[Openvas-announce] OpenVAS Manager 2.0.3 released

Michael Wiegand michael.wiegand at greenbone.net
Fri Apr 15 15:53:42 CEST 2011


Hello,

The OpenVAS developers are happy to announce the release of OpenVAS
Manager 2.0.3. This is the third maintenance release of the
openvas-manager 2.0 module for the Open Vulnerability Assessment System
release 4 (OpenVAS-4). The OpenVAS Manager is the central management
service between the actual security scanner and various user clients.

This release fixes a severe security issue discovered after the release
of openvas-manager 2.0.2. By crafting a special report format plugin,
and knowing about the operating system on which OpenVAS Manager is
running, a rogue user was able to upload the plugin and execute
arbitrary code with the privileges of the user running the OpenVAS
Manager.

This release enforces strict permissions on sensitive OpenVAS Manager
files and will drop privileges when executing report format plugins if
it is running with potentially dangerous privileges. Furthermore, it
forces report formats to be trusted before executing them.

We strongly recommended upgrading existing installations of OpenVAS-4 to
openvas-manager 2.0.3.

Many thanks to everyone who has contributed to this release:
Henri Doreau, Matthew Mundell, Michael Wiegand and Jan-Oliver Wagner.

Main changes since 2.0.2:
* Enforces strict permissions on sensitive OpenVAS Manager files.
* Drop privileges before executing report format plugins if running with
  elevated privileges.
* Ensures report formats are trusted before executing them.

The source tarball for this release is available for download from the
OpenVAS website at http://www.openvas.org/. Binary packages for major
GNU/Linux distributions by third parties are expected in the following
weeks.

Regards,

Michael Wiegand

-- 
Michael Wiegand |  Greenbone Networks GmbH  |  http://www.greenbone.net/
Neuer Graben 17, 49074 Osnabrück, Germany | AG Osnabrück, HR B 202460
Executive Directors: Lukas Grunwald, Dr. Jan-Oliver Wagner



More information about the Openvas-announce mailing list