A CVE has been assigned for an issue fixed upstream in openvas-manager:
http://openwall.com/lists/oss-security/2014/12/03/1

The issue is fixed upstream in 4.0.6 and 5.0.7:
http://www.openvas.org/OVSA20141128.html

Guillaume has requested a freeze push for Cauldron. Mageia 4 is also affected.
Updated packages uploaded for Mageia 4.

Advisory:
========================

Updated openvas-manager packages fix a security vulnerability:

It has been identified that OpenVAS Manager before 4.0.6 is vulnerable to SQL injection due to improper handling of the timezone parameter in the modify_schedule OMP command. It has been identified that this vulnerability may allow read access via SQL for authorized user accounts which have permission to modify schedule objects (CVE-2014-9220).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9220
http://www.openvas.org/OVSA20141128.html
http://openwall.com/lists/oss-security/2014/12/03/1
========================

Updated packages in core/updates_testing:
========================
openvas-libraries-6.0.3-1.mga4
libopenvas6-6.0.3-1.mga4
libopenvas-devel-6.0.3-1.mga4
openvas-manager-4.0.6-1.mga4

from SRPMS:
openvas-libraries-6.0.3-1.mga4.src.rpm
openvas-manager-4.0.6-1.mga4.src.rpm
CC: (none) => guillomovitch
Assignee: guillomovitch => qa-bugs
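The advisory above describes the bug class only in one sentence: a schedule's timezone value reaches an SQL statement unescaped, so an account that is allowed to modify schedules can read data it should not see. The example below is an added illustration written for this page, not OpenVAS Manager's own code or schema. It uses a constructed in-memory SQLite database with hypothetical `users` and `schedules` tables, shows an UPDATE that splices the timezone into the statement text, and shows the same operation with a bound parameter. The payload is a string concatenation with a subselect, so the "injection" turns into read access: the attacker stores someone else's secret in a column they are later allowed to read back.

```python
import sqlite3

# Constructed demo schema (an assumption for this example, not the real
# OpenVAS Manager database): schedules belong to a user; the users table
# holds data a plain schedule owner must never be able to read.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password_hash TEXT);
CREATE TABLE schedules (id INTEGER PRIMARY KEY, owner INTEGER,
                        name TEXT, timezone TEXT);
INSERT INTO users VALUES (1, 'admin', 'hash-of-admin-secret');
INSERT INTO users VALUES (2, 'scanuser', 'hash-of-scanuser');
INSERT INTO schedules VALUES (10, 2, 'nightly', 'UTC');
"""

# Hypothetical payload: closes the quoted literal, concatenates a subselect,
# and reopens the literal so the statement stays syntactically valid.
PAYLOAD = "' || (SELECT password_hash FROM users WHERE name = 'admin') || '"


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def modify_schedule_vulnerable(conn, schedule_id, owner, timezone):
    # The caller-controlled timezone is formatted straight into the SQL text.
    # The owner check still runs, so only the attacker's own schedule row is
    # updated; that is exactly the "read access for authorized users" case.
    sql = ("UPDATE schedules SET timezone = '%s' WHERE id = %d AND owner = %d"
           % (timezone, schedule_id, owner))
    conn.execute(sql)
    conn.commit()


def modify_schedule_fixed(conn, schedule_id, owner, timezone):
    # Bound parameters: the driver sends the value separately from the
    # statement, so quotes and || inside it are data, not syntax.
    conn.execute(
        "UPDATE schedules SET timezone = ? WHERE id = ? AND owner = ?",
        (timezone, schedule_id, owner),
    )
    conn.commit()


def get_schedule_timezone(conn, schedule_id):
    # What the schedule owner is legitimately allowed to read back
    # (the equivalent of a later get_schedules request).
    row = conn.execute(
        "SELECT timezone FROM schedules WHERE id = ?", (schedule_id,)
    ).fetchone()
    return row[0]


def run_vulnerable():
    """scanuser (owner 2) modifies its own schedule with the payload."""
    conn = new_db()
    modify_schedule_vulnerable(conn, 10, 2, PAYLOAD)
    return get_schedule_timezone(conn, 10)


def run_fixed():
    """Same request against the parameterized version."""
    conn = new_db()
    modify_schedule_fixed(conn, 10, 2, PAYLOAD)
    return get_schedule_timezone(conn, 10)


if __name__ == "__main__":
    print("vulnerable stores:", run_vulnerable())  # the admin's secret
    print("fixed stores:     ", run_fixed())       # the payload text itself
```

With the vulnerable path the stored timezone is the admin's password hash, which the schedule owner then reads back through an operation they are authorized for; with the bound parameter the payload is stored verbatim and harmless. Parameterization is the fix; rejecting timezone values that are not known zone names is a reasonable extra check on top of it, not a substitute.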
MGA4-64 on HP Probook 6555b KDE. Installing these packages went OK. I was looking for a way to do a minimal test, but it seems this is not a complete installation of openvas. E.g. openvassd is missing. Is that OK for now?
CC: (none) => herman.viaene
(In reply to Herman Viaene from comment #2)
> MGA4-64 on HP Probook 6555b KDE. Installing these packages went OK. I was
> looking for a way to do a minimal test, but it seems this is not a complete
> installation of openvas. E.g. openvassd is missing. Is that OK for now?

Looking at what I can find of this package(s), the openvas.org project looks more to me like a career than a test. Unless Clair thinks otherwise, this may be one of those cases where we ensure that the package(s) install, then that updates from the package(s) in the updates_testing repo install cleanly, rather than perform any kind of specific test. I do not see an openvassd package anywhere in the repo.
CC: (none) => wilcal.int
(In reply to William Kenney from comment #3)
> I do not see an openvassd package anywhere in the repo.

It's part of the openvas-scanner package (urpmf is your friend).
(In reply to David Walser from comment #4)
> It's part of the openvas-scanner package (urpmf is your friend).

Is there any kind of a simple command to make it do anything? Just to make sure it works?

[root@localhost wilcal]# openvas-scanner
bash: openvas-scanner: command not found

openvas-scanner.service is there but not running, and I can't get it to run and do something.
Don't worry too much about it. It's unmaintained, and it appears the install section of the spec doesn't create the conf correctly, which prevents it from starting. There is no delay before restarting when it fails, so it loops and is then held back by systemd for restarting too quickly. Even replacing the @@ variables in the conf, it still complains. As long as this updates cleanly we can OK it.
In VirtualBox, M4, KDE, 32-bit

Package(s) under test: openvas-manager libopenvas6

default install of openvas-manager openvas-scanner & libopenvas6

[root@localhost wilcal]# urpmi openvas-manager
Package openvas-manager-4.0.2-2.mga4.i586 is already installed
[root@localhost wilcal]# urpmi openvas-scanner
Package openvas-scanner-3.4.0-2.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libopenvas6
Package libopenvas6-6.0.0-2.mga4.i586 is already installed

openvas-manager, openvas-scanner & libopenvas6 install without error.

install openvas-manager & libopenvas6 from updates_testing

[root@localhost wilcal]# urpmi openvas-manager
Package openvas-manager-4.0.6-1.mga4.i586 is already installed
[root@localhost wilcal]# urpmi libopenvas6
Package libopenvas6-6.0.3-1.mga4.i586 is already installed

openvas-manager & libopenvas6 install without error. No update to openvas-scanner.

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
This is good to go.

Testing complete for mga4 32-bit & 64-bit.

Validating the update.

Could someone from the sysadmin team push this to updates? Thanks.
Keywords: (none) => validated_update
Whiteboard: (none) => MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs
Bug 14938 created for openvas-server
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=14938
Advisory uploaded.
Whiteboard: MGA4-32-OK MGA4-64-OK => advisory MGA4-32-OK MGA4-64-OK
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGASA-2015-0001.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED
URL: (none) => http://lwn.net/Vulnerabilities/628617/