openvas-scanner 22.4.0

22.4.0 - 2022-07-18

Added

• smoketest for openvas-nasl-lint (#1125) 0122d0d6
• authenticator for gcm/ccm en- and decryption ad75ffe1
• openvas-nasl-lint informs about include error on function calls 6e3a09ff
• smb_cmac_aes_signature, smb_gmac_aes_signature 45d777c5
• aes_mac_gcm for SMBv3.1.1 b09e301e
• SHA512 09e7f95d
• aes-256 ccm and gcm algorithm for en- and decryption 27a36a49
• support for MAC_CMAC_AES (AES-128/192/256-CMAC) hash function 1574628a
• SMB3KDF for SMB3 support b42420d7
• aes128-gcm decryption b7fb98aa
• aes128-CCM en- and decryption a3dd09a7
• possibility to fallback to LEGACY:%COMPAT:%UNSAFE_RENEGOTIATION 57a1fd65
• support for nasl snmp getnext (#1047) 0bbf0470
• Warning on nasl_send when UDP payload may too large and get_mtu e64e5f6d
• Extend nasl_ssh_shell_read() (#964) be5a0af8
• Add nasl function nasl_send_arp_request(). (#939) d1a7c6bf
• wait for notus to finish (#917) 4abc01f7
• Add function to get the local mac address (#922) b85698bd
• Notus integration (#903) 5343d87b
• Add nasl functions for checking ssl/tls secure renegotiation and performing re-handshake. (#889) 641ab331

Removed

• wincmd (winexe) dependency (#1074) 1c4bcf7b
• remove MD5 support from feed integrity check (#1059) 893c2b2e

Changed

• smb_gmac_aes_signature add IV d1fd8807
• encrypt functin can also decrypt 66d59377
• extend nasl_wmi_connect*() functions. (#1073) fc0f08b3
• nasl linter error count message (#1060) 46b3c2c1
• Use sha256sum instead of md5 for checks (#1056) d19c7e2e
• consider a malformed regex as a nasl parse error for built-in RE_MATCH and RE_NOMATCH (#1057) 986f2c67
• Check for malloc_trim() support. (#1054) b8d22c4b
• extended the nasl functions ereg(), egrep(), eregmatch(). (#1044) 30915be8
• support error recovery during nasl parsing (#1042) b55ffd58
• remove unnecessary variable in nasl/CMakeLists.txt (#1045) 28724866
• handle Fatal alert during handshake. (#1035) 21680c31
• Don't wrap-up the scan. (#1030) f1e8f208
• key for notus package list a3302f4d
• extend cert_query() nasl function to get the public key algorithm (#995) 9b1925b4
• Only log SSL/TLS failure once per script dfe74735
• Make OPENVAS_ENCAPS_TLSv13 visible for nasl scripts (#914) 315ea401
• Update digest algo OID to string mapping 95e8eef6
• Instead of using g_memdup2 set deprecation for it as warning 824238ac

Bug Fixes

• result len of aes{128,256}gcm{encrypt,decrypt}_auth 0736d6ce
• segmentation fault in md4 calculation (#1135) aa3655e6
• segmentation fault and false positive on empty function body (#1102) 776a0cdf
• smb3kdf buffer a42c77be
• smb3kdf set the correct size 6773b166
• crypt_data set the correct size 24bb5b46
• nasl lint error count a04e2205
• enable notus only if mqtt is enabled (#1095) 329d58b9
• case sensitive linting (#1079) 2481d172
• script_mandatory_keys usage (#1067) 06ce7976
• sigsegv backtrace log (#1048) 72a1981a
• starting notus-scanner after stop-scan (#1031) 0e483c54
• Check 'reader' for NULL before trying to unreference it during cleanup (#997) 0e7d2f3e
• Handle string encoding converison fail (#996) 15f04b48
• Fixing isotime_add and add zero padding for isotime [#919] e7f4daf1
• security check that open is called basedd on previous lstat check 90521724

openvas-scanner 21.4.4

21.4.4 - 2022-02-22

Added

• flag to set cipher suite preferences on a TLS session (#1020) (#1028) f64afcb0
• Extend nasl_ssh_shell_read() (#964) (#989) e9f1eec4
• Add nasl function nasl_send_arp_request(). (#939) 7503c8c5
• Add function to get the local mac address (#922) (#925) 55843869
• Add nasl functions for checking ssl/tls secure renegotiation and performing re-handshake (backport #889) (#910) 1ab85285

Changed

• handle Fatal alert during handshake. (#1035) (#1038) 61b0e052
• extend cert_query() nasl function to get the public key algorithm (#995) (#998) 9eb023b1
• Only log SSL/TLS failure once per script 146aa65c
• Make OPENVAS_ENCAPS_TLSv13 visible for nasl scripts (backport #914) 369c9052
• Make OPENVAS_ENCAPS_TLSv13 visible for nasl scripts (#914) 8214bd8c
• Update digest algo OID to string mapping c36c7a9e

Bug Fixes

• Fix filling msghdr for sendmsg #977 434ec1a
• Fix warning detect by ccc-analyzer #975
• possible g_memdup() silent memory truncation. (backport #1024) (#1026) b9fda14c
• Handle string encoding converison fail (#996) (#1000) f7a9ec68
• stable.Dockerfile use gvm-libs as root (#949) 4be45935
• stable.Dockerfile use gvm-libs as root 3ed4a080
• Fixing isotime_add and add zero padding for isotime [#920] (backport) 9515c0d6

openvas-scanner 21.4.3

21.4.3 - 2021-10-11

Added

• Add nasl function sftp_enabled_check() to check if sftp subsystem is enabled in the target.
  • Backport #853
  • Backport #862
  • Add find_all to eregmatch() nasl function #875
• Fix Segmentation fault when freeing hosts and alive hosts #888

