nessusd: cannot connect to 2.2.5-3 server

Automatically imported from Debian bug report #343487 http://bugs.debian.org/343487

Message-ID: <email address hidden>
Date: Thu, 15 Dec 2005 17:17:36 +0100
From: Marc Haber <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: nessusd: cannot connect to 2.2.5-3 server

Package: nessusd
Version: 2.2.5-3
Severity: important

When I try to connect to a 2.2.5-3 server from a 2.2.5-2 or 2.2.5-3
client, the client says after hitting the "Login" button "SSL Error"
and says on stdout "[8157] SSL_connect: error:140943FC:SSL
routines:SSL3_READ_BYTES:sslv3 alert bad record mac". Downgrading the
server to 2.2.5-2 makes the problem go away, upgrading to 2.2.5-3
makes it happen again.

A recompiled 2.2.5-3 on current sid exhibit the same behavior.

I suspect some library issue.

What i find strange: ldd of the working (2.2.5-2) daemon shows that
it's linked to both libssl.so.0.9.8 and libssl.so.0.9.7, while the
non-working (2.2.5-3) daemon is only linked against libssl.so.0.9.7.

I can reproduce the issue in a test chroot, so if you cannot see the
issue on your system, I can give you ssh access to a system that shows
the issue.

This is kind of important as there does not seem to be a possibility
to legally use nessus built from Debian with a registered plugin feed
at the moment.

Greetings
Marc

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14.3-scyw00225
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages nessusd depends on:
ii libc6 2.3.5-8.1 GNU C Library: Shared libraries an
ii libnasl2 2.2.5-2+zg1 Nessus Attack Scripting Language,
ii libnessus2 2.2.5-1+zg1 Nessus shared libraries
ii libssl0.9.8 0.9.8a-5 SSL shared libraries
ii libwrap0 7.6.dbs-8 Wietse Venema's TCP wrappers libra
ii nessus-plugins 2.2.5-6 Nessus plugins
ii openssl 0.9.8a-5 Secure Socket Layer (SSL) binary a

nessusd recommends no packages.

-- debconf information:
* nessusd/organization: Nessus Users United
* nessusd/califetime: 1460
* nessusd/province:
* nessusd/srvlifetime: 365
* nessusd/country:
* nessusd/certificate:
* nessusd/location:

--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835

Message-ID: <email address hidden>
Date: Thu, 15 Dec 2005 18:20:01 +0100
From: Javier =?iso-8859-1?Q?Fern=E1ndez-Sanguino_Pe=F1a?= <email address hidden>
To: Marc Haber <email address hidden>, <email address hidden>
Subject: Re: Bug#343487: nessusd: cannot connect to 2.2.5-3 server

--IJpNTDwzlM2Ie8A6
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, Dec 15, 2005 at 05:17:36PM +0100, Marc Haber wrote:
> Package: nessusd
> Version: 2.2.5-3
> Severity: important
>=20
> When I try to connect to a 2.2.5-3 server from a 2.2.5-2 or 2.2.5-3
> client, the client says after hitting the "Login" button "SSL Error"
> and says on stdout "[8157] SSL_connect: error:140943FC:SSL
> routines:SSL3_READ_BYTES:sslv3 alert bad record mac". Downgrading the
> server to 2.2.5-2 makes the problem go away, upgrading to 2.2.5-3
> makes it happen again.
>=20
> A recompiled 2.2.5-3 on current sid exhibit the same behavior.
>=20
> I suspect some library issue.

Yes, that looks like an SSL error due to incompatibilies with the libraries.

> What i find strange: ldd of the working (2.2.5-2) daemon shows that
> it's linked to both libssl.so.0.9.8 and libssl.so.0.9.7, while the

Strange, my working 2.2.5-2 daemon says:
~$ ldd /usr/sbin/nessusd |grep ssl
        libssl.so.0.9.7 =3D> /usr/lib/i686/cmov/libssl.so.0.9.7 (0x40115000)

> non-working (3.2.5-3) daemon is only linked against libssl.so.0.9.7.

No, it's the other way around:

$ ldd debian/security/nessus/packages/nessus-core-2.2.5/debian/nessusd/usr/=
sbin/nessusd
|grep ssl
        libssl.so.0.9.8 =3D> /usr/lib/i686/cmov/libssl.so.0.9.8 (0x40115000)
        libssl.so.0.9.7 =3D> /usr/lib/i686/cmov/libssl.so.0.9.7 (0x403b4000)

And the client (2.2.5-2) says
$ ldd /usr/bin/nessus |grep ssl
        libssl.so.0.9.7 =3D> /usr/lib/i686/cmov/libssl.so.0.9.7 (0x400e1000)

I guess recompiling the nessusd package should fix this issue. Will look in=
to
it.

> This is kind of important as there does not seem to be a possibility
> to legally use nessus built from Debian with a registered plugin feed
> at the moment.

Er, this is completely unrelated (and not true). See
/usr/share/doc/nessus-plugins/README.rebuild.Debian

Regards

Javier

--IJpNTDwzlM2Ie8A6
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDoaXBsandgtyBSwkRAnxqAJ0Yhf6pn0nONJEDDiM+EqiRJT3GLwCeLiKJ
Rg9EqJHROagAu7Q/33QsBOo=
=0Cyl
-----END PGP SIGNATURE-----

--IJpNTDwzlM2Ie8A6--

Message-ID: <email address hidden>
Date: Thu, 15 Dec 2005 18:44:18 +0100
From: Marc Haber <email address hidden>
To: <email address hidden>
Subject: Re: Bug#343487: nessusd: cannot connect to 2.2.5-3 server

On Thu, Dec 15, 2005 at 06:20:01PM +0100, Javier Fern�ez-Sanguino Pe�rote:
> On Thu, Dec 15, 2005 at 05:17:36PM +0100, Marc Haber wrote:
> > A recompiled 2.2.5-3 on current sid exhibit the same behavior.
> >
> > I suspect some library issue.
>
> Yes, that looks like an SSL error due to incompatibilies with the libraries.
>
> > What i find strange: ldd of the working (2.2.5-2) daemon shows that
> > it's linked to both libssl.so.0.9.8 and libssl.so.0.9.7, while the
>
> Strange, my working 2.2.5-2 daemon says:
> ~$ ldd /usr/sbin/nessusd |grep ssl
> libssl.so.0.9.7 => /usr/lib/i686/cmov/libssl.so.0.9.7 (0x40115000)
>
> > non-working (3.2.5-3) daemon is only linked against libssl.so.0.9.7.
>
> No, it's the other way around:
>
> $ ldd debian/security/nessus/packages/nessus-core-2.2.5/debian/nessusd/usr/sbin/nessusd
> |grep ssl
> libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0x40115000)
> libssl.so.0.9.7 => /usr/lib/i686/cmov/libssl.so.0.9.7 (0x403b4000)

NACK.

