Gentoo Archives: gentoo-announce

From: Daniel Ahlberg <aliz@g.o>
To: gentoo-announce@g.o
Subject: GLSA: nessus (200305-10)
Date: Tue, 27 May 2003 11:15:16
Message-Id: 20030527091507.8E7C133742@mail1.tamperd.net
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - ---------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200305-10
- - - ---------------------------------------------------------------------

PACKAGE : nessus
SUMMARY : problems in scripting engine
DATE : 2003-05-27 09:15 UTC
EXPLOIT : remote
VERSIONS AFFECTED : <nessus-2.0.6a
FIXED VERSION : >=nessus-2.0.6a
CVE :

- - - ---------------------------------------------------------------------

- - From advisory:

"There exists some vulnerabilities in NASL scripting engine.
To exploit these flaws, an attacker would need to have a valid Nessus
account as well as the ability to upload arbitrary Nessus plugins in the
Nessus server (this option is disabled by default) or he/she would need to
trick a user somehow into running a specially crafted nasl script."

Read the full advisory at
http://marc.theaimsgroup.com/?l=bugtraq&m=105369506714849&w=2

SOLUTION

It is recommended that all Gentoo Linux users who are running
net-analyzer/nessus upgrade to nessus-2.0.6a as follows

emerge sync
emerge nessus
emerge clean

- - - ---------------------------------------------------------------------
aliz@g.o - GnuPG key is available at http://cvs.gentoo.org/~aliz
- - - ---------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE+0yyafT7nyhUpoZMRAhc5AJoDcuH24b4v2yK53aI5Ql8OvF0bjQCeKBgl
G7TUn5qJzfMnwrjMDqn5DH8=
=nrb6
-----END PGP SIGNATURE-----