I just released Nessus 2.0.1, and I suggest all Nessus 2.0.0 users to upgrade
to it. While the bugs found are non-critical, in some circumstance you may end
up with an inaccurate report. Note that this is not 2.0.x specific and also
affects 1.2.x.
I'm sorry for doing two releases the same week (and on a friday :), but the
bugs I noticed are important enough to suggest an upgrade.
List of changes :
-----------------
. changes by Renaud Deraison (deraison@cvs.nessus.org)
- Minor bugfixes (bugs #180, #183, #185, #188, #189, #195, #197, #202, #203, #204) [1]
- Fixed the "pink" graphical report issue
- Added http keep-alive support in the CGI related plugins [2]
- Fixed a bug in the function get_kb_list() which would not always work
properly [3]
- Fixed an issue where in some situations, some HTTP services would not
be tested for flaws if they have not been port-scanned first[4]
- Added new signatures in find_services.nes
. changes by Stephen Friedl (steve@unixwiz.net)
- Fixed bugs and warnings in nessus-libraries
Availability :
--------------
Nessus 2.0.1 is available at http://www.nessus.org/nessus_2_0.html
Details :
----------
[1] These bugs are really non-critical. See our bugzilla database for details
if you want (http://bugs.nessus.org)
[2] Each plugin supports keep-alive connections, however connections are not
kept-alive among plugins (meaning that each web-related plugin performs
at least one connection to the remote server). If you routinely check
SSL-enabled servers, you should notice the speed gain.
[3] This is why I suggest you upgrade your whole Nessus installation. This
bug will prevent the plugins which fix the issue found in [4] from working
properly.
[4] Some checks have to do with a service which has a built-in HTTP protocol
but listens on a non-standard port (ie: 8100). It turns out that if the
user is running another web server (ie: on port 80) and does not port scan
the whole list of ports (ie: only 1 to 1024), then some services won't be
tested as Services/www will be mapped to port 80. This problem affects
~ 50 plugins. Doing a nessus-update-plugins will fix the problem
the other way because of the bug described above.
The workaround of 1.0.x and 1.2.x users is to extend the scan range
of the portscan to 1-20000. I really recommand upgrading to Nessus 2.0
though.
to it. While the bugs found are non-critical, in some circumstance you may end
up with an inaccurate report. Note that this is not 2.0.x specific and also
affects 1.2.x.
I'm sorry for doing two releases the same week (and on a friday :), but the
bugs I noticed are important enough to suggest an upgrade.
List of changes :
-----------------
. changes by Renaud Deraison (deraison@cvs.nessus.org)
- Minor bugfixes (bugs #180, #183, #185, #188, #189, #195, #197, #202, #203, #204) [1]
- Fixed the "pink" graphical report issue
- Added http keep-alive support in the CGI related plugins [2]
- Fixed a bug in the function get_kb_list() which would not always work
properly [3]
- Fixed an issue where in some situations, some HTTP services would not
be tested for flaws if they have not been port-scanned first[4]
- Added new signatures in find_services.nes
. changes by Stephen Friedl (steve@unixwiz.net)
- Fixed bugs and warnings in nessus-libraries
Availability :
--------------
Nessus 2.0.1 is available at http://www.nessus.org/nessus_2_0.html
Details :
----------
[1] These bugs are really non-critical. See our bugzilla database for details
if you want (http://bugs.nessus.org)
[2] Each plugin supports keep-alive connections, however connections are not
kept-alive among plugins (meaning that each web-related plugin performs
at least one connection to the remote server). If you routinely check
SSL-enabled servers, you should notice the speed gain.
[3] This is why I suggest you upgrade your whole Nessus installation. This
bug will prevent the plugins which fix the issue found in [4] from working
properly.
[4] Some checks have to do with a service which has a built-in HTTP protocol
but listens on a non-standard port (ie: 8100). It turns out that if the
user is running another web server (ie: on port 80) and does not port scan
the whole list of ports (ie: only 1 to 1024), then some services won't be
tested as Services/www will be mapped to port 80. This problem affects
~ 50 plugins. Doing a nessus-update-plugins will fix the problem
the other way because of the bug described above.
The workaround of 1.0.x and 1.2.x users is to extend the scan range
of the portscan to 1-20000. I really recommand upgrading to Nessus 2.0
though.