[2/68]mh@scyw00225[chroot sid]:~$ dpkg --list nessusd
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name Version Description
+++-==============-==============-============================================
ii nessusd 2.2.5-3 Remote network security auditor, the server
[3/69]mh@scyw00225[chroot sid]:~$ ldd /usr/sbin/nessusd | grep ssl
        libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0xb7ea9000)
[6/72]mh@scyw00225[chroot sid]:~$ sudo aptitude install nessusd/unstable
<snip>
[7/73]mh@scyw00225[chroot sid]:~$ dpkg --list nessusd
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name Version Description
+++-==============-==============-============================================
ii nessusd 2.2.5-2 Remote network security auditor, the server
[8/74]mh@scyw00225[chroot sid]:~$ ldd /usr/sbin/nessusd | grep ssl
        libssl.so.0.9.7 => /usr/lib/i686/cmov/libssl.so.0.9.7 (0xb7dd9000)
        libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0xb7b4e000)

> And the client (2.2.5-2) says
> $ ldd /usr/bin/nessus |grep ssl
> libssl.so.0.9.7 => /usr/lib/i686/cmov/libssl.so.0.9.7 (0x400e1000)

Confirmed.

> I guess recompiling the nessusd package should fix this issue.

Not on current sid, already tried that:
[13/79]mh@scyw00225[chroot sid]:~$ dpkg --list nessusd
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name Version Description
+++-==============-==============-=======...

Message-ID: <email address hidden>
Date: Thu, 15 Dec 2005 19:00:05 +0100
From: Javier =?iso-8859-1?Q?Fern=E1ndez-Sanguino_Pe=F1a?= <email address hidden>
To: Marc Haber <email address hidden>, <email address hidden>
Subject: Re: Bug#343487: nessusd: cannot connect to 2.2.5-3 server

--ZGiS0Q5IWpPtfppv
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, Dec 15, 2005 at 06:44:18PM +0100, Marc Haber wrote:
> > libssl.so.0.9.8 =3D> /usr/lib/i686/cmov/libssl.so.0.9.8 (0x4011=
5000)
> > libssl.so.0.9.7 =3D> /usr/lib/i686/cmov/libssl.so.0.9.7 (0x403b=
4000)
>=20
> NACK.

Err... Is this i386 or some other arch?
Those are *not* the binaries I built yesterday.

> > I guess recompiling the nessusd package should fix this issue.
>=20
> Not on current sid, already tried that:

You need to recompile both nessus-core and the client for that to work I
guess.
> >=20
> > Er, this is completely unrelated (and not true). See
> > /usr/share/doc/nessus-plugins/README.rebuild.Debian
                   ^^^^^^^^^^^^^^
>=20
> Ah. I have been looking for that readme inside the nessus or
> nessusd packages.

As you can see , it's in the -plugins package.

> Btw, the nessus_2.2.5.orig.tar.gz differs from
> what's downloadeable from the nessus web site. Additionally, following
> this procedure produces a non-working nessusd package on current sid.

Hmm...:

$ cat MD5.2.2.5
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MD5 (libnasl-2.2.5.tar.gz) =3D da1d96493714c34ae7ffbc1907b5bbcd
MD5 (nessus-core-2.2.5.tar.gz) =3D 282de0aa80a5c85aeab12bf556933694
MD5 (nessus-libraries-2.2.5.tar.gz) =3D a26a31ee7d8e82511e4ba3954ab1db24
MD5 (nessus-plugins-GPL-2.2.5.tar.gz) =3D 4b2710dfb7d7957145b6f101edfba7a7
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFC4R1C8JEETRRZWhoRAsN2AKCIOln0U5RPI8Zt83XZVidxShBiIwCgu17s
iGPZcIjuBrzaMJLpwYz8ew0=3D
=3DwPZC
-----END PGP SIGNATURE-----
$ md5sum nessus-core_2.2.5.orig.tar.gz
282de0aa80a5c85aeab12bf556933694 nessus-core_2.2.5.orig.tar.gz

Either you did not check properly or the file in nessus.org has changed. The
Md5 file above was signed by Renaud Deraison (key Id 14595A1A).

Regards

Javier

--ZGiS0Q5IWpPtfppv
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDoa8lsandgtyBSwkRAoHfAJ0XJVEvsoP+zRoSkkNVbmpv2bHpjACff6IL
BFGlC2a86fz/OM/xYyhyHC8=
=VSS1
-----END PGP SIGNATURE-----

--ZGiS0Q5IWpPtfppv--

Message-ID: <email address hidden>
Date: Thu, 15 Dec 2005 19:18:04 +0100
From: Marc Haber <email address hidden>
To: <email address hidden>
Subject: Re: Bug#343487: nessusd: cannot connect to 2.2.5-3 server

On Thu, Dec 15, 2005 at 07:00:05PM +0100, Javier Fern�ez-Sanguino Pe�rote:
> On Thu, Dec 15, 2005 at 06:44:18PM +0100, Marc Haber wrote:
> > > libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0x40115000)
> > > libssl.so.0.9.7 => /usr/lib/i686/cmov/libssl.so.0.9.7 (0x403b4000)
> >
> > NACK.
>
>
> Err... Is this i386 or some other arch?
> Those are *not* the binaries I built yesterday.

