Mailing List Archive

Nessus 2.0.12 and 2.1.1 available
Hi,

I just released Nessus 2.0.12 and Nessus 2.1.1. My apologies for such
a quick 2.0.x release.


Nessus 2.0.12
-------------------------------------------------------------------------

Several bugs have been found in the utilities around Nessus 2.0.11 and
have been fixed in Nessus 2.0.12 :

- Fixed a bug in ./configure which would sometimes assume that GTK is
not installed whereas it actually is

- Fixed a race condition in nessus-adduser for users who do not
configure their TMPDIR variable (thanks to Cyrille Barthelemy)

- Fixed a bug in nessus-update-plugins which would not update the
plugins properly on all systems (thanks to Keith Butler)

- Fixed the installer to compile Nessus with GTK support if gtk-config
OR pkg-config is installed.


Please note that if you installed Nessus 2.0.11, it's very likely that
nessus-update-plugins is not working properly on your system.


Nessus 2.1.1 (experimental)
-------------------------------------------------------------------------

The development of Nessus 2.1.x is going extremely well. This new release
contains the following changes :

- Incorporated the fixes above
- Added support for local Solaris checks
- Added support for cryptographically signed scripts


I will elaborate on that last item : several persons (legitimately)
expressed concern over the new local security checks in Nessus 2.1,
since they can execute arbitrary commands on the remote hosts : if
www.nessus.org were to be compromised, then you do not want an attacker
to modify ssh_get_info.nasl to execute 'shutdown -h now' instead of
'rpm -qa'.

So what has changed in Nessus 2.1.1, is that a handful of NASL functions
will refuse to run unless the script has been signed by a key recognized
by nessusd (mostly, the functions having to do with handling the
provided SSH key, and RSA/DSA signing of messages using that key, as
well as the ability to read the files uploaded by the user).

I have also enabled the functions pread() and find_in_path(), which
also only run if the script has been signed, which allow nasl scripts
to execute local commands. We intend to use them in the future to get
rid of most of the remaining .nes plugins.

The logic is the following :

- If a script is signed and the signature is verified, it will run
- If a script is signed and the signature is not verified, it will not run
- If a script is not signed, it will run but will have access to fewer
NASL commands. In particular, it will not be able to get access to the
SSH private key uploaded by the user

By default, the scripts are signed with my private key, and my public
key now ships with libnasl. If you do not trust me enough to run the
scripts I approve (but nevertheless trust me enough to use my code), you
can always re-sign the scripts yourself, by running nasl -S.

If you want to write your own scripts and do not want to bother with
script signing, set the option 'nasl_no_signature_check' to 'yes'
in nessusd.conf.


Availability
-------------------------------------------------------------------------

Nessus 2.0.12 : http://www.nessus.org/nessus_2_0.html
Nessus 2.1.1 : http://www.nessus.org/nessus_2_1.html
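
The three-way decision described in the announcement (verified signature, failed signature, no signature), sketched as an added example that is not code from Nessus or from the original post. The "#SIGNED " header line, the toy textbook-RSA key and the helper names are assumptions made for illustration; the post does not describe the real signature format.

```python
import hashlib

# Constructed toy key: textbook RSA over two Mersenne primes, illustration only.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (kept by the signer)

HEADER = "#SIGNED "                   # hypothetical signature header line
GATED = {"pread", "find_in_path"}     # functions the post says need a signed script

def _digest(body: str) -> int:
    """SHA-256 of the script body, reduced into the toy modulus."""
    return int.from_bytes(hashlib.sha256(body.encode()).digest(), "big") % N

def sign(body: str) -> str:
    """Prepend a signature line computed with the private exponent."""
    return f"{HEADER}{pow(_digest(body), D, N):x}\n{body}"

def classify(script: str) -> str:
    """Return 'trusted', 'rejected' or 'untrusted' per the three rules."""
    first, _, body = script.partition("\n")
    if not first.startswith(HEADER):
        return "untrusted"            # unsigned: runs, with fewer functions
    try:
        sig = int(first[len(HEADER):], 16)
    except ValueError:
        return "rejected"             # malformed signature counts as a failure
    ok = pow(sig, E, N) == _digest(body)
    return "trusted" if ok else "rejected"

def may_call(script: str, func: str) -> bool:
    """Decide whether `script` is allowed to call NASL function `func`."""
    state = classify(script)
    if state == "rejected":
        return False                  # signed but not verified: never runs
    return state == "trusted" or func not in GATED

# Constructed sample scripts (not real plugin code).
BODY = 'res = pread(cmd:"rpm", argv:make_list("rpm", "-qa"));\n'
SIGNED = sign(BODY)
TAMPERED = SIGNED.replace("rpm", "shutdown")   # body edited after signing

if __name__ == "__main__":
    for name, s in (("signed", SIGNED), ("tampered", TAMPERED), ("unsigned", BODY)):
        print(name, classify(s), "pread allowed:", may_call(s, "pread"))
```

The tampered case is the one the announcement is about: a script edited after signing keeps its signature line, fails verification and is refused outright instead of falling back to the unsigned rules.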