Changed

• Changed defaults for installation locations #826
  • SYSCONFDIR is /etc by default now
  • LOCALSTATEDIR is /var by default now
  • OPENVAS_RUN_DIR is /run/ospd by default now
  • OPENVAS_FEED_LOCK_PATH is /var/lib/openvas/feed-update.lock by default now

Fixed

• Fix interrupted scan, when the process table is full. #832
• Use fchmod to change file permission instead of on open to prevent race conditions 854
• Fix plugins upload #878
• Fix Error Message when NVTI chache init failed #885
• Fix potential segfault.#884

openvas-scanner 20.8.4

20.8.4 - 2021-10-11

Changed

• Changed defaults for installation locations #826
  • SYSCONFDIR is /etc by default now
  • LOCALSTATEDIR is /var by default now
  • OPENVAS_RUN_DIR is /run/ospd by default now
  • OPENVAS_FEED_LOCK_PATH is /var/lib/openvas/feed-update.lock by default now

Fixed

• Backport #832. Fix interrupted scan, when the process table is full. #835
• Fix Segmentation fault when freeing hosts and alive hosts #893
• Backport #884. Fix potential segfault.#892

openvas-scanner 21.4.2

21.4.2 - 2021-08-03

• Fix clang-analyzer warnings.
  #791
  #795

openvas-scanner 20.8.3

20.8.3 - 2021-08-03

Fixed

• Fix clang-analyzer warnings.
  #791
  #795

openvas-scanner 21.4.1

21.4.1 - 2021-06-23

Added

• Improve nasl linter to catch more cases of undeclared variables. #728
• Add deprecation warning for source_iface related settings which will be removed with the 21.10 release. #732
• New Credentials for SSH to get su privileges. Backport of #744. #753

Changed

• Update default log config #711

Fixed

• Use host from the original hosts list when boreas is enabled. #725
• Initialize the the kb to store results for openvas-nasl #735
• Fix unittest. Mock kb_lnk_reset. #748

Removed

openvas-scanner 20.8.2

20.8.2 - 2021-06-23

Added

• Check for wrong names or values in the script_xrefs params.
  #650
  #653
• Log a message if the scanner did not launch all plugins against a host.
  #700
  #734

Changed

• Replace bogus data with a better message and the vendor. #665
• Improve log message for WMI connect failed or missing WMI support. #670
• Don't use g_error. Use g_warning instead and let the scanner to continue. #710
• Update COPYING file. #750
• Set file permissions when syncing community feed #769

Fixed

• Fix issues discovered with clang compiler. #654
• Fix gcc-9 and gcc-10 warnings. #655
• Fix double free in nasl_cert_query. #658
• Fix message to the client if there is a iface problem. #695
• Fix SIGSEGV when no best route is found. #702
• Fix host count when reverse_lookup_only is enabled. #715
• Use host from the orignal hosts list when boreas is enabled. Backport of PR #727. #725
• The function description of nasl_ssh_shell_read() has been fixed. #755

Removed

• Remove code from the openvas daemon era. Do not flushall redis. #689
• Remove deprecated option logfile. #713

OpenVAS v21.4.0

Added

• Add scanner-only option to enable tls debugging. #558
• Extend nasl lint to detect if function parameter is used twice. #585
• Add option to specify if a host can be scanned through its IPv4 and IPv6 in parallel.
  #604
  #645
• Add insert_tcp_options and insert_tcp_v6_options nasl functions. #618
• Add get_tcp_option and extend dump_tcp_packet nasl functions. #621
• Add new scanner only option for spawning NASL functions with a different owner. #634
• Add debug logs for allow_simultaneous_ips=no. #685
• Add min_free_mem and max_sysload scanner only options. #690

Changed

• Store results in main_kb instead of host_kb. #550
• Also use internal function name in some nasl log messages. #611
• Move more scanner preferences to gvm-libs to make them available for openvas-nasl. #614

Removed

• Use the nvticache name from gvm-libs, defined in nvticache.h. #578

OpenVAS v20.8.1

Added

• Extend nasl lint to detect if function parameter is used twice. #590
• Add support for TLSv1.3. #588#598
• Add alternative for supporting snmp during scans. #594
• Add resolve_hostname_to_multiple_ips() NASL function. #596
• Send message to the client with hosts count. #606
• Use nasl_perror on invalid input and add more documentation. #608
• Add timeout argument to ssh_connect() nasl function to set the connection timeout. 631

Changed

• Downgrade wmi queries log level for common errors.
  #602
  #607
• Rename some nasl functions and func parameters for consistency and fix byte order issue in get_ipv6_element. #613
• Change log level from debug to message to show max_host and max_scan during scan start. #626

Fixed

• Fork vhosts before creating the socket.#576
• Check if another forked child has already added the same vhost. #581
• Send duplicated hosts as dead hosts to ospd, to adjust scan progress calculation. #586
• Only send the signal if the pid is a positive value. #593
• When routes with same mask are found the route with the better metric is chosen.
  #593
  #639
• Fix malformed target. #625
• Fix snmp result. Only return the value and do not stop at the first \n. #627
• Fix masking of IPv6 addresses. #635
• Fix technique switch for getting the appropriate interface to use for IPv6 dst addr. #636
• Fix host count. Set to -1 when the target string is invalid. #646