This is i386, pulled from Debian incoming.

[2/83]mh@scyw00225[chroot sid]:~$ md5sum nessusd_2.2.5-3_i386.deb
5540b1f4dfd81c4ba3c71ac4e2dbecfa nessusd_2.2.5-3_i386.deb
[3/84]mh@scyw00225[chroot sid]:~$

> > > I guess recompiling the nessusd package should fix this issue.
> >
> > Not on current sid, already tried that:
>
> You need to recompile both nessus-core and the client for that to work I
> guess.

nessus-core builds the client as well:
[5/86]mh@scyw00225[chroot sid]:~$ dpkg --info nessus_2.2.5-3_i386.deb | grep 'Source'
 Source: nessus-core
[6/87]mh@scyw00225[chroot sid]:~$

The issue is, however, with the daemon. 2.2.5-2 works with all clients
I tried, and 2.2.5-3 fails with all clients I tried.

> > > Er, this is completely unrelated (and not true). See
> > > /usr/share/doc/nessus-plugins/README.rebuild.Debian
> ^^^^^^^^^^^^^^
> >
> > Ah. I have been looking for that readme inside the nessus or
> > nessusd packages.
>
> As you can see , it's in the -plugins package.

Yes. Not where I would look for it.

> > Btw, the nessus_2.2.5.orig.tar.gz differs from
> > what's downloadeable from the nessus web site. Additionally, following
> > this procedure produces a non-working nessusd package on current sid.
>
> Hmm...:
>
> $ cat MD5.2.2.5
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> MD5 (libnasl-2.2.5.tar.gz) = da1d96493714c34ae7ffbc1907b5bbcd
> MD5 (nessus-core-2.2.5.tar.gz) = 282de0aa80a5c85aeab12bf556933694
> MD5 (nessus-libraries-2.2.5.tar.gz) = a26a31ee7d8e82511e4ba3954ab1db24
> MD5 (nessus-plugins-GPL-2.2.5.tar.gz) = 4b2710dfb7d7957145b6f101edfba7a7
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.4 (Darwin)
>
> iD8DBQFC4R1C8JEETRRZWhoRAsN2AKCIOln0U5RPI8Zt83XZVidxShBiIwCgu17s
> iGPZcIjuBrzaMJLpwYz8ew0=
> =wPZC
> -----END PGP SIGNATURE-----
> $ md5sum nessus-core_2.2.5.orig.tar.gz
> 282de0aa80a5c85aeab12bf556933694 nessus-core_2.2.5.orig.tar.gz
>
> Either you did not check properly or the file in nessus.org has changed. The
> Md5 file above was signed by Renaud Deraison (key Id 14595A1A).

I did not check properly. I inadvertently downloaded and checked
nessus-plugins instead of nessus-core.

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835

Message-ID: <email address hidden>
Date: Thu, 15 Dec 2005 22:17:13 +0100
From: Javier =?iso-8859-1?Q?Fern=E1ndez-Sanguino_Pe=F1a?= <email address hidden>
To: Marc Haber <email address hidden>, <email address hidden>
Subject: Re: Bug#343487: nessusd: cannot connect to 2.2.5-3 server

--Q68bSM7Ycu6FN28Q
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, Dec 15, 2005 at 07:18:04PM +0100, Marc Haber wrote:
> [2/83]mh@scyw00225[chroot sid]:~$ md5sum nessusd_2.2.5-3_i386.deb
> 5540b1f4dfd81c4ba3c71ac4e2dbecfa nessusd_2.2.5-3_i386.deb
> [3/84]mh@scyw00225[chroot sid]:~$

That is correct, however, with that one, as I said:

$ ldd /usr/sbin/nessusd |grep ssl =20
 libssl.so.0.9.8 =3D> /usr/lib/i686/cmov/libssl.so.0.9.8 (0x40115000)
        libssl.so.0.9.7 =3D> /usr/lib/i686/cmov/libssl.so.0.9.7 (0x403b4000)

And that one *works* with my Nessus client (2.2.5-2), I just tried. Are you
sure you are using the same Nessus daemon provided by the package, have you
restarted it?

Could you show me the output of 'dpkg -l "*libssl*"'

In my system it shows:

ii libssl-dev 0.9.8a-4 SSL development libraries, header files a=
nd
ii libssl0.9.6 0.9.6m-1 SSL shared libraries (old version)
ii libssl0.9.7 0.9.7g-5 SSL shared libraries
ii libssl0.9.8 0.9.8a-4 SSL shared libraries

Maybe it is *not* failing in my system because libssl0.9.7 is installed even
though there is not a declared dependency for it in the Nessusd package (it
says libssl0.9.8 (>=3D 0.9.8a-1), it *is* there for the nessus-plugins pack=
age
though so if you do the typical installation (nessusd, nessus and
nessus-plugins) it works.

In any case, if you *don't* have libssl0.9.7 the Nessusd (2.2.5-3) would
complain:

$ sudo /etc/init.d/nessusd start Starting Nessus daemon: /usr/sbin/nessusd:
error while loading shared libraries: libssl.so.0.9.7: cannot open shared
object file: No such file or directory

ERROR.

Can you please send me a full list of the nessus packages installed and the
output of ldd for those?

> The issue is, however, with the daemon. 2.2.5-2 works with all clients
> I tried, and 2.2.5-3 fails with all clients I tried.

Not for me, just tested and works fine with nessusd 2.2.5-3 and nessus
2.2.5-2. There are two problems here:

- binary linked against both libssl versions (see=20
  http://lists.debian.org/debian-release/2005/10/msg00125.html)
- Undeclared dependencies, but that is another (different) issue.

