nasl.svn-base
../scripts/.svn/text-base/mod_ssl_hook_functions_format_string_vuln.nasl.svn-base
../scripts/.svn/text-base/ssh_forwarding.nasl.svn-base
../scripts/.svn/text-base/openssh_afs.nasl.svn-base
../scripts/.svn/text-base/apache_access_wo_netmask.nasl.svn-base
../scripts/.svn/text-base/apache_htpasswd_overflow.nasl.svn-base
../scripts/.svn/text-base/apache_input_header_folding_dos.nasl.svn-base
../scripts/.svn/text-base/php_strip_tags_memory_limit_vuln.nasl.svn-base
../scripts/.svn/entries
../scripts/php_split_mime.nasl
../scripts/apache_conn_block.nasl
../scripts/openssh_channel.nasl
../scripts/samihttp_1_0_4.nasl
../scripts/apache_log_injection.nasl
../scripts/openssh_uselogin_environment.nasl
../scripts/apache_mod_proxy_buff_overflow.nasl
../scripts/apache_mod_include_priv_escalation.nasl
../scripts/mod_ssl_hook_functions_format_string_vuln.nasl
../scripts/openssh_afs.nasl
../scripts/ssh_forwarding.nasl
../scripts/apache_access_wo_netmask.nasl
../scripts/apache_htpasswd_overflow.nasl
../scripts/apache_input_header_folding_dos.nasl
../scripts/php_strip_tags_memory_limit_vuln.nasl
...done
...

> > Next, what am I asked to fix here? Implement the inc files? ;-)
>
> Well, I have *removed* them in the Debian nessus-plugins package or,
> in some cases, replaced them with *older* versions which did not
> include the inc files. With some grep+find magic you can do this in a
> semi-automatic way (by running the script under different releases
> and finding which scripts do not show up as depending on unavailable
> inc files in those).

yes, I fear we need to go through the scripts and do this work. It is
probably best to organize this process in a way that certain groups of
scripts are addressed and being worked on.

I choose the Debian local security checks as a group to get them
running as good as possible. And they do, based on the debian_DSA* from
nessus 2.2.10 and support nasl and inc files I assembled from older
version, were contributed by Thomas or wrote myself.

> You might want to take a look at the Debian patches of nessus-plugins
> 2.2.10 (available at packages.debian.org) to see which scripts I
> replaced with older versions.

I have these packages over here and always use them for comparison
purposes.

> > IMHO this has more informative character than a license problem.
> > Am I wrong?
>
> If you leave these in and distribute them whenever the OpenVAS server
> starts it will complain (when loading the NASL files) that it does
> not find the .inc files X, Y or Z. Since the NASL scripts will not be
> enabled (and run) in the server it makes more sense to either remove
> them or not distribute them (excluding them from the tar.gz that gets
> built but keeping them in the sources)

I'd vote for leaving them in as long as we have not reached 1.0.0 of
openvas-plugins. But maybe even keep them in but not sign them. Or
clearly communicate which groups of NVTs we have verified to be
complete. We have several options apparently.

Best

Jan

--
Dr. Jan-Oliver Wagner
Intevation GmbH, Osnabrück
Amtsgericht Osnabrück, HR B 18998
http://www.intevation.de/
Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

_______________________________________________
Openvas-discuss mailing list
Openvas-discuss@wald.intevation.org
http://lists.wald.intevation.org/mailman/listinfo/openvas-discuss

Re: [Openvas-discuss] Revision of non-free plugins in OpenVAS' SVN
2007/11/7, Jan-Oliver Wagner [EMAIL PROTECTED]:
> On Wednesday, 7 November 2007, Javier Fernandez-Sanguino wrote:
> > 2007/11/6, Jan-Oliver Wagner [EMAIL PROTECTED]:
> > > | ...done
> > > | 1597 FREE plugins that depend on NON-FREE found
> > > | Please fix this and rerun the script
> > >
> > > of course, the number is incorrect if run in a SVN checkout.
> >
> > ¿Why is it incorrect?
>
> e.g.:
>
> ...
> Checking for use of backport.inc...
> 31 files depend on this NON-FREE include file:
> ../scripts/.svn/text-base/php_split_mime.nasl.svn-base

That's a bug in the script, it should skip .svn directories. I will try
to fix that.

Regards

Javier

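The fix discussed in the message above (skipping .svn directories when listing the plugins that depend on an include file), as an added example that is not the audit-plugins script itself. The function names and the sample tree are constructed, and it assumes a dependency shows up as a literal include("NAME.inc") line in the plugin.

```shell
#!/bin/sh
# Added example; function names and the sample tree are constructed.
# Assumption: a plugin depends on an include file when it contains the
# literal text include("NAME.inc").

# Naive scan: every file under DIR, so Subversion's pristine copies in
# .svn/text-base/ are reported alongside the real plugins.
dependents_naive() {
    find "$2" -type f -exec grep -lF "include(\"$1\")" {} + | sort
}

# Fixed scan: prune .svn directories and read only NASL sources.
dependents_pruned() {
    find "$2" -type d -name .svn -prune -o \
        -type f \( -name '*.nasl' -o -name '*.inc' \) \
        -exec grep -lF "include(\"$1\")" {} + | sort
}

# Count the lines on stdin, without wc's padding.
count() { wc -l | tr -d ' '; }

# Build a throwaway SVN-style checkout and print its path.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/scripts/.svn/text-base"
    for p in apache_conn_block openssh_channel; do
        printf 'include("backport.inc");\n' > "$root/scripts/$p.nasl"
        cp "$root/scripts/$p.nasl" \
           "$root/scripts/.svn/text-base/$p.nasl.svn-base"
    done
    printf 'include("constructed_free.inc");\n' \
        > "$root/scripts/free_check.nasl"
    printf '%s\n' "$root"
}

tree=$(make_sample_tree)
echo "naive:  $(dependents_naive  backport.inc "$tree/scripts" | count) files"
echo "pruned: $(dependents_pruned backport.inc "$tree/scripts" | count) files"
rm -rf "$tree"
```
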
Re: [Openvas-discuss] Revision of non-free plugins in OpenVAS' SVN
On Tuesday, 6 November 2007, Jan-Oliver Wagner wrote:
> On Friday, 2 November 2007, Jan-Oliver Wagner wrote:
> > On Thursday, 1 November 2007, Javier Fernández-Sanguino Peña wrote:
> > > Since OpenVAS is based on the 2.2.9 release and, especially, on
> > > the Debian packages I wrote for that release, it might be
> > > worthwhile to do this review too. The output of the
> > > 'audit-plugins' script might be useful and could be a start point
> > > to cleaning the scripts/ dir of non-free stuff.
> >
> > here is the result we have to work on (there might be some false
> > positives though):
>
> After some cleanup this remains:
>
> Looking for non-free plugins...
> NON-FREE plugin backport.inc found
> NON-FREE plugin default_account.inc found
> NON-FREE plugin http_keepalive.inc found
> NON-FREE plugin imap_func.inc found
> NON-FREE plugin misc_func.inc found
> NON-FREE plugin nfs_func.inc found
> NON-FREE plugin pop3_func.inc found
> NON-FREE plugin smb_file_funcs.inc found
> NON-FREE plugin smb_nt.inc found
> NON-FREE plugin ssl_funcs.inc found
> NON-FREE plugin telnet_func.inc found
> NON-FREE plugin url_func.inc found
> 12 NON-FREE plugins found
>
> Each of these will deactivate some or even many of the nasl scripts
> when removed.
>
> Well, we do not have an option right now, so these inc-files have to
> be removed from the SVN repository.

done now.

--
Dr. Jan-Oliver Wagner
Intevation GmbH, Osnabrück
Amtsgericht Osnabrück, HR B 18998
http://www.intevation.de/
Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

Re: [Openvas-discuss] Revision of non-free plugins in OpenVAS' SVN
On Thursday, 1 November 2007, Javier Fernández-Sanguino Peña wrote:
> Since OpenVAS is based on the 2.2.9 release and, especially, on the
> Debian packages I wrote for that release, it might be worthwhile to
> do this review too. The output of the 'audit-plugins' script might be
> useful and could be a start point to cleaning the scripts/ dir of
> non-free stuff.

here is the result we have to work on (there might be some false
positives though):

Looking for non-free plugins...
NON-FREE plugin sasser_virus.nasl found
NON-FREE plugin scan_info.nasl found
NON-FREE plugin ssh_settings.nasl found
NON-FREE plugin zope_multiple_flaws.nasl found
NON-FREE plugin aix.inc found
NON-FREE plugin backport.inc found
NON-FREE plugin crypto_func.inc found
NON-FREE plugin default_account.inc found
NON-FREE plugin dump.inc found
NON-FREE plugin http_keepalive.inc found
NON-FREE plugin imap_func.inc found
NON-FREE plugin misc_func.inc found
NON-FREE plugin nfs_func.inc found
NON-FREE plugin pop3_func.inc found
NON-FREE plugin rpm.inc found
NON-FREE plugin smb_file_funcs.inc found
NON-FREE plugin smb_nt.inc found
NON-FREE plugin solaris.inc found
NON-FREE plugin ssl_funcs.inc found
NON-FREE plugin telnet_func.inc found
NON-FREE plugin url_func.inc found
21 NON-FREE plugins found

Best

Jan

--
Dr. Jan-Oliver Wagner
Intevation GmbH, Osnabrück
Amtsgericht Osnabrück, HR B 18998
http://www.intevation.de/
Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner

Re: [Openvas-discuss] Revision of non-free plugins in OpenVAS' SVN
Hello Javier,

thanks for your license audit scripts!

On Thursday, 1 November 2007, Javier Fernández-Sanguino Peña wrote:
> If somebody wants to get Tenable to add proper license headers to
> *all* of their plugins (nasl) and include files conforming to what
> has been done in the past (GPL releases of the nessus-plugins package
> and GPL feeds) I can provide them with 4 years' worth of code (from
> the 1.3.1 to present) to dig in and sustain his/her arguments with.

I don't think this is really worth it to seek for an overall solution.
Maybe it will be interesting for single scripts, if at all.

Best

Jan

--
Dr. Jan-Oliver Wagner
Intevation GmbH, Osnabrück
Amtsgericht Osnabrück, HR B 18998
http://www.intevation.de/
Managing directors: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner