File Release Notes and Changelog

Release Name: 1.3.2

Release Notes
This is the second maintenance release of the OpenVAS Administrator 1.3, the
local and remote administrative tool for the Open Vulnerability Assessment
System release 6 (OpenVAS-6).

This is a security release that addresses a very serious security bug. Updating
any installation of OpenVAS Administrator 1.3 to this release is highly
recommended.

A software bug in OpenVAS Administrator allowed an attacker to bypass the OAP
authentication procedure. The attack vector was remotely reachable if OpenVAS
Administrator was listening on a public network interface. After a successful
attack, the attacker was able to create and modify users, and could use the
gained privileges to take control of an OpenVAS installation if the Scanner
and/or Manager instances controlled by this Administrator instance were also
listening on public network interfaces.
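
To check a host against the exposure conditions described above, the following added example (not part of the release or of OpenVAS) classifies listening sockets from `ss -H -ltnp` output. The daemon names openvasad, openvasmd and openvassd, the sample lines and their port numbers are assumptions, and any non-loopback bind is conservatively treated as reachable.

```python
import ipaddress

# Assumed daemon binary names for the three components; not stated in the release notes.
DAEMONS = {"openvasad": "Administrator", "openvasmd": "Manager", "openvassd": "Scanner"}

# Constructed sample of `ss -H -ltnp` output (addresses, ports and PIDs are made up).
SAMPLE = """\
LISTEN 0 128 0.0.0.0:9393 0.0.0.0:* users:(("openvasad",pid=1201,fd=5))
LISTEN 0 128 127.0.0.1:9390 0.0.0.0:* users:(("openvasmd",pid=1188,fd=4))
LISTEN 0 128 [::]:9391 [::]:* users:(("openvassd",pid=1175,fd=6))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=801,fd=3))
"""

def is_loopback(local):
    """True if the Local Address:Port column is bound to a loopback address."""
    host = local.rsplit(":", 1)[0].strip("[]").split("%")[0]
    if host == "*":          # ss prints "*" for a dual-stack wildcard bind
        return False
    return ipaddress.ip_address(host).is_loopback

def exposed_components(ss_output):
    """Return the OpenVAS components listening on a non-loopback address."""
    exposed = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        for binary, role in DAEMONS.items():
            if f'"{binary}"' in line and not is_loopback(fields[3]):
                exposed.add(role)
    return exposed

def assess(ss_output):
    """Map the listener layout to the two conditions in the release notes."""
    exposed = exposed_components(ss_output)
    if "Administrator" not in exposed:
        return "administrator-not-exposed"
    if exposed & {"Manager", "Scanner"}:
        return "oap-remote-and-takeover-path"
    return "oap-remote"

if __name__ == "__main__":
    print(sorted(exposed_components(SAMPLE)), assess(SAMPLE))
```

A result other than "administrator-not-exposed" on an installation older than 1.3.2 means the OAP listener should be rebound or filtered until the update is applied.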

Many thanks to everyone who has contributed to this release:
Matthew Mundell.

Change Log
Main changes since 1.3.1:
* Security fix for handling the authentication state in OAP.
