nessusd: cannot connect to 2.2.5-3 server
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
nessus-core (Debian) | Fix Released | Unknown | |
nessus-core (Ubuntu) | Fix Released | High | Unassigned |
Bug Description
Automatically imported from Debian bug report #343487 http://
In Debian Bug tracker #343487, Javier Fernández-Sanguino (jfs) wrote : Re: Bug#343487: nessusd: cannot connect to 2.2.5-3 server | #1 |
In Debian Bug tracker #343487, Marc Haber (mh+debian-bugs) wrote : | #2 |
On Thu, Dec 15, 2005 at 06:20:01PM +0100, Javier Fernández-Sanguino Peña wrote:
> On Thu, Dec 15, 2005 at 05:17:36PM +0100, Marc Haber wrote:
> > A recompiled 2.2.5-3 on current sid exhibits the same behavior.
> >
> > I suspect some library issue.
>
> Yes, that looks like an SSL error due to incompatibilities with the libraries.
>
> > What I find strange: ldd of the working (2.2.5-2) daemon shows that
> > it's linked to both libssl.so.0.9.8 and libssl.so.0.9.7, while the
>
> Strange, my working 2.2.5-2 daemon says:
> ~$ ldd /usr/sbin/nessusd |grep ssl
> libssl.so.0.9.7 => /usr/lib/
>
> > non-working (3.2.5-3) daemon is only linked against libssl.so.0.9.7.
>
> No, it's the other way around:
>
> $ ldd debian/
> |grep ssl
> libssl.so.0.9.8 => /usr/lib/
> libssl.so.0.9.7 => /usr/lib/
NACK.
||/ Name Version Description
ii nessusd 2.2.5-3 Remote network security auditor, the server
<snip>
||/ Name Version Description
ii nessusd 2.2.5-2 Remote network security auditor, the server
> And the client (2.2.5-2) says
> $ ldd /usr/bin/nessus |grep ssl
> libssl.so.0.9.7 => /usr/lib/
Confirmed.
> I guess recompiling the nessusd package should fix this issue.
Not on current sid, already tried that:
||/ Name Version Description
ii nessusd 2.2.5-2+zg1 Remote network security auditor, the server
In Debian Bug tracker #343487, Javier Fernández-Sanguino (jfs) wrote : | #3 |
On Thu, Dec 15, 2005 at 06:44:18PM +0100, Marc Haber wrote:
> > libssl.so.0.9.8 => /usr/lib/
> > libssl.so.0.9.7 => /usr/lib/
>
> NACK.
Err... Is this i386 or some other arch?
Those are *not* the binaries I built yesterday.
> > I guess recompiling the nessusd package should fix this issue.
>
> Not on current sid, already tried that:
You need to recompile both nessus-core and the client for that to work I
guess.
> >
> > Er, this is completely unrelated (and not true). See
> > /usr/share/
>
> Ah. I have been looking for that readme inside the nessus or
> nessusd packages.
As you can see, it's in the -plugins package.
> Btw, the nessus_
> what's downloadable from the nessus web site. Additionally, following
> this procedure produces a non-working nessusd package on current sid.
Hmm...:
$ cat MD5.2.2.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
MD5 (libnasl-
MD5 (nessus-
MD5 (nessus-
MD5 (nessus-
$ md5sum nessus-
282de0aa80a5c85
Either you did not check properly or the file in nessus.org has changed. The
Md5 file above was signed by Renaud Deraison (key Id 14595A1A).
Regards
Javier
In Debian Bug tracker #343487, Marc Haber (mh+debian-bugs) wrote : | #4 |
On Thu, Dec 15, 2005 at 07:00:05PM +0100, Javier Fernández-Sanguino Peña wrote:
> On Thu, Dec 15, 2005 at 06:44:18PM +0100, Marc Haber wrote:
> > > libssl.so.0.9.8 => /usr/lib/
> > > libssl.so.0.9.7 => /usr/lib/
> >
> > NACK.
>
>
> Err... Is this i386 or some other arch?
> Those are *not* the binaries I built yesterday.
This is i386, pulled from Debian incoming.
5540b1f4dfd81c4
> > > I guess recompiling the nessusd package should fix this issue.
> >
> > Not on current sid, already tried that:
>
> You need to recompile both nessus-core and the client for that to work I
> guess.
nessus-core builds the client as well:
Source: nessus-core
The issue is, however, with the daemon. 2.2.5-2 works with all clients
I tried, and 2.2.5-3 fails with all clients I tried.
> > > Er, this is completely unrelated (and not true). See
> > > /usr/share/
> ^^^^^^^^^^^^^^
> >
> > Ah. I have been looking for that readme inside the nessus or
> > nessusd packages.
>
> As you can see , it's in the -plugins package.
Yes. Not where I would look for it.
> > Btw, the nessus_
> > what's downloadable from the nessus web site. Additionally, following
> > this procedure produces a non-working nessusd package on current sid.
>
> Hmm...:
>
> $ cat MD5.2.2.5
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> MD5 (libnasl-
> MD5 (nessus-
> MD5 (nessus-
> MD5 (nessus-
> $ md5sum nessus-
> 282de0aa80a5c85
>
> Either you did not check properly or the file in nessus.org has changed. The
> Md5 file above was signed by Renaud Deraison (key Id 14595A1A).
I did not check properly. I inadvertently downloaded and checked
nessus-plugins instead of nessus-core.
Greetings
Marc
--
-------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835
In Debian Bug tracker #343487, Javier Fernández-Sanguino (jfs) wrote : | #5 |
On Thu, Dec 15, 2005 at 07:18:04PM +0100, Marc Haber wrote:
> 5540b1f4dfd81c4
That is correct, however, with that one, as I said:
$ ldd /usr/sbin/nessusd |grep ssl
libssl.so.0.9.8 => /usr/lib/
And that one *works* with my Nessus client (2.2.5-2), I just tried. Are you
sure you are using the same Nessus daemon provided by the package, have you
restarted it?
Could you show me the output of 'dpkg -l "*libssl*"'
In my system it shows:
ii libssl-dev 0.9.8a-4 SSL development libraries, header files and
ii libssl0.9.6 0.9.6m-1 SSL shared libraries (old version)
ii libssl0.9.7 0.9.7g-5 SSL shared libraries
ii libssl0.9.8 0.9.8a-4 SSL shared libraries
Maybe it is *not* failing in my system because libssl0.9.7 is installed even
though there is not a declared dependency for it in the Nessusd package (it
says libssl0.9.8 (>= 0.9.8a-1), it *is* there for the nessus-plugins package
though so if you do the typical installation (nessusd, nessus and
nessus-plugins) it works.
In any case, if you *don't* have libssl0.9.7 the Nessusd (2.2.5-3) would
complain:
$ sudo /etc/init.d/nessusd start
Starting Nessus daemon: /usr/sbin/nessusd: error while loading shared libraries: libssl.so.0.9.7: cannot open shared object file: No such file or directory
ERROR.
Can you please send me a full list of the nessus packages installed and the
output of ldd for those?
> The issue is, however, with the daemon. 2.2.5-2 works with all clients
> I tried, and 2.2.5-3 fails with all clients I tried.
Not for me, just tested and works fine with nessusd 2.2.5-3 and nessus
2.2.5-2. There are two problems here:
- binary linked against both libssl versions (see
http://
- Undeclared dependencies, but that is another (different) issue.
If you want me to get access to the chroot to diagnose, feel free to send me
access through private e-mail. In any case I'm going to recompile it so that
it *only* links against the latest openssl version (might require relinking
of all nessus packages though)
Regards
Javier
In Debian Bug tracker #343487, Marc Haber (mh+debian-bugs) wrote : | #6 |
On Thu, Dec 15, 2005 at 10:17:13PM +0100, Javier Fernández-Sanguino Peña wrote:
> On Thu, Dec 15, 2005 at 07:18:04PM +0100, Marc Haber wrote:
> > 5540b1f4dfd81c4
>
> That is correct, however, with that one, as I said:
>
> $ ldd /usr/sbin/nessusd |grep ssl
> libssl.so.0.9.8 => /usr/lib/
> libssl.so.0.9.7 => /usr/lib/
>
> And that one *works* with my Nessus client (2.2.5-2), I just tried. Are you
> sure you are using the same Nessus daemon provided by the package, have you
> restarted it?
I have stopped it, verified that there was no daemon listening on the
nessus port, and used the init script to start it again.
> Could you show me the output of 'dpkg -l "*libssl*"'
||/ Name Version Description
un libssl <none> (no description available)
pn libssl0.9.6 <none> (no description available)
ii libssl0.9.7 0.9.7g-5 SSL shared libraries
ii libssl0.9.8 0.9.8a-5 SSL shared libraries
un libssl096 <none> (no description available)
un libssl096-dev <none> (no description available)
> Can you please send me a full list of the nessus packages installed and the
> output of ldd for those?
which packages, which binaries?
> > The issue is, however, with the daemon. 2.2.5-2 works with all clients
> > I tried, and 2.2.5-3 fails with all clients I tried.
>
> Not for me, just tested and works fine with nessusd 2.2.5-3 and nessus
> 2.2.5-2. There are two problems here:
>
> - binary linked against both libssl versions (see
> http://
> - Undeclared dependencies, but that is another (different) issue.
>
> If you want me to get access to the chroot to diagnose, feel free to send me
> access through private e-mail. In any case I'm going to recompile it so that
> it *only* links against the latest openssl version (might require relinking
> of all nessus packages though)
I'm going to prepare a test system tomorrow. Can you send me your ssh
public key?
Greetings
Marc
In Debian Bug tracker #343487, Hadmut Danisch (hadmut) wrote : openssl problem | #7 |
Hi,
I just ran into the same problem. As far as I can see the problem is
the libnasl2 package.
# strings - /usr/lib/
libssl.so.0.9.7
# ldd /usr/lib/
libnsl.so.1 => /lib/libnsl.so.1 (0x400c7000)
libdl.so.2 => /lib/libdl.so.2 (0x4021d000)
libc.so.6 => /lib/libc.so.6 (0x40221000)
It loads the libssl.so.0.9.7
You *need* to recompile the libnasl2 package synchronously with the
nessus packages!
After recompiling this single package, I still have the bad record mac
problem, but it solves at least the double library load.
regards
Hadmut
In Debian Bug tracker #343487, Javier Fernández-Sanguino (jfs) wrote : Re: Bug#343487: nessusd: cannot connect to 2.2.5-3 server | #8 |
severity 343487 grave
tags 343487 pending confirmed sid etch
reassign 343487 nessus
thanks
After debugging this issue in a system that Marc Haber set up for testing
I've found two different issues, one is a misconfiguration, the other is a
problem with the nessus package (the client)
- localhost was not allowed access to nessusd due to tcp wrappers
configuration (common mistake). Error message:
[ client ]
[8305] SSL_connect: error:140943FC:SSL routines:
bad record mac
nessus : SSL error
[ server ]
[Wed Dec 28 10:46:08 2005][7608] Connection from 127.0.0.1 rejected by
libwrap
- (fixing the above) the nessus client was not able to connect to the server
error. Error message:
[ client ]
[8305] SSL_connect: error:140943FC:SSL routines:
bad record mac
nessus : SSL error
[ none at server ]
I downgraded the nessus client version to 2.2.5-2 (which is *not* compiled
against both 0.9.7 and 0.9.8 SSL libraries) and it worked fine.
The issue should be fixed by recompiling the client against a set of the
libraries, and should affect only the 2.2.5-3 version under i386. Notice
also that the package has an undeclared dependency on libssl0.9.7 (the binary
is linked against that one).
I will try to rebuild it in a clean environment and see if I can get rid of
the libssl0.9.7 dependencies that way. Other nessus-related packages (libnasl
and nessus-plugins) might need to be recompiled too.
Regards
Javier
In Debian Bug tracker #343487, Steve Langasek (vorlon) wrote : | #9 |
On Wed, Dec 28, 2005 at 10:57:42AM +0100, Javier Fernández-Sanguino Peña wrote:
> After debugging this issue in a system that Marc Haber set up for testing
> I've found two different issues, one is a misconfiguration, the other is a
> problem with the nessus package (the client)
> - (fixing the above) the nessus client was not able to connect to the server
> error. Error message:
> [ client ]
> [8305] SSL_connect: error:140943FC:SSL routines:
> bad record mac
> nessus : SSL error
> [ none at server ]
> I downgraded the nessus client version to 2.2.5-2 (which is *not* compiled
> against both 0.9.7 and 0.9.8 SSL libraries) and it worked fine.
> The issue should be fixed by recompiling the client against a set of the
> libraries, and should affect only the 2.2.5-3 version under i386. Notice
> also that the package has an undeclared dependency on libssl0.9.7 (the binary
> is linked against that one).
Why do you say that?
$ dpkg -x n/nessus-
$ ldd /tmp/nessus/
$
I don't see any reason to think that 2.2.5-3 is linked against 0.9.7.
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
<email address hidden> http://
In Debian Bug tracker #343487, Javier Fernández-Sanguino (jfs) wrote : | #10 |
On Wed, Dec 28, 2005 at 02:16:26AM -0800, Steve Langasek wrote:
> > The issue should be fixed by recompiling the client against a set of the
> > libraries, and should affect only the 2.2.5-3 version under i386. Notice,
> > also that the package has an undeclared dependency on libssl0.9.7 (the binary
> > is linked against that one).
>
> Why do you say that?
>
> $ dpkg -x n/nessus-
> $ ldd /tmp/nessus/
> libssl.so.0.9.8 => not found
> $
>
> I don't see any reason to think that 2.2.5-3 is linked against 0.9.7.
Sorry, my mistake:
* nessusd 2.2.5-3, the server, is linked against both 0.9.7 and 0.9.8
* nessusd 2.2.5-2, the server, is only linked against 0.9.7
* nessus 2.2.5-3, the client, is only linked against 0.9.8
* nessus 2.2.5-2, the client, is only linked against 0.9.7
The 2.2.5-2 client works with the 2.2.5-3 and 2.2.5-2 server. The 2.2.5-3
client does not work against any of the servers. It's the server that has an
undeclared dependency (because it's linked against 0.9.7 but depends on just
libssl0.9.8 (>= 0.9.8a-1)). A known fix is to have nessus, the server and
client, link against just 0.9.7 (since it's known to work). Moving to 0.9.8
might require a recompile of other nessus related packages (nasl and
nessus-plugins) in order for all of that to work out, it might be another
(better?) option.
Hopefully that clears it up.
Regards
Javier
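The whole thread turns on one diagnostic: ldd showing a process that pulls in both libssl.so.0.9.7 and libssl.so.0.9.8, either linked directly (the 2.2.5-3 nessusd above) or dragged in through libnasl2 (Hadmut's finding in #7). The script below is an added example, not code from the bug report or from the Debian nessus packages: it reads ldd-style output, reports any library base name that appears under two different SONAMEs, and ships with a constructed sample modelled on the outputs quoted in the thread (the file names and load addresses in the sample are made up).

```shell
#!/bin/sh
# Added example (not code from the bug report or the Debian nessus packages):
# detect an executable whose dependency set pulls in two versions of the same
# shared library, the pattern behind this bug (nessusd ending up with both
# libssl.so.0.9.7 and libssl.so.0.9.8 mapped, directly and via libnasl2),
# which the thread ties to the client's SSL_connect "bad record mac" failure.

# find_dup_sonames: read ldd(1)-style output on stdin and print one line per
# library base name that appears under more than one SONAME, e.g.
#   libssl: libssl.so.0.9.8 libssl.so.0.9.7
# Exit status is 0 when no duplicates were found, 1 otherwise.
find_dup_sonames() {
    awk '
        # Dependency lines look like "libssl.so.0.9.8 => /usr/lib/... (0x...)"
        # or "libssl.so.0.9.8 => not found"; the SONAME is always column 1.
        $2 == "=>" {
            soname = $1
            base = soname
            sub(/\.so.*$/, "", base)        # libssl.so.0.9.8 -> libssl
            if (!(soname in seen)) {
                seen[soname] = 1
                versions[base] = versions[base] " " soname
                count[base]++
            }
        }
        END {
            dups = 0
            for (b in count) {
                if (count[b] > 1) {
                    print b ":" versions[b]
                    dups = 1
                }
            }
            exit dups
        }'
}

# check_binary: run ldd on a real ELF file and report conflicts.
# ldd prints the transitive closure, so a second libssl dragged in by a
# plugin library (libnasl2 in this bug) is caught as well as a direct link.
check_binary() {
    ldd "$1" | find_dup_sonames
}

# Constructed sample modelled on the outputs quoted in the thread; it is not
# real ldd output from the Debian 2.2.5-3 packages. Load addresses are made up.
SAMPLE_LDD='libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0x40030000)
libnessus.so.2 => /usr/lib/libnessus.so.2 (0x40080000)
libnasl.so.2 => /usr/lib/libnasl.so.2 (0x400a0000)
libssl.so.0.9.7 => /usr/lib/libssl.so.0.9.7 (0x400c0000)
libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0x40100000)
libwrap.so.0 => /usr/lib/libwrap.so.0 (0x40200000)
libc.so.6 => /lib/libc.so.6 (0x40221000)
/lib/ld-linux.so.2 (0x40000000)'

# Same sample with the stale 0.9.7 dependency gone, as after a clean rebuild.
SAMPLE_LDD_FIXED='libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0x40030000)
libnessus.so.2 => /usr/lib/libnessus.so.2 (0x40080000)
libnasl.so.2 => /usr/lib/libnasl.so.2 (0x400a0000)
libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0x40100000)
libc.so.6 => /lib/libc.so.6 (0x40221000)'

demo_broken() { printf '%s\n' "$SAMPLE_LDD" | find_dup_sonames; }
demo_fixed()  { printf '%s\n' "$SAMPLE_LDD_FIXED" | find_dup_sonames; }

# With a path argument, check a real binary; otherwise run the samples.
if [ "$#" -gt 0 ]; then
    check_binary "$1"
else
    demo_broken    # prints: libssl: libssl.so.0.9.8 libssl.so.0.9.7
    demo_fixed     # prints nothing
fi
```

Run it against the installed daemon with `sh check_libs.sh /usr/sbin/nessusd` (file name assumed); a non-zero exit plus a `libssl:` line is the condition this bug describes.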
Debian Bug Importer (debzilla) wrote : | #12 |
Date: Thu, 15 Dec 2005 17:17:36 +0100
From: Marc Haber <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: nessusd: cannot connect to 2.2.5-3 server
Package: nessusd
Version: 2.2.5-3
Severity: important
When I try to connect to a 2.2.5-3 server from a 2.2.5-2 or 2.2.5-3
client, the client says after hitting the "Login" button "SSL Error"
and says on stdout "[8157] SSL_connect: error:140943FC:SSL
routines:
server to 2.2.5-2 makes the problem go away, upgrading to 2.2.5-3
makes it happen again.
A recompiled 2.2.5-3 on current sid exhibits the same behavior.
I suspect some library issue.
What I find strange: ldd of the working (2.2.5-2) daemon shows that
it's linked to both libssl.so.0.9.8 and libssl.so.0.9.7, while the
non-working (2.2.5-3) daemon is only linked against libssl.so.0.9.7.
I can reproduce the issue in a test chroot, so if you cannot see the
issue on your system, I can give you ssh access to a system that shows
the issue.
This is kind of important as there does not seem to be a possibility
to legally use nessus built from Debian with a registered plugin feed
at the moment.
Greetings
Marc
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14.3-scyw00225
Locale: LANG=C, LC_CTYPE=C (charmap=
Versions of packages nessusd depends on:
ii libc6 2.3.5-8.1 GNU C Library: Shared libraries an
ii libnasl2 2.2.5-2+zg1 Nessus Attack Scripting Language,
ii libnessus2 2.2.5-1+zg1 Nessus shared libraries
ii libssl0.9.8 0.9.8a-5 SSL shared libraries
ii libwrap0 7.6.dbs-8 Wietse Venema's TCP wrappers libra
ii nessus-plugins 2.2.5-6 Nessus plugins
ii openssl 0.9.8a-5 Secure Socket Layer (SSL) binary a
nessusd recommends no packages.
-- debconf information:
* nessusd/
* nessusd/califetime: 1460
* nessusd/province:
* nessusd/
* nessusd/country:
* nessusd/
* nessusd/location:
Debian Bug Importer (debzilla) wrote : | #13 |
Date: Thu, 15 Dec 2005 18:20:01 +0100
From: Javier Fernández-Sanguino Peña
To: Marc Haber <email address hidden>, <email address hidden>
Subject: Re: Bug#343487: nessusd: cannot connect to 2.2.5-3 server
On Thu, Dec 15, 2005 at 05:17:36PM +0100, Marc Haber wrote:
> Package: nessusd
> Version: 2.2.5-3
> Severity: important
>
> When I try to connect to a 2.2.5-3 server from a 2.2.5-2 or 2.2.5-3
> client, the client says after hitting the "Login" button "SSL Error"
> and says on stdout "[8157] SSL_connect: error:140943FC:SSL
> routines:
> server to 2.2.5-2 makes the problem go away, upgrading to 2.2.5-3
> makes it happen again.
>
> A recompiled 2.2.5-3 on current sid exhibits the same behavior.
>
> I suspect some library issue.
Yes, that looks like an SSL error due to incompatibilities with the libraries.
> What I find strange: ldd of the working (2.2.5-2) daemon shows that
> it's linked to both libssl.so.0.9.8 and libssl.so.0.9.7, while the
Strange, my working 2.2.5-2 daemon says:
~$ ldd /usr/sbin/nessusd |grep ssl
libssl.so.0.9.7 => /usr/lib/
> non-working (3.2.5-3) daemon is only linked against libssl.so.0.9.7.
No, it's the other way around:
$ ldd debian/
sbin/nessusd |grep ssl
libssl.so.0.9.8 => /usr/lib/
libssl.so.0.9.7 => /usr/lib/
And the client (2.2.5-2) says
$ ldd /usr/bin/nessus |grep ssl
libssl.so.0.9.7 => /usr/lib/
I guess recompiling the nessusd package should fix this issue. Will look into it.
> This is kind of important as there does not seem to be a possibility
> to legally use nessus built from Debian with a registered plugin feed
> at the moment.
Er, this is completely unrelated (and not true). See
/usr/share/
Regards
Javier
Debian Bug Importer (debzilla) wrote : | #14 |
Message-ID: <email address hidden>
Date: Thu, 15 Dec 2005 18:44:18 +0100
From: Marc Haber <email address hidden>
To: <email address hidden>
Subject: Re: Bug#343487: nessusd: cannot connect to 2.2.5-3 server
On Thu, Dec 15, 2005 at 06:20:01PM +0100, Javier Fern�ez-Sanguino Pe�rote:
> On Thu, Dec 15, 2005 at 05:17:36PM +0100, Marc Haber wrote:
> > A recompiled 2.2.5-3 on current sid exhibit the same behavior.
> >
> > I suspect some library issue.
>
> Yes, that looks like an SSL error due to incompatibilies with the libraries.
>
> > What i find strange: ldd of the working (2.2.5-2) daemon shows that
> > it's linked to both libssl.so.0.9.8 and libssl.so.0.9.7, while the
>
> Strange, my working 2.2.5-2 daemon says:
> ~$ ldd /usr/sbin/nessusd |grep ssl
> libssl.so.0.9.7 => /usr/lib/
>
> > non-working (3.2.5-3) daemon is only linked against libssl.so.0.9.7.
>
> No, it's the other way around:
>
> $ ldd debian/
> |grep ssl
> libssl.so.0.9.8 => /usr/lib/
> libssl.so.0.9.7 => /usr/lib/
NACK.
[2/68]mh@
Desired=
| Status=
|/ Err?=(none)
||/ Name Version Description
+++-===
ii nessusd 2.2.5-3 Remote network security auditor, the server
[3/69]mh@
[6/72]mh@
<snip>
[7/73]mh@
Desired=
| Status=
|/ Err?=(none)
||/ Name Version Description
+++-===
ii nessusd 2.2.5-2 Remote network security auditor, the server
[8/74]mh@
> And the client (2.2.5-2) says
> $ ldd /usr/bin/nessus |grep ssl
> libssl.so.0.9.7 => /usr/lib/
Confirmed.
> I guess recompiling the nessusd package should fix this issue.
Not on current sid, already tried that:
[13/79]
Desired=
| Status=
|/ Err?=(none)
||/ Name Version Description
+++-===
Debian Bug Importer (debzilla) wrote : | #15 |
Message-ID: <email address hidden>
Date: Thu, 15 Dec 2005 19:00:05 +0100
From: Javier =?iso-8859-
To: Marc Haber <email address hidden>, <email address hidden>
Subject: Re: Bug#343487: nessusd: cannot connect to 2.2.5-3 server
--ZGiS0Q5IWpPtfppv
Content-Type: text/plain; charset=us-ascii
Content-
Content-
On Thu, Dec 15, 2005 at 06:44:18PM +0100, Marc Haber wrote:
> > libssl.so.0.9.8 =3D> /usr/lib/
5000)
> > libssl.so.0.9.7 =3D> /usr/lib/
4000)
>=20
> NACK.
Err... Is this i386 or some other arch?
Those are *not* the binaries I built yesterday.
> > I guess recompiling the nessusd package should fix this issue.
>=20
> Not on current sid, already tried that:
You need to recompile both nessus-core and the client for that to work I
guess.
> >=20
> > Er, this is completely unrelated (and not true). See
> > /usr/share/
>=20
> Ah. I have been looking for that readme inside the nessus or
> nessusd packages.
As you can see , it's in the -plugins package.
> Btw, the nessus_
> what's downloadeable from the nessus web site. Additionally, following
> this procedure produces a non-working nessusd package on current sid.
Hmm...:
$ cat MD5.2.2.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
MD5 (libnasl-
MD5 (nessus-
MD5 (nessus-
MD5 (nessus-
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
iD8DBQFC4R1C8JE
iGPZcIjuBrzaMJL
=3DwPZC
-----END PGP SIGNATURE-----
$ md5sum nessus-
282de0aa80a5c85
Either you did not check properly or the file in nessus.org has changed. The
Md5 file above was signed by Renaud Deraison (key Id 14595A1A).
Regards
Javier
--ZGiS0Q5IWpPtfppv
Content-Type: application/
Content-
Content-
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFDoa8lsan
BFGlC2a86fz/
=VSS1
-----END PGP SIGNATURE-----
--ZGiS0Q5IWpPtf
Debian Bug Importer (debzilla) wrote : | #16 |
Message-ID: <email address hidden>
Date: Thu, 15 Dec 2005 19:18:04 +0100
From: Marc Haber <email address hidden>
To: <email address hidden>
Subject: Re: Bug#343487: nessusd: cannot connect to 2.2.5-3 server
On Thu, Dec 15, 2005 at 07:00:05PM +0100, Javier Fern�ez-Sanguino Pe�rote:
> On Thu, Dec 15, 2005 at 06:44:18PM +0100, Marc Haber wrote:
> > > libssl.so.0.9.8 => /usr/lib/
> > > libssl.so.0.9.7 => /usr/lib/
> >
> > NACK.
>
>
> Err... Is this i386 or some other arch?
> Those are *not* the binaries I built yesterday.
This is i386, pulled from Debian incoming.
[2/83]mh@
5540b1f4dfd81c4
[3/84]mh@
> > > I guess recompiling the nessusd package should fix this issue.
> >
> > Not on current sid, already tried that:
>
> You need to recompile both nessus-core and the client for that to work I
> guess.
nessus-core builds the client as well:
[5/86]mh@
Source: nessus-core
[6/87]mh@
The issue is, however, with the daemon. 2.2.5-2 works with all clients
I tried, and 2.2.5-3 fails with all clients I tried.
> > > Er, this is completely unrelated (and not true). See
> > > /usr/share/
> ^^^^^^^^^^^^^^
> >
> > Ah. I have been looking for that readme inside the nessus or
> > nessusd packages.
>
> As you can see , it's in the -plugins package.
Yes. Not where I would look for it.
> > Btw, the nessus_
> > what's downloadeable from the nessus web site. Additionally, following
> > this procedure produces a non-working nessusd package on current sid.
>
> Hmm...:
>
> $ cat MD5.2.2.5
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> MD5 (libnasl-
> MD5 (nessus-
> MD5 (nessus-
> MD5 (nessus-
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (Darwin)
>
> iD8DBQFC4R1C8JE
> iGPZcIjuBrzaMJL
> =wPZC
> -----END PGP SIGNATURE-----
> $ md5sum nessus-
> 282de0aa80a5c85
>
> Either you did not check properly or the file in nessus.org has changed. The
> Md5 file above was signed by Renaud Deraison (key Id 14595A1A).
I did not check properly. I inadvertently downloaded and checked
nessus-plugins instead of nessus-core.
Greetings
Marc
--
-------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835
Debian Bug Importer (debzilla) wrote : | #17 |
Message-ID: <email address hidden>
Date: Thu, 15 Dec 2005 22:17:13 +0100
From: Javier =?iso-8859-
To: Marc Haber <email address hidden>, <email address hidden>
Subject: Re: Bug#343487: nessusd: cannot connect to 2.2.5-3 server
--Q68bSM7Ycu6FN28Q
Content-Type: text/plain; charset=us-ascii
Content-
Content-
On Thu, Dec 15, 2005 at 07:18:04PM +0100, Marc Haber wrote:
> [2/83]mh@
> 5540b1f4dfd81c4
> [3/84]mh@
That is correct, however, with that one, as I said:
$ ldd /usr/sbin/nessusd |grep ssl =20
libssl.so.0.9.8 =3D> /usr/lib/
And that one *works* with my Nessus client (2.2.5-2), I just tried. Are you
sure you are using the same Nessus daemon provided by the package, have you
restarted it?
Could you show me the output of 'dpkg -l "*libssl*"'
In my system it shows:
ii libssl-dev 0.9.8a-4 SSL development libraries, header files a=
nd
ii libssl0.9.6 0.9.6m-1 SSL shared libraries (old version)
ii libssl0.9.7 0.9.7g-5 SSL shared libraries
ii libssl0.9.8 0.9.8a-4 SSL shared libraries
Maybe it is *not* failing in my system because libssl0.9.7 is installed even
though there is not a declared dependency for it in the Nessusd package (it
says libssl0.9.8 (>=3D 0.9.8a-1), it *is* there for the nessus-plugins pack=
age
though so if you do the typical installation (nessusd, nessus and
nessus-plugins) it works.
In any case, if you *don't* have libssl0.9.7 the Nessusd (2.2.5-3) would
complain:
$ sudo /etc/init.d/nessusd start Starting Nessus daemon: /usr/sbin/nessusd:
error while loading shared libraries: libssl.so.0.9.7: cannot open shared
object file: No such file or directory
ERROR.
Can you please send me a full list of the nessus packages installed and the
output of ldd for those?
> The issue is, however, with the daemon. 2.2.5-2 works with all clients
> I tried, and 2.2.5-3 fails with all clients I tried.
Not for me, just tested and works fine with nessusd 2.2.5-3 and nessus
2.2.5-2. There are two problems here:
- binary linked against both libssl versions (see=20
http://
- Undeclared dependencies, but that is another (different) issue.
If you want me to get access to the chroot to diagnose, feel free to send me
access through private e-mail. In any case I'm going to recompile it so that
it *only* links against the latest openssl version (might require relinking
of all nessus packages though)
Regards
Javier
--Q68bSM7Ycu6FN28Q
Content-Type: application/
Content-
Content-
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iD8DBQFDod1Zsan
xJcyTNwHTIe8loc
=uuAv
-----END PGP SIGNATURE-----
--Q68bSM7Ycu6FN
Debian Bug Importer (debzilla) wrote : | #18 |
Message-ID: <email address hidden>
Date: Thu, 15 Dec 2005 22:40:27 +0100
From: Marc Haber <email address hidden>
To: <email address hidden>
Subject: Re: Bug#343487: nessusd: cannot connect to 2.2.5-3 server
On Thu, Dec 15, 2005 at 10:17:13PM +0100, Javier Fern�ez-Sanguino Pe�rote:
> On Thu, Dec 15, 2005 at 07:18:04PM +0100, Marc Haber wrote:
> > [2/83]mh@
> > 5540b1f4dfd81c4
> > [3/84]mh@
>
> That is correct, however, with that one, as I said:
>
> $ ldd /usr/sbin/nessusd |grep ssl
> libssl.so.0.9.8 => /usr/lib/
> libssl.so.0.9.7 => /usr/lib/
>
> And that one *works* with my Nessus client (2.2.5-2), I just tried. Are you
> sure you are using the same Nessus daemon provided by the package, have you
> restarted it?
I have stopped it, verified that there was no daemon listening on the
nessus port, and used the init script to start it again.
> Could you show me the output of 'dpkg -l "*libssl*"'
[1/87]mh@
Desired=
| Status=
|/ Err?=(none)
||/ Name Version Description
+++-===
un libssl <none> (no description available)
pn libssl0.9.6 <none> (no description available)
ii libssl0.9.7 0.9.7g-5 SSL shared libraries
ii libssl0.9.8 0.9.8a-5 SSL shared libraries
un libssl096 <none> (no description available)
un libssl096-dev <none> (no description available)
[2/88]mh@
> Can you please send me a full list of the nessus packages installed and the
> output of ldd for those?
which packages, which binaries?
> > The issue is, however, with the daemon. 2.2.5-2 works with all clients
> > I tried, and 2.2.5-3 fails with all clients I tried.
>
> Not for me, just tested and works fine with nessusd 2.2.5-3 and nessus
> 2.2.5-2. There are two problems here:
>
> - binary linked against both libssl versions (see
> http://
> - Undeclared dependencies, but that is another (different) issue.
>
> If you want me to get access to the chroot to diagnose, feel free to send me
> access through private e-mail. In any case I'm going to recompile it so that
> it *only* links against the latest openssl version (might require relinking
> of all nessus packages though)
I'm going to prepare a test system tomorrow. Can you send me your ssh
public key?
Greetings
Marc
--
-------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835
Debian Bug Importer (debzilla) wrote : | #19 |
Message-ID: <email address hidden>
Date: Mon, 19 Dec 2005 10:05:12 +0100
From: Hadmut Danisch <email address hidden>
To: <email address hidden>
Subject: openssl problem
Hi,
I just ran into the same problem. As far as I can see the problem is
the libnasl2 package.
# strings - /usr/lib/
libssl.so.0.9.7
# ldd /usr/lib/
libnsl.so.1 => /lib/libnsl.so.1 (0x400c7000)
libdl.so.2 => /lib/libdl.so.2 (0x4021d000)
libc.so.6 => /lib/libc.so.6 (0x40221000)
It loads the libssl.so.0.9.7
You *need* to recompile the libnasl2 package synchronously with the
nessus packages!
After recompiling this single package, I still have the bad record mac
problem, but it solves at least the double library load.
regards
Hadmut
Debian Bug Importer (debzilla) wrote : | #20 |
Message-ID: <email address hidden>
Date: Wed, 28 Dec 2005 10:57:42 +0100
From: Javier =?iso-8859-
To: <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#343487: nessusd: cannot connect to 2.2.5-3 server
--dTy3Mrz/UPE2dbVg
Content-Type: text/plain; charset=us-ascii
Content-
Content-
severity 343487 grave
tags 343487 pending confirmed sid etch
reassign 343487 nessus
thanks
After debugging this issue in a system that Marc Haber set up for testing
I've found two different issues, one is a misconfiguration, the other is a
problem with the nessus package (the client)
- localhost was not allowed access to nessusd due to tcp wrappers
configuration (common mistake). Error message:
[ client ]
[8305] SSL_connect: error:140943FC:SSL routines:
rt
bad record mac
nessus : SSL error
[ server ]
[Wed Dec 28 10:46:08 2005][7608] Connection from 127.0.0.1 rejected by
libwrap
- (fixing the above) the nessus client was not able to connect to the server
error . Error message:
[ client ]=20
[8305] SSL_connect: error:140943FC:SSL routines:
rt
bad record mac
nessus : SSL error
[ none at server ]
I downgraded the nessus client version to 2.2.5-2 (which is *not* compiled
against both 0.9.7 and 0.9.8 SSL libraries) and it worked fine.
The issue should be fixed by recompiling the client against a set of the
libraries, and should affect only the 2.2.5-3 version under i386. Notice,
also that the package has an undeclared dependency on libssl0.9.7 (the binary
is linked against that one).
I will try to rebuild it in a clean environment and see if I can get rid of
the libssl0.9.7 dependencies that way. Other nessus-related packages (libnasl
and nessus-plugins) might need to be recompiled too.
Regards
Javier
Debian Bug Importer (debzilla) wrote : | #21 |
Message-ID: <email address hidden>
Date: Wed, 28 Dec 2005 02:16:26 -0800
From: Steve Langasek <email address hidden>
To: <email address hidden>
Subject: Re: Bug#343487: nessusd: cannot connect to 2.2.5-3 server
On Wed, Dec 28, 2005 at 10:57:42AM +0100, Javier Fernández-Sanguino Peña wrote:
> After debugging this issue in a system that Marc Haber set up for testing
> I've found two different issues, one is a misconfiguration, the other is a
> problem with the nessus package (the client)
> - (fixing the above) the nessus client was not able to connect to the server
> error . Error message:
> [ client ]
> [8305] SSL_connect: error:140943FC:SSL routines:
lert
> bad record mac
> nessus : SSL error
> [ none at server ]
> I downgraded the nessus client version to 2.2.5-2 (which is *not* compiled
> against both 0.9.7 and 0.9.8 SSL libraries) and it worked fine.
> The issue should be fixed by recompiling the client against a set of the
> libraries, and should affect only the 2.2.5-3 version under i386. Notice,
> also that the package has an undeclared dependency on libssl0.9.7 (the binary
> is linked against that one).
Why do you say that?
$ dpkg -x n/nessus-
$ ldd /tmp/nessus/
$
I don't see any reason to think that 2.2.5-3 is linked against 0.9.7.
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
<email address hidden> http://
In Debian Bug tracker #343487, Steve Langasek (vorlon) wrote : | #22 |
On Wed, Dec 28, 2005 at 11:31:11AM +0100, Javier Fernández-Sanguino Peña wrote:
> On Wed, Dec 28, 2005 at 02:16:26AM -0800, Steve Langasek wrote:
> > > The issue should be fixed by recompiling the client against a set of the
> > > libraries, and should affect only the 2.2.5-3 version under i386. Notice,
> > > also that the package has an undeclared dependency on libssl0.9.7 (the binary
> > > is linked against that one).
> > Why do you say that?
> > $ dpkg -x n/nessus-
> > $ ldd /tmp/nessus/
> > libssl.so.0.9.8 => not found
> > $
> > I don't see any reason to think that 2.2.5-3 is linked against 0.9.7.
> Sorry, my mistake:
> * nessusd 2.2.5-3, the server, is linked against both 0.9.7 and
> 0.9.8
Ok, I don't see this either:
$ ldd /tmp/nessus/
$
:)
Could you please explain why you believe nessusd is linked against both
versions of the library? To me, this bug looks like it's just an instance
of #338006.
> The 2.2.5-2 client works with the 2.2.5-3 and 2.2.5-2 server. The 2.2.5-3
> client does not work against any of the servers. It's the server that has an
> undeclared dependency (because it's linked against 0.9.7 but depends on just
> libssl0.9.8 (>= 0.9.8a-1)). A known fix is to have nessus, the server and
> client, link against just 0.9.7 (since it's known to work).
Well, that fix is not available to us, since there is no -dev package left
for openssl0.9.7.
> Moving to 0.9.8 might require a recompile of other nessus related packages
> (nasl and nessus-plugins) in order for all of that to work out, it might
> be another (better?) option.
Or the only option :)
Cheers,
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
<email address hidden> http://
In Debian Bug tracker #343487, Javier Fernández-Sanguino (jfs) wrote : | #23 |
On Wed, Dec 28, 2005 at 11:31:11AM +0100, Javier Fernández-Sanguino Peña wrote:
>
> * nessusd 2.2.5-3, the server, is linked against both 0.9.7 and
> 0.9.8
Just found out why this happened. The Nessus server gets compiled against
both versions since libnasl depends on 0.9.7, I did not notice this:
in the build process
gcc `sh ./cflags` auth.o attack.o comm.o log.o rules.o sighand.o
processes.o users.o utils.o ntp_10.o ntp_11.o parser.o hosts.o preferences.o piic.o pluginload.o nasl_plugins.o nes_plugins.o plugs_req.o nessusd.o save_tests.o save_kb.o detached.o pluginlaunch.o locks.o dirutils.o md5.o plugs_hash.o pluginupload.o pluginscheduler.o shared_socket.o -o nessusd `/usr/bin/
/usr/bin/ld: warning: libssl.so.0.9.7, needed by /usr/lib/
/usr/bin/ld: warning: libcrypto.so.0.9.7, needed by /usr/lib/
Since there is no libssl097-dev any longer I guess I'll have to recompile all
packages. Did I miss some mail to d-d-a about the OpenSSL transition?
Regards
Javier
Debian Bug Importer (debzilla) wrote : | #24 |
Message-ID: <email address hidden>
Date: Wed, 28 Dec 2005 11:31:11 +0100
From: Javier =?iso-8859-
To: Steve Langasek <email address hidden>, <email address hidden>
Subject: Re: Bug#343487: nessusd: cannot connect to 2.2.5-3 server
On Wed, Dec 28, 2005 at 02:16:26AM -0800, Steve Langasek wrote:
> > The issue should be fixed by recompiling the client against a set of the
> > libraries, and should affect only the 2.2.5-3 version under i386. Notice,
> > also that the package has an undeclared dependency on libssl0.9.7 (the binary
> > is linked against that one).
>
> Why do you say that?
>
> $ dpkg -x n/nessus-
> $ ldd /tmp/nessus/
> libssl.so.0.9.8 => not found
> $
>
> I don't see any reason to think that 2.2.5-3 is linked against 0.9.7.
Sorry, my mistake:
* nessusd 2.2.5-3, the server, is linked against both 0.9.7 and
0.9.8
* nessusd 2.2.5-2, the server, is only linked against 0.9.7
* nessus 2.2.5-3, the client, is only linked against 0.9.8.
* nessus 2.2.5-2, the client, is only linked against 0.9.7
The 2.2.5-2 client works with the 2.2.5-3 and 2.2.5-2 server. The 2.2.5-3
client does not work against any of the servers. It's the server that has an
undeclared dependency (because it's linked against 0.9.7 but depends on just
libssl0.9.8 (>= 0.9.8a-1)). A known fix is to have nessus, the server and
client, link against just 0.9.7 (since it's known to work). Moving to 0.9.8
might require a recompile of other nessus related packages (nasl and
nessus-plugins) in order for all of that to work out, it might be another
(better?) option.
Hopefully that clears it up.
Regards
Javier
In Debian Bug tracker #343487, Steve Langasek (vorlon) wrote : | #25 |
On Wed, Dec 28, 2005 at 11:59:14AM +0100, Javier Fernández-Sanguino Peña wrote:
> On Wed, Dec 28, 2005 at 11:31:11AM +0100, Javier Fernández-Sanguino Peña wrote:
> >
> > * nessusd 2.2.5-3, the server, is linked against both 0.9.7 and
> > 0.9.8
> Just found out why this happened. The Nessus server gets compiled against
> both versions since libnasl depends on 0.9.7, I did not notice this:
Aha, so it does.
> in the build process
> gcc `sh ./cflags` auth.o attack.o comm.o log.o rules.o sighand.o
> processes.o users.o utils.o ntp_10.o ntp_11.o parser.o hosts.o preferences.o piic.o pluginload.o nasl_plugins.o nes_plugins.o plugs_req.o nessusd.o save_tests.o save_kb.o detached.o pluginlaunch.o locks.o dirutils.o md5.o plugs_hash.o pluginupload.o pluginscheduler.o shared_socket.o -o nessusd `/usr/bin/
> /usr/bin/ld: warning: libssl.so.0.9.7, needed by /usr/lib/
> /usr/bin/ld: warning: libcrypto.so.0.9.7, needed by /usr/lib/
> Since there is no libssl097-dev any longer I guess I'll have to recompile all
> packages.
It should actually be possible to fix this with binNMUs on the autobuilders,
I think. I'll go ahead and queue those now.
> Did I miss some mail to d-d-a about the OpenSSL transition?
No, there hasn't been any mail to d-d-a about it. Since libssl0.9.7 still
exists, and libssl-dev was moved to version 0.9.8, this was expected to be a
rather "soft" transition; and it has been, except for the aforementioned bug
in libssl0.9.8 giving the "bad mac" error.
Anyway, rebuilding libnasl2 against libssl0.9.8 won't make anything worse
here, AFAICT.
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
<email address hidden> http://
In Debian Bug tracker #343487, Javier Fernández-Sanguino (jfs) wrote : | #26 |
On Wed, Dec 28, 2005 at 03:12:44AM -0800, Steve Langasek wrote:
>
> > Since there is no libssl097-dev any longer I guess I'll have to recompile all
> > packages.
>
> It should actually be possible to fix this with binNMUs on the autobuilders,
> I think. I'll go ahead and queue those now.
Please don't. The libssl 0.9.8 does *not* work when using Nessus, I've just
recompiled all packages (libnasl, nessus-plugins and nessus-core) to try to
get it working and I still get this:
[19131] SSL_connect: error:1408F455:SSL routines:
failed or bad record mac
nessus : SSL error
When trying to connect the nessus client against the server (all using
0.9.8). This seems to have happened to people using nessus in Debian or Mac
OS X and building Nessus from sources with OpenSSL 0.9.8
See:
http://
http://
http://
http://
It seems it is only fixed when using openssl 0.9.7:
http://
> > Did I miss some mail to d-d-a about the OpenSSL transition?
>
> No, there hasn't been any mail to d-d-a about it. Since libssl0.9.7 still
> exists, and libssl-dev was moved to version 0.9.8, this was expected to be a
> rather "soft" transition; and it has been, except for the aforementioned bug
> in libssl0.9.8 giving the "bad mac" error.
Well, the above error might be an issue with 0.9.8 which might not make this
transition smooth for Nessus. I'm not sure if this is a Nessus or an OpenSSL
issue. The same error message seems to have appeared in OpenSSL's discussion
list in the past (but not recently)
> Anyway, rebuilding libnasl2 against libssl0.9.8 won't make anything worse
> here, AFAICT.
Yes, but it seems that it's a no go, as it will not work (just tested).
Regards
Javier
Debian Bug Importer (debzilla) wrote : | #27 |
Message-ID: <email address hidden>
Date: Wed, 28 Dec 2005 02:54:17 -0800
From: Steve Langasek <email address hidden>
To: <email address hidden>
Subject: Re: Bug#343487: nessusd: cannot connect to 2.2.5-3 server
Debian Bug Importer (debzilla) wrote : | #28 |
Message-ID: <email address hidden>
Date: Wed, 28 Dec 2005 11:59:14 +0100
From: Javier =?iso-8859-
To: Steve Langasek <email address hidden>, <email address hidden>
Subject: Re: Bug#343487: nessusd: cannot connect to 2.2.5-3 server
Debian Bug Importer (debzilla) wrote : | #29 |
Message-ID: <email address hidden>
Date: Wed, 28 Dec 2005 03:12:44 -0800
From: Steve Langasek <email address hidden>
To: <email address hidden>
Subject: Re: Bug#343487: nessusd: cannot connect to 2.2.5-3 server
In Debian Bug tracker #343487, Javier Fernández-Sanguino (jfs) wrote : | #30 |
On Wed, Dec 28, 2005 at 02:54:17AM -0800, Steve Langasek wrote:
>
> > * nessusd 2.2.5-3, the server, is linked against both 0.9.7 and
> > 0.9.8
>
> Ok, I don't see this either:
>
> $ ldd /tmp/nessus/
> libssl.so.0.9.8 => not found
> $
Funny, it seems that ldd output varies _if_ you have this:
$ dpkg -l "ness*" "*nasl*" |grep ^ii
ii libnasl2 2.2.5-2 Nessus Attack Scripting Language, shared lib
ii nessus 2.2.5-2 Remote network security auditor, the client
ii nessus-plugins 2.2.5-2 Nessus plugins
ii nessusd 2.2.5-3 Remote network security auditor, the server
$ ldd /usr/sbin/nessusd |grep ssl
libssl.so.0.9.8 => /usr/lib/
libssl.so.0.9.7 => /usr/lib/
However, if you have this:
$ dpkg -l "ness*" "*nasl*" |grep ^ii
ii libnasl2 2.2.5-3 Nessus Attack Scripting Language, shared lib
ii nessus 2.2.5-3 Remote network security auditor, the client
ii nessus-plugins 2.2.5-2 Nessus plugins
ii nessusd 2.2.5-3 Remote network security auditor, the server
(libnasl 2.2.5-3 is the version I was preparing which compiles against
libssl.so.0.9.8, it's not in the archive)
Then you get this:
$ ldd /usr/sbin/nessusd |grep ssl
libssl.
So, for archs that have compiled libnasl2 against libssl.so.0.9.8 you will
not "see" nessusd linking against both. For archs that have compiled libnasl
against libssl.so.0.9.7 you will see that. Those archs include i386 at
least, since the packages for i386 were compiled in August by me, which was
previous to the switch of 0.9.7 to 0.9.8 in libssl-dev (in October).
> Could you please explain why you believe nessusd is linked against both
> versions of the library?
As said above and easily reproducible. Just install a libnasl2 which has been
compiled against 0.9.7.
> To me, this bug looks like it's just an instance
> of #338006.
Indeed, it looks like this might be the end issue. Is it a good idea to force
everyone to use a buggy library? Wouldn't it make sense to provide a
libssl097-dev to prevent breakage for those packages that get bitten by this
bug?
Regards
Javier
Debian Bug Importer (debzilla) wrote : | #31 |
Message-ID: <email address hidden>
Date: Wed, 28 Dec 2005 12:30:53 +0100
From: Javier =?iso-8859-
To: Steve Langasek <email address hidden>, <email address hidden>
Subject: Re: Bug#343487: nessusd: cannot connect to 2.2.5-3 server
Debian Bug Importer (debzilla) wrote : | #32 |
Message-ID: <email address hidden>
Date: Wed, 28 Dec 2005 12:47:48 +0100
From: Javier =?iso-8859-
To: Steve Langasek <email address hidden>, <email address hidden>
Subject: Re: Bug#343487: nessusd: cannot connect to 2.2.5-3 server
In Debian Bug tracker #343487, Marc Haber (mh+debian-bugs) wrote : Re: Re: Bug#343487: nessusd: cannot connect to 2.2.5-3 server | #33 |
On Wed, Dec 28, 2005 at 10:57:42AM +0100, Javier Fernández-Sanguino Peña wrote:
> severity 343487 grave
> tags 343487 pending confirmed sid etch
> reassign 343487 nessus
> thanks
>
> I downgraded the nessus client version to 2.2.5-2 (which is *not* compiled
> against both 0.9.7 and 0.9.8 SSL libraries) and it worked fine.
>
> The issue should be fixed by recompiling the client against a set of the
> libraries, and should affect only the 2.2.5-3 version under i386. Notice,
> also that the package has an undeclared dependency on libssl0.9.7 (the binary
> is linked against that one).
>
> I will try to rebuild it in a clean environment and see if I can get rid of
> the libssl0.9.7 dependencies that way. Other nessus-related packages (libnasl
> and nessus-plugins) might need to be recompiled too.
After seeing Javier's message on the nessus mailing list
(http://
which points to #338006, which is a bug in openssl 0.9.8), I tried
rebuilding nessus and nessusd in a clean sid chroot with only openssl
0.9.7 installed, as Javier suggested doing.
Because of Hadmut's message in this bug, I rebuilt libnasl as well.
The resulting packages naturally only depend on libssl0.9.7, and seem
to work fine. This might be a workaround.
The re-built packages for sid are available on
http://
http://
Greetings
Marc
--
-------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835
Debian Bug Importer (debzilla) wrote : | #34 |
Message-ID: <email address hidden>
Date: Thu, 29 Dec 2005 11:17:41 +0100
From: Marc Haber <email address hidden>
To: <email address hidden>
Cc: Marc Haber <email address hidden>
Subject: Re: Re: Bug#343487: nessusd: cannot connect to 2.2.5-3 server
In Debian Bug tracker #343487, Javier Fernández-Sanguino (jfs) wrote : Re: Bug#343487: Re: Bug#343487: nessusd: cannot connect to 2.2.5-3 server | #35 |
On Thu, Dec 29, 2005 at 11:17:41AM +0100, Marc Haber wrote:
> The resulting packages naturally only depend on libssl0.9.7, and seem
> to work fine. This might be a workaround.
Great, yes, this is a workaround. Unfortunately it's a *local* workaround.
Even if I can generate i386 packages compiled for libssl0.9.7, if I send them
to the queue they will get built by the autobuilders with libssl-dev, which
means !i386 will depend on libssl0.9.8.
Steve, what do you think is the best way to proceed here? Should we wait for
the bug to be fixed in OpenSSL or try to convince openssl developers to
provide a libssl097-dev so that I could change Nessus build dependencies
to it and make it use 0.9.7 until the OpenSSL bug is fixed? Or should I
upload i386 packages built against 0.9.7 so (at least) i386 users can have a
working Nessus client?
Regards
Javier
Debian Bug Importer (debzilla) wrote : | #36 |
Message-ID: <email address hidden>
Date: Thu, 29 Dec 2005 12:46:44 +0100
From: Javier =?iso-8859-
To: Marc Haber <email address hidden>, <email address hidden>,
Steve Langasek <email address hidden>
Subject: Re: Bug#343487: Re: Bug#343487: nessusd: cannot connect to 2.2.5-3 server
In Debian Bug tracker #343487, Steve Langasek (vorlon) wrote : Re: Bug#343487: nessusd: cannot connect to 2.2.5-3 server | #37 |
On Wed, Dec 28, 2005 at 12:30:53PM +0100, Javier Fernández-Sanguino Peña wrote:
> On Wed, Dec 28, 2005 at 03:12:44AM -0800, Steve Langasek wrote:
> > > Since there is no libssl097-dev any longer I guess I'll have to recompile all
> > > packages.
> > It should actually be possible to fix this with binNMUs on the autobuilders,
> > I think. I'll go ahead and queue those now.
> Please don't. The libssl 0.9.8 does *not* work when using Nessus, I've just
> recompiled all packages (libnasl, nessus-plugins and nessus-core) to try to
> get it working and I still get this:
Already done, though; as I said, it doesn't make things any *worse*, and
this is an RC bug in libssl0.9.8 that needs to be fixed. Having libnasl
stay linked against libssl0.9.7, and then accidentally get broken in a
security reupload, wouldn't be good either, so we might as well have
binaries in the archive that correspond to the current sources.
On Wed, Dec 28, 2005 at 12:47:48PM +0100, Javier Fernández-Sanguino Peña wrote:
> On Wed, Dec 28, 2005 at 02:54:17AM -0800, Steve Langasek wrote:
> > > * nessusd 2.2.5-3, the server, is linked against both 0.9.7 and
> > > 0.9.8
> > Ok, I don't see this either:
> > $ ldd /tmp/nessus/
> > libssl.so.0.9.8 => not found
> > $
> Funny, it seems that ldd output varies _if_ you have this:
Right... the problem with ldd is that it recurses library dependencies, so
it doesn't really tell you where the problem lies. :)
> So, for archs that have compiled libnasl2 against libssl.so.0.9.8 you will
> not "see" nessusd linking against both. For archs that have compiled libnasl
> against libssl.so.0.9.7 you will see that. Those archs include i386 at
> least, since the packages for i386 were compiled in August by me, which was
> previous to the switch of 0.9.7 to 0.9.8 in libssl-dev (in October).
It was actually the case on all architectures, fwiw.
> > To me, this bug looks like it's just an instance
> > of #338006.
> Indeed, it looks like this might be the end issue. Is it a good idea to force
> everyone to use a buggy library? Wouldn't it make sense to provide a
> libssl097-dev to prevent breakage for those packages that get bitten by this
> bug?
As mentioned, the bug in libssl0.9.8 *is* RC; and I don't think we're going
to be reverting all of these packages to remove libssl0.9.8 from etch; so I
believe it's better to focus on fixing openssl instead of trying to work
around it.
In the meantime, I guess I would have to recommend that users who need
nessus use the version from stable.
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
<email address hidden> http://
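The ldd point above (it recurses through dependencies, so the flat list does not say which object pulls in which libssl) as an added example, not code from the bug thread or from the Debian packages: walk the DT_NEEDED entries per ELF object, as `readelf -d` reports them, and attribute each libssl version to the object that directly requires it. The readelf excerpts and the nessusd/libnasl graph are constructed to mirror the situation the thread describes.

```python
import re
from collections import defaultdict

# Matches one DT_NEEDED entry as printed by `readelf -d`.
NEEDED_RE = re.compile(r"\(NEEDED\)\s+Shared library: \[([^\]]+)\]")

def parse_needed(readelf_output):
    """Return the DT_NEEDED sonames in `readelf -d` output, in order."""
    return NEEDED_RE.findall(readelf_output)

# Constructed `readelf -d` excerpts, one per ELF object (hypothetical values:
# nessusd built against 0.9.8, libnasl still carrying a NEEDED on 0.9.7).
READELF = {
    "nessusd": """
 0x00000001 (NEEDED)  Shared library: [libnasl.so.2]
 0x00000001 (NEEDED)  Shared library: [libssl.so.0.9.8]
 0x00000001 (NEEDED)  Shared library: [libc.so.6]
""",
    "libnasl.so.2": """
 0x00000001 (NEEDED)  Shared library: [libssl.so.0.9.7]
 0x00000001 (NEEDED)  Shared library: [libc.so.6]
""",
    "libssl.so.0.9.8": " 0x00000001 (NEEDED)  Shared library: [libcrypto.so.0.9.8]\n",
    "libssl.so.0.9.7": " 0x00000001 (NEEDED)  Shared library: [libcrypto.so.0.9.7]\n",
}

def who_needs(root, graph, pattern):
    """Walk NEEDED edges from `root` (the recursion ldd performs silently)
    and map each soname matching `pattern` to the chain of objects that
    pulls it in; the last element of the chain is the direct requirer."""
    hits, seen, stack = {}, set(), [(root, [root])]
    while stack:
        obj, chain = stack.pop()
        if obj in seen:
            continue
        seen.add(obj)
        for dep in parse_needed(graph.get(obj, "")):
            if re.search(pattern, dep):
                hits.setdefault(dep, chain)
            stack.append((dep, chain + [dep]))
    return hits

def mixed_versions(hits):
    """Library families present in more than one version, e.g.
    {'libssl': ['0.9.7', '0.9.8']}: the condition behind the SSL failure."""
    families = defaultdict(set)
    for soname in hits:
        base, _, ver = soname.partition(".so.")
        families[base].add(ver)
    return {b: sorted(v) for b, v in families.items() if len(v) > 1}
```

On a real system, feed `who_needs` a dict built by running `readelf -d` on the binary and on each library ldd lists; `mixed_versions` then flags the two-libssl condition and the chain says which package to rebuild.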
Debian Bug Importer (debzilla) wrote : | #38 |
Message-ID: <email address hidden>
Date: Fri, 30 Dec 2005 21:17:05 -0800
From: Steve Langasek <email address hidden>
To: <email address hidden>, Marc Haber <email address hidden>
Subject: Re: Bug#343487: nessusd: cannot connect to 2.2.5-3 server
In Debian Bug tracker #343487, Javier Fernández-Sanguino (jfs) wrote : 343487 is not pending | #39 |
tags 343487 - pending
thanks
This bug has to wait until #338006 is fixed.
Javier
Debian Bug Importer (debzilla) wrote : | #40 |
Message-ID: <email address hidden>
Date: Sat, 31 Dec 2005 11:22:05 +0100
From: Javier =?iso-8859-
To: <email address hidden>
Subject: 343487 is not pending
In Debian Bug tracker #343487, Javier Fernández-Sanguino (jfs) wrote : Workaround for OpenSSL 0.9.8 bug in Nessus | #41 |
Based on the comment made by Jim Paris to bug #338006 I've found that adding
the following line to nessusd.conf makes the client able to talk with the
server:
ssl_cipher_list = SSLv2:-
I'm going to add this to the default nessusd.conf to implement a workaround
fix for #343487 until such a time that #338006 is fixed.
Thanks Jim!
Javier
In Debian Bug tracker #343487, Javier Fernández-Sanguino (jfs) wrote : Bug#343487: fixed in nessus-core 2.2.5-4 | #42 |
Source: nessus-core
Source-Version: 2.2.5-4
We believe that the bug you reported is fixed in the latest version of
nessus-core, which is due to be installed in the Debian FTP archive:
nessus-
to pool/main/
nessus-
to pool/main/
nessus-
to pool/main/
nessus_
to pool/main/
nessusd_
to pool/main/
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Javier Fernandez-Sanguino Pen~a <email address hidden> (supplier of updated nessus-core package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)
Format: 1.7
Date: Sat, 31 Dec 2005 11:23:04 +0100
Source: nessus-core
Binary: nessus nessusd nessus-dev
Architecture: source all i386
Version: 2.2.5-4
Distribution: unstable
Urgency: low
Maintainer: Javier Fernandez-Sanguino Pen~a <email address hidden>
Changed-By: Javier Fernandez-Sanguino Pen~a <email address hidden>
Description:
nessus - Remote network security auditor, the client
nessus-dev - Nessus development header files
nessusd - Remote network security auditor, the server
Closes: 343487 346878
Changes:
nessus-core (2.2.5-4) unstable; urgency=low
.
* Remove all SSLv3 ciphers except for RC4 in the default nessusd.conf to work around bug #338006 and #343487
(Closes: #343487)
* Remove xlibs-dev build-dependencies (Closes: #346878)
Files:
Carthik Sharma (carthik) wrote : | #43 |
Latest in Dapper is free of this bug. Closing.
Changed in nessus-core: status: Unconfirmed → Fix Released
On Thu, Dec 15, 2005 at 05:17:36PM +0100, Marc Haber wrote:
> Package: nessusd
> Version: 2.2.5-3
> Severity: important
>
> When I try to connect to a 2.2.5-3 server from a 2.2.5-2 or 2.2.5-3
> client, the client says after hitting the "Login" button "SSL Error"
> and says on stdout "[8157] SSL_connect: error:140943FC:SSL
> routines:SSL3_READ_BYTES:sslv3 alert bad record mac". Downgrading the
> server to 2.2.5-2 makes the problem go away, upgrading to 2.2.5-3
> makes it happen again.
>
> A recompiled 2.2.5-3 on current sid exhibits the same behavior.
>
> I suspect some library issue.
Yes, that looks like an SSL error due to incompatibilities with the libraries.
> What I find strange: ldd of the working (2.2.5-2) daemon shows that
> it's linked to both libssl.so.0.9.8 and libssl.so.0.9.7, while the
Strange, my working 2.2.5-2 daemon says:
~$ ldd /usr/sbin/nessusd |grep ssl
libssl.so.0.9.7 => /usr/lib/i686/cmov/libssl.so.0.9.7 (0x40115000)
> non-working (3.2.5-3) daemon is only linked against libssl.so.0.9.7.
No, it's the other way around:
$ ldd debian/security/nessus/packages/nessus-core-2.2.5/debian/nessusd/usr/sbin/nessusd |grep ssl
libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0x40115000)
libssl.so.0.9.7 => /usr/lib/i686/cmov/libssl.so.0.9.7 (0x403b4000)
And the client (2.2.5-2) says
$ ldd /usr/bin/nessus |grep ssl
libssl.so.0.9.7 => /usr/lib/i686/cmov/libssl.so.0.9.7 (0x400e1000)
I guess recompiling the nessusd package should fix this issue. Will look into
it.
> This is kind of important as there does not seem to be a possibility
> to legally use nessus built from Debian with a registered plugin feed
> at the moment.
Er, this is completely unrelated (and not true). See doc/nessus-plugins/README.rebuild.Debian
/usr/share/
Regards
Javier