If you want me to get access to the chroot to diagnose, feel free to send me
access through private e-mail. In any case I'm going to recompile it so that
it *only* links against the latest openssl version (might require relinking
of all nessus packages though)

Regards

Javier

--Q68bSM7Ycu6FN28Q
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDod1ZsandgtyBSwkRAmC2AJ97c9PwsieuWRfve6PaBD8se14iTACfVQq+
xJcyTNwHTIe8locgcwS/vK0=
=uuAv
-----END PGP SIGNATURE-----

--Q68bSM7Ycu6FN28Q--

Message-ID: <email address hidden>
Date: Thu, 15 Dec 2005 22:40:27 +0100
From: Marc Haber <email address hidden>
To: <email address hidden>
Subject: Re: Bug#343487: nessusd: cannot connect to 2.2.5-3 server

On Thu, Dec 15, 2005 at 10:17:13PM +0100, Javier Fern�ez-Sanguino Pe�rote:
> On Thu, Dec 15, 2005 at 07:18:04PM +0100, Marc Haber wrote:
> > [2/83]mh@scyw00225[chroot sid]:~$ md5sum nessusd_2.2.5-3_i386.deb
> > 5540b1f4dfd81c4ba3c71ac4e2dbecfa nessusd_2.2.5-3_i386.deb
> > [3/84]mh@scyw00225[chroot sid]:~$
>
> That is correct, however, with that one, as I said:
>
> $ ldd /usr/sbin/nessusd |grep ssl
> libssl.so.0.9.8 => /usr/lib/i686/cmov/libssl.so.0.9.8 (0x40115000)
> libssl.so.0.9.7 => /usr/lib/i686/cmov/libssl.so.0.9.7 (0x403b4000)
>
> And that one *works* with my Nessus client (2.2.5-2), I just tried. Are you
> sure you are using the same Nessus daemon provided by the package, have you
> restarted it?

I have stopped it, verified that there was no daemon listening on the
nessus port, and used the init script to start it again.

> Could you show me the output of 'dpkg -l "*libssl*"'

[1/87]mh@scyw00225[chroot sid]:~$ dpkg --list '*libssl*'
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name Version Description
+++-==============-==============-============================================
un libssl <none> (no description available)
pn libssl0.9.6 <none> (no description available)
ii libssl0.9.7 0.9.7g-5 SSL shared libraries
ii libssl0.9.8 0.9.8a-5 SSL shared libraries
un libssl096 <none> (no description available)
un libssl096-dev <none> (no description available)
[2/88]mh@scyw00225[chroot sid]:~$

> Can you please send me a full list of the nessus packages installed and the
> output of ldd for those?

which packages, which binaries?

> > The issue is, however, with the daemon. 2.2.5-2 works with all clients
> > I tried, and 2.2.5-3 fails with all clients I tried.
>
> Not for me, just tested and works fine with nessusd 2.2.5-3 and nessus
> 2.2.5-2. There are two problems here:
>
> - binary linked against both libssl versions (see
> http://lists.debian.org/debian-release/2005/10/msg00125.html)
> - Undeclared dependencies, but that is another (different) issue.
>
> If you want me to get access to the chroot to diagnose, feel free to send me
> access through private e-mail. In any case I'm going to recompile it so that
> it *only* links against the latest openssl version (might require relinking
> of all nessus packages though)

I'm going to prepare a test system tomorrow. Can you send me your ssh
public key?

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835

Message-ID: <email address hidden>
Date: Mon, 19 Dec 2005 10:05:12 +0100
From: Hadmut Danisch <email address hidden>
To: <email address hidden>
Subject: openssl problem

Hi,

I just ran into the same problem. As far as I can see the problem is
the libnasl2 package.

# strings - /usr/lib/libnasl.so.2 | fgrep libssl
libssl.so.0.9.7

# ldd /usr/lib/libnasl.so.2
        libnessus.so.2 => /usr/lib/libnessus.so.2 (0x40040000)
        libhosts_gatherer.so.2 => /usr/lib/libhosts_gatherer.so.2
        (0x400ad000)
        libpcap-nessus.so.2 => /usr/lib/libpcap-nessus.so.2
        (0x400b2000)
        libutil.so.1 => /lib/libutil.so.1 (0x400c3000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x400c7000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x400db000)
        libssl.so.0.9.7 => /usr/lib/i686/cmov/libssl.so.0.9.7
        (0x400ee000)
        libcrypto.so.0.9.7 => /usr/lib/i686/cmov/libcrypto.so.0.9.7
        (0x4011f000)
        libdl.so.2 => /lib/libdl.so.2 (0x4021d000)
        libc.so.6 => /lib/libc.so.6 (0x40221000)
        /lib/ld-linux.so.2 (0x80000000)

It loads the libssl.so.0.9.7

You *need* to recompile the libnasl2 package synchronously with the
nessus packages!

After recompiling this single package, I still have the bad record mac
problem, but it solves at least the double library load.

regards
Hadmut

Message-ID: <email address hidden>
Date: Wed, 28 Dec 2005 10:57:42 +0100
From: Javier =?iso-8859-1?Q?Fern=E1ndez-Sanguino_Pe=F1a?= <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#343487: nessusd: cannot connect to 2.2.5-3 server

--dTy3Mrz/UPE2dbVg
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

severity 343487 grave
tags 343487 pending confirmed sid etch
reassign 343487 nessus
thanks

After debugging this issue in a system that Marc Haber set up for testing
I've found two different issues, one is a misconfiguration, the other is a
problem with the nessus package (the client)

- localhost was not allowed access to nessusd due to tcp wrappers
  configuration (common mistake). Error message:
  [ client ]
  [8305] SSL_connect: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 ale=
rt
  bad record mac
  nessus : SSL error
  [ server ]
  [Wed Dec 28 10:46:08 2005][7608] Connection from 127.0.0.1 rejected by
  libwrap

- (fixing the above) the nessus client was not able to connect to the server
  error . Error message:
  [ client ]=20
  [8305] SSL_connect: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 ale=
rt
  bad record mac
  nessus : SSL error
  [ none at server ]

I downgraded the nessus client version to 2.2.5-2 (which is *not* compiled
against both 0.9.7 and 0.9.8 SSL libraries) and it worked fine.

