Hello community,
here is the log from the commit of package openvas-manager for openSUSE:Factory checked in at 2013-11-13 09:45:03
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openvas-manager (Old)
and /work/SRC/openSUSE:Factory/.openvas-manager.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "openvas-manager"
Changes:
--------
--- /work/SRC/openSUSE:Factory/openvas-manager/openvas-manager.changes 2013-11-04 15:42:28.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.openvas-manager.new/openvas-manager.changes 2013-11-13 09:45:04.000000000 +0100
@@ -1,0 +2,6 @@
+Tue Nov 12 10:44:56 UTC 2013 - johann.luce@wanadoo.fr
+
+- Update in 4.0.4
+ * Security fix for handling the authentication state in OMP.
+
+-------------------------------------------------------------------
Old:
----
openvas-manager-4.0.3.tar.gz
New:
----
openvas-manager-4.0.4.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ openvas-manager.spec ++++++
--- /var/tmp/diff_new_pack.jdvMoi/_old 2013-11-13 09:45:05.000000000 +0100
+++ /var/tmp/diff_new_pack.jdvMoi/_new 2013-11-13 09:45:05.000000000 +0100
@@ -17,7 +17,7 @@
Name: openvas-manager
-Version: 4.0.3
+Version: 4.0.4
Release: 5.1
Url: http://www.openvas.org
Source0: %{name}-%{version}.tar.gz
++++++ openvas-manager-4.0.3.tar.gz -> openvas-manager-4.0.4.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvas-manager-4.0.3/CHANGES new/openvas-manager-4.0.4/CHANGES
--- old/openvas-manager-4.0.3/CHANGES 2013-10-21 21:56:16.000000000 +0200
+++ new/openvas-manager-4.0.4/CHANGES 2013-11-08 15:41:30.000000000 +0100
@@ -1,3 +1,28 @@
+openvas-manager 4.0.4 (2013-11-08)
+
+This is the fourth maintenance release of the openvas-manager 4.0 module for the
+Open Vulnerability Assessment System release 6 (OpenVAS-6). The OpenVAS Manager
+is the central management service between the actual security scanner and
+various user clients.
+
+This is a security release addressing a serious security bug and it is highly
+recommended to update any installation of OpenVAS Manager 4.0 with this
+release.
+
+A software bug in OpenVAS Manager allowed an attacker to bypass the OMP
+authentication procedure. The attack vector was remotely available in case
+OpenVAS Manager was listening on a public network interface. In case of
+successful attack, the attacker gained partial rights to execute OMP commands.
+The bypass authentication was, however, incomplete and several OMP commands
+failed to execute properly.
+
+Many thanks to everyone who has contributed to this release:
+Matthew Mundell.
+
+Main changes since 4.0.3:
+* Security fix for handling the authentication state in OMP.
+
+
openvas-manager 4.0.3 (2013-10-21)
This is the third maintenance release of the openvas-manager 4.0 module for the
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvas-manager-4.0.3/CMakeLists.txt new/openvas-manager-4.0.4/CMakeLists.txt
--- old/openvas-manager-4.0.3/CMakeLists.txt 2013-10-20 19:43:31.000000000 +0200
+++ new/openvas-manager-4.0.4/CMakeLists.txt 2013-11-08 15:41:30.000000000 +0100
@@ -79,7 +79,7 @@
set (CPACK_PACKAGE_VERSION_MINOR "0")
# Use this scheme for stable releases:
-set (CPACK_PACKAGE_VERSION_PATCH "3${SVN_REVISION}")
+set (CPACK_PACKAGE_VERSION_PATCH "4${SVN_REVISION}")
set (CPACK_PACKAGE_VERSION "${CPACK_PACKAGE_VERSION_MAJOR}.${CPACK_PACKAGE_VERSION_MINOR}.${CPACK_PACKAGE_VERSION_PATCH}")
# Use this scheme for +betaN and +rcN releases:
#set (CPACK_PACKAGE_VERSION_PATCH "+beta1${SVN_REVISION}")
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/openvas-manager-4.0.3/ChangeLog new/openvas-manager-4.0.4/ChangeLog
--- old/openvas-manager-4.0.3/ChangeLog 2013-10-21 21:57:07.000000000 +0200
+++ new/openvas-manager-4.0.4/ChangeLog 2013-11-08 15:41:30.000000000 +0100
@@ -1,3 +1,21 @@
+2013-11-08 Michael Wiegand