The issue should be fixed by recompiling the client against a set of the
libraries, and should affect only the 2.2.5-3 version under i386. Notice,
also that the package has an undeclared dependency on libssl0.9.7 (the bina=
ry
is linked against that one).

I will try to rebuild it in a clean environment and see if I can get rid of
the libssl0.9.7 dependencies that way. Other nessus-related packages (libna=
sl
and nessus-plugins) might need to be recompiled too.

Regards

Javier

--dTy3Mrz/UPE2dbVg
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDsmGWsandgtyBSwkRAmDYAJ9GfDTjPYTE+SW+oEbhI7HuzI/CYQCfZORg
OXiqSG5HBkxMtjQikm7DdiY=
=DJ0G
-----END PGP SIGNATURE-----

--dTy3Mrz/UPE2dbVg--

Message-ID: <email address hidden>
Date: Wed, 28 Dec 2005 02:16:26 -0800
From: Steve Langasek <email address hidden>
To: <email address hidden>
Subject: Re: Bug#343487: nessusd: cannot connect to 2.2.5-3 server

--0z5c7mBtSy1wdr4F
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Dec 28, 2005 at 10:57:42AM +0100, Javier Fern=E1ndez-Sanguino Pe=F1=
a wrote:
> After debugging this issue in a system that Marc Haber set up for testing
> I've found two different issues, one is a misconfiguration, the other is a
> problem with the nessus package (the client)

> - (fixing the above) the nessus client was not able to connect to the ser=
ver
> error . Error message:
> [ client ]=20
> [8305] SSL_connect: error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 a=
lert
> bad record mac
> nessus : SSL error
> [ none at server ]

> I downgraded the nessus client version to 2.2.5-2 (which is *not* compiled
> against both 0.9.7 and 0.9.8 SSL libraries) and it worked fine.

> The issue should be fixed by recompiling the client against a set of the
> libraries, and should affect only the 2.2.5-3 version under i386. Notice,
> also that the package has an undeclared dependency on libssl0.9.7 (the bi=
nary
> is linked against that one).

Why do you say that?

$ dpkg -x n/nessus-core/nessus_2.2.5-3_i386.deb /tmp/nessus
$ ldd /tmp/nessus/usr/bin/nessus |grep ssl
        libssl.so.0.9.8 =3D> not found
$

I don't see any reason to think that 2.2.5-3 is linked against 0.9.7.

--=20
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
<email address hidden> http://www.debian.org/

--0z5c7mBtSy1wdr4F
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDsmX6KN6ufymYLloRAlpfAKCRxusaEioHiYK6LMMsruhKlr096gCdG+rI
YnauyLGdcR/0K46IvW6xOVg=
=loIg
-----END PGP SIGNATURE-----

--0z5c7mBtSy1wdr4F--

Message-ID: <email address hidden>
Date: Wed, 28 Dec 2005 11:31:11 +0100
From: Javier =?iso-8859-1?Q?Fern=E1ndez-Sanguino_Pe=F1a?= <email address hidden>
To: Steve Langasek <email address hidden>, <email address hidden>
Subject: Re: Bug#343487: nessusd: cannot connect to 2.2.5-3 server

--a8Wt8u1KmwUX3Y2C
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Dec 28, 2005 at 02:16:26AM -0800, Steve Langasek wrote:
> > The issue should be fixed by recompiling the client against a set of the
> > libraries, and should affect only the 2.2.5-3 version under i386. Notic=
e,
> > also that the package has an undeclared dependency on libssl0.9.7 (the =
binary
> > is linked against that one).
>=20
> Why do you say that?
>=20
> $ dpkg -x n/nessus-core/nessus_2.2.5-3_i386.deb /tmp/nessus
> $ ldd /tmp/nessus/usr/bin/nessus |grep ssl
> libssl.so.0.9.8 =3D> not found
> $
>=20
> I don't see any reason to think that 2.2.5-3 is linked against 0.9.7.

Sorry, my mistake:

* nessusd 2.2.5-3, the server, is linked against both 0.9.7 and
0.9.8
* nessusd 2.2.5-2, the server, is only linked against 0.9.7

* nessus 2.2.5-3, the client, is only linked against 0.9.8.
* nessus 2.2.5-2, the client, is only linked against 0.9.7

The 2.2.5-2 client works with the 2.2.5-3 and 2.2.5-2 server. The 2.2.5-3
client does not work against any of the servers. It's the server that has an
undeclared dependency (because it's linked against 0.9.7 but depends on just
libssl0.9.8 (>=3D 0.9.8a-1)). A known fix is to have nessus, the server and
client, link against just 0.9.7 (since it's known to work). Moving to 0.9.8
might require a recompile of other nessus related packages (nasl and
nessus-plugins) in order for all of that to work out, it might be another
(better?) option.

Hopefully that clears it up.

Regards

Javier

--a8Wt8u1KmwUX3Y2C
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDsmlvsandgtyBSwkRApplAJ9uSm2N107tAhVxd6/hGav+T9HSTgCfYs5p
EeSzkOvyhf0iIbqizD5qHQk=
=7mNf
-----END PGP SIGNATURE-----

--a8Wt8u1KmwUX3Y2C--

Message-ID: <email address hidden>
Date: Wed, 28 Dec 2005 02:54:17 -0800
From: Steve Langasek <email address hidden>
To: <email address hidden>
Subject: Re: Bug#343487: nessusd: cannot connect to 2.2.5-3 server

--bgQAstJ9X1Eg13Dy
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Dec 28, 2005 at 11:31:11AM +0100, Javier Fern=E1ndez-Sanguino Pe=F1=
a wrote:
> On Wed, Dec 28, 2005 at 02:16:26AM -0800, Steve Langasek wrote:
> > > The issue should be fixed by recompiling the client against a set of =
the
> > > libraries, and should affect only the 2.2.5-3 version under i386. Not=
ice,
> > > also that the package has an undeclared dependency on libssl0.9.7 (th=
e binary
> > > is linked against that one).

> > Why do you say that?

> > $ dpkg -x n/nessus-core/nessus_2.2.5-3_i386.deb /tmp/nessus
> > $ ldd /tmp/nessus/usr/bin/nessus |grep ssl
> > libssl.so.0.9.8 =3D> not found
> > $

> > I don't see any reason to think that 2.2.5-3 is linked against 0.9.7.

> Sorry, my mistake:

> * nessusd 2.2.5-3, the server, is linked against both 0.9.7 and
> 0.9.8

Ok, I don't see this either:

$ ldd /tmp/nessus/usr/sbin/nessusd|grep ssl
        libssl.so.0.9.8 =3D> not found
$

:)

Could you please explain why you believe nessusd is linked against both
versions of the library? To me, this bug looks like it's just an instance
of #338006.

> The 2.2.5-2 client works with the 2.2.5-3 and 2.2.5-2 server. The 2.2.5-3
> client does not work against any of the servers. It's the server that has=
 an
> undeclared dependency (because it's linked against 0.9.7 but depends on j=
ust
> libssl0.9.8 (>=3D 0.9.8a-1)). A known fix is to have nessus, the server a=
nd
> client, link against just 0.9.7 (since it's known to work).

Well, that fix is not available to us, since there is no -dev package left
for openssl0.9.7.

> Moving to 0.9.8 might require a recompile of other nessus related packages
> (nasl and nessus-plugins) in order for all of that to work out, it might
> be another (better?) option.

Or the only option :)

Cheers,
--=20
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
<email address hidden> http://www.debian.org/

--bgQAstJ9X1Eg13Dy
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDsm7ZKN6ufymYLloRAnNzAKDFBVq/e/ydsMvEmYHdFzkLHCEYFQCgl9ty
bpimQdlCexZTViW8MScAryg=
=9+35
-----END PGP SIGNATURE-----

--bgQAstJ9X1Eg13Dy--

Message-ID: <email address hidden>
Date: Wed, 28 Dec 2005 11:59:14 +0100
From: Javier =?iso-8859-1?Q?Fern=E1ndez-Sanguino_Pe=F1a?= <email address hidden>
To: Steve Langasek <email address hidden>, <email address hidden>
Subject: Re: Bug#343487: nessusd: cannot connect to 2.2.5-3 server

--UugvWAfsgieZRqgk
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Dec 28, 2005 at 11:31:11AM +0100, Javier Fern=E1ndez-Sanguino Pe=F1=
a wrote:
>=20
> * nessusd 2.2.5-3, the server, is linked against both 0.9.7 and
> 0.9.8

Just found out why this happened. The Nessus server gets compile against
both versions since libnasl depends on 0.9.7, I did not notice this:

in the build process
gcc `sh ./cflags` auth.o attack.o comm.o log.o rules.o sighand.o
processes.o users.o util s.o ntp_10.o ntp_11.o parser.o hosts.o preferences=
=2Eo piic.o pluginload.o nasl_plugins.o nes _plugins.o plugs_req.o nessusd.=
o save_tests.o save_kb.o detached.o pluginlaunch.o locks.o d irutils.o md5.=
o plugs_hash.o pluginupload.o pluginscheduler.o shared_socket.o -o nessusd =
`/usr/bin/nasl-config --libs` `/usr/bin/nessus-config --libs` -ldl -lwr=
ap=20
/usr/bin/ld: warning: libssl.so.0.9.7, needed by /usr/lib/libnasl.so, may c=
onflict with lib ssl.so.0.9.8=20
/usr/bin/ld: warning: libcrypto.so.0.9.7, needed by /usr/lib/libnasl.so, ma=
y conflict with libcrypto.so.0.9.8

Since there is no libssl097-dev any longer I guess I'll have to recompile a=
ll
packages. Did I miss some mail to d-d-a about the OpenSSL transition?

Regards

Javier

--UugvWAfsgieZRqgk
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDsnACsandgtyBSwkRApH3AJ9FfM+pZcmKpxTTnuj7GL3hV8w+UACeLPtU
8xVV7op8aD6KpYe3GXbdUvE=
=xA7l
-----END PGP SIGNATURE-----

--UugvWAfsgieZRqgk--

Message-ID: <email address hidden>
Date: Wed, 28 Dec 2005 03:12:44 -0800
From: Steve Langasek <email address hidden>
To: <email address hidden>
Subject: Re: Bug#343487: nessusd: cannot connect to 2.2.5-3 server

--q6mBvMCt6oafMx9a
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Dec 28, 2005 at 11:59:14AM +0100, Javier Fern=E1ndez-Sanguino Pe=F1=
a wrote:
> On Wed, Dec 28, 2005 at 11:31:11AM +0100, Javier Fern=E1ndez-Sanguino Pe=
=F1a wrote:
> >=20
> > * nessusd 2.2.5-3, the server, is linked against both 0.9.7 and
> > 0.9.8

> Just found out why this happened. The Nessus server gets compile against
> both versions since libnasl depends on 0.9.7, I did not notice this:

Aha, so it does.

> in the build process
> gcc `sh ./cflags` auth.o attack.o comm.o log.o rules.o sighand.o
> processes.o users.o util s.o ntp_10.o ntp_11.o parser.o hosts.o preferenc=
es.o piic.o pluginload.o nasl_plugins.o nes _plugins.o plugs_req.o nessusd.=
o save_tests.o save_kb.o detached.o pluginlaunch.o locks.o d irutils.o md5.=
o plugs_hash.o pluginupload.o pluginscheduler.o shared_socket.o -o nessusd =
`/usr/bin/nasl-config --libs` `/usr/bin/nessus-config --libs` -ldl -lwr=
ap=20
> /usr/bin/ld: warning: libssl.so.0.9.7, needed by /usr/lib/libnasl.so, may=
 conflict with lib ssl.so.0.9.8=20
> /usr/bin/ld: warning: libcrypto.so.0.9.7, needed by /usr/lib/libnasl.so, =
may conflict with libcrypto.so.0.9.8

> Since there is no libssl097-dev any longer I guess I'll have to recompile=
 all
> packages.

It should actually be possible to fix this with binNMUs on the autobuilders,
I think. I'll go ahead and queue those now.

> Did I miss some mail to d-d-a about the OpenSSL transition?

No, there hasn't been any mail to d-d-a about it. Since libssl0.9.7 still
exists, and libssl-dev was moved to version 0.9.8, this was expected to be a
rather "soft" transition; and it has been, except for the aforementioned bug
in libssl0.9.8 giving the "bad mac" error.

Anyway, rebuilding libnasl2 against libssl0.9.8 won't make anything worse
here, AFAICT.

--=20
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
<email address hidden> http://www.debian.org/

--q6mBvMCt6oafMx9a
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDsnMsKN6ufymYLloRAt1IAJkBiTY0mqXmoc83s8ssZklvjAqAZACgng53
dNX3YUEUnMrjtM85v32v3rA=
=KG7s
-----END PGP SIGNATURE-----

--q6mBvMCt6oafMx9a--

Message-ID: <email address hidden>
Date: Wed, 28 Dec 2005 12:30:53 +0100
From: Javier =?iso-8859-1?Q?Fern=E1ndez-Sanguino_Pe=F1a?= <email address hidden>
To: Steve Langasek <email address hidden>, <email address hidden>
Subject: Re: Bug#343487: nessusd: cannot connect to 2.2.5-3 server

--W/nzBZO5zC0uMSeA
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Dec 28, 2005 at 03:12:44AM -0800, Steve Langasek wrote:
>=20
> > Since there is no libssl097-dev any longer I guess I'll have to recompi=
le all
> > packages.
>=20
> It should actually be possible to fix this with binNMUs on the autobuilde=
rs,
> I think. I'll go ahead and queue those now.

Please don't. The libssl 0.9.8 does *not* work when using Nessus, I've just
recompiled all packages (libnasl, nessus-plugins and nessus-core) to try to
get it working and I still get this:

[19131] SSL_connect: error:1408F455:SSL routines:SSL3_GET_RECORD:decryption
failed or bad record mac
nessus : SSL error

When trying to connect the nessus client against the server (all using
0.9.8). This seems to have happened to people using nessus in Debian or Mac
OS X and building Nessus from sources with OpenSSL 0.9.8
See:

http://mail.nessus.org/pipermail/nessus/2005-November/msg00206.html
http://mail.nessus.org/pipermail/nessus/2005-November/msg00013.html
http://archives.free.net.ph/message/20051212.082941.2fe85e3f.en.html
http://mail.nessus.org/pipermail/nessus/2005-October/msg00297.html

It seems it is only fixed when using openssl 0.9.7:
http://mail.nessus.org/pipermail/nessus/2005-November/msg00213.html

> > Did I miss some mail to d-d-a about the OpenSSL transition?
>=20
> No, there hasn't been any mail to d-d-a about it. Since libssl0.9.7 still
> exists, and libssl-dev was moved to version 0.9.8, this was expected to b=
e a
> rather "soft" transition; and it has been, except for the aforementioned =
bug
> in libssl0.9.8 giving the "bad mac" error.

Well, the above error might be an issue with 0.9.8 which might not make this
transition smooth for Nessus. I'm not sure if this is a Nessus or an OpenS=
SL
issue. The same error message seems to have appeared in OpenSSL's discussion
list in the past (but not recently)

> Anyway, rebuilding libnasl2 against libssl0.9.8 won't make anything worse
> here, AFAICT.

Yes, but it seems that it's a no go, as it will not work (just tested).

Regards

Javier

--W/nzBZO5zC0uMSeA
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDsndtsandgtyBSwkRAnVAAJ9AMi8nWpQOy7YG5vTinT9981NhGACeJzge
Y1aJoXY2TNFn0iEbIdpWKuU=
=1FVg
-----END PGP SIGNATURE-----

--W/nzBZO5zC0uMSeA--

Message-ID: <email address hidden>
Date: Wed, 28 Dec 2005 12:47:48 +0100
From: Javier =?iso-8859-1?Q?Fern=E1ndez-Sanguino_Pe=F1a?= <email address hidden>
To: Steve Langasek <email address hidden>, <email address hidden>
Subject: Re: Bug#343487: nessusd: cannot connect to 2.2.5-3 server

--kfjH4zxOES6UT95V
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Dec 28, 2005 at 02:54:17AM -0800, Steve Langasek wrote:
>=20
> > * nessusd 2.2.5-3, the server, is linked against both 0.9.7 and
> > 0.9.8
>=20
> Ok, I don't see this either:
>=20
> $ ldd /tmp/nessus/usr/sbin/nessusd|grep ssl
> libssl.so.0.9.8 =3D> not found
> $

Funny, it seems that ldd output varies _if_ you have this:

$ dpkg -l "ness*" "*nasl*" |grep ^ii
ii libnasl2 2.2.5-2 Nessus Attack Scripting Language, shared
lib
ii nessus 2.2.5-2 Remote network security auditor, the clie=
nt
ii nessus-plugins 2.2.5-2 Nessus plugins
ii nessusd 2.2.5-3 Remote network security auditor, the serv=
er
$ ldd /usr/sbin/nessusd |grep ssl
 libssl.so.0.9.8 =3D> /usr/lib/i686/cmov/libssl.so.0.9.8 (0x40115000)
 libssl.so.0.9.7 =3D> /usr/lib/i686/cmov/libssl.so.0.9.7 (0x403b4000)

However, if you have this:
$ dpkg -l "ness*" "*nasl*" |grep ^ii
ii libnasl2 2.2.5-3 Nessus Attack Scripting Language, shared
lib
ii nessus 2.2.5-3 Remote network security auditor, the clie=
nt
ii nessus-plugins 2.2.5-2 Nessus plugins
ii nessusd 2.2.5-3 Remote network security auditor, the serv=
er

(libnasl 2.2.5-3 is the version I was preparing which compiles against
libssl.so.0.9.8, it's not in the archive)

Then you get this:
$ ldd /usr/sbin/nessusd |grep ssl
      libssl.so.0.9.8 =3D> /usr/lib/i686/cmov/libssl.so.0.9.8 (0x40116000)

So, for archs that have compiled libnasl2 against libssl.so.0.9.8 you will
not "see" nessusd linking against both. For archs that have compiled libnasl
aginast libssl.so.0.9.7 you will see that. Tthose archs include i386 at
least, since the packages for i386 were compiled in August by me. Which was
previous to the switch of 0.9.7 to 0.9.8 in libssl-dev (in October).

> Could you please explain why you believe nessusd is linked against both
> versions of the library?=20

As said above and easily reproducible. Just install a libnasl2 which has be=
en
compiled aginast 0.9.7.

> To me, this bug looks like it's just an instance
> of #338006.

Indeed, it looks like this might be the end issue. Is it a good idea to for=
ce
everyone to use a buggy library? Wouldn't it make sense to provide a
libssl097-dev to prevent breakage for those packages that get bitten by this
bug?

Regards

Javier

--kfjH4zxOES6UT95V
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDsntksandgtyBSwkRAhsWAJsEgellR4twsRO6EYQCiyaxW4tK5QCghQtP
qDY7GP17T4KGuO5egn6Xme0=
=TtVa
-----END PGP SIGNATURE-----

--kfjH4zxOES6UT95V--

Message-ID: <email address hidden>
Date: Thu, 29 Dec 2005 11:17:41 +0100
From: Marc Haber <email address hidden>
To: <email address hidden>
Cc: Marc Haber <email address hidden>
Subject: Re: Re: Bug#343487: nessusd: cannot connect to 2.2.5-3 server

On Wed, Dec 28, 2005 at 10:57:42AM +0100, Javier Fern�ez-Sanguino Pe�rote:
> severity 343487 grave
> tags 343487 pending confirmed sid etch
> reassign 343487 nessus
> thanks
>
> I downgraded the nessus client version to 2.2.5-2 (which is *not* compiled
> against both 0.9.7 and 0.9.8 SSL libraries) and it worked fine.
>
> The issue should be fixed by recompiling the client against a set of the
> libraries, and should affect only the 2.2.5-3 version under i386. Notice,
> also that the package has an undeclared dependency on libssl0.9.7 (the binary
> is linked against that one).
>
> I will try to rebuild it in a clean environment and see if I can get rid of
> the libssl0.9.7 dependencies that way. Other nessus-related packages (libnasl
> and nessus-plugins) might need to be recompiled too.

After seeing Javier's message on the nessus mailing list
(http://mail.nessus.org/pipermail/nessus/2005-December/msg00244.html,
which points to #338006, which is a bug in openssl 0.9.8), I tried
rebuilding nessus and nessusd in a clean sid chroot with only openssl
0.9.7 installed, as Javier suggested doing.

Because of Hadmut's message in this bug, I rebuild libnasl as well.

The resulting packages naturally only depend on libssl0.9.7, and seem
to work fine. This might be a workaround.

The re-built packages for sid are available on
http://zg.debian.zugschlus.de/zg/pool/main/libnasl and
http://zg.debian.zugschlus.de/zg/pool/main/nessus-core

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany | lose things." Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature | How to make an American Quilt | Fax: *49 621 72739835

Message-ID: <email address hidden>
Date: Thu, 29 Dec 2005 12:46:44 +0100
From: Javier =?iso-8859-1?Q?Fern=E1ndez-Sanguino_Pe=F1a?= <email address hidden>
To: Marc Haber <email address hidden>, <email address hidden>,
 Steve Langasek <email address hidden>
Subject: Re: Bug#343487: Re: Bug#343487: nessusd: cannot connect to 2.2.5-3 server

--ReaqsoxgOBHFXBhH
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Thu, Dec 29, 2005 at 11:17:41AM +0100, Marc Haber wrote:
> The resulting packages naturally only depend on libssl0.9.7, and seem
> to work fine. This might be a workaround.

Great, yes, this is a workaround. Unfortunately it's a *local* workaround.
Even if I can generate i386 packages compiled for libssl0.9.7 if I send them
to the queue they will get built by the autobuilders with libssl-dev which
means !i386 will depend on libssl0.9.8.

Steve, what do you think is the best way to proceed here? Should we wait for
the bug to be fixed in OpenSSL or try to convince openssl developers to
provide a libssl097-dev so that I could change Nessus build dependencies
to it and make it use 0.9.7 until the OpenSSL bug is fixed? Or should I
upload i386 packages built against 0.9.7 so (at least) i386 users can have a
working Nessus client?

Regards

Javier

--ReaqsoxgOBHFXBhH
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDs8yksandgtyBSwkRAv4FAJ9rag/McEZkT1wD8bKMZTItfKIyRgCeIKkK
RjDWBtKm9khAEQIgHDW89eY=
=X/SQ
-----END PGP SIGNATURE-----

--ReaqsoxgOBHFXBhH--

Message-ID: <email address hidden>
Date: Fri, 30 Dec 2005 21:17:05 -0800
From: Steve Langasek <email address hidden>
To: <email address hidden>, Marc Haber <email address hidden>
Subject: Re: Bug#343487: nessusd: cannot connect to 2.2.5-3 server

--0ntfKIWw70PvrIHh
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Dec 28, 2005 at 12:30:53PM +0100, Javier Fern=E1ndez-Sanguino Pe=F1=
a wrote:
> On Wed, Dec 28, 2005 at 03:12:44AM -0800, Steve Langasek wrote:

> > > Since there is no libssl097-dev any longer I guess I'll have to recom=
pile all
> > > packages.

> > It should actually be possible to fix this with binNMUs on the autobuil=
ders,
> > I think. I'll go ahead and queue those now.

> Please don't. The libssl 0.9.8 does *not* work when using Nessus, I've ju=
st
> recompiled all packages (libnasl, nessus-plugins and nessus-core) to try =
to
> get it working and I still get this:

Already done, though; as I said, it doesn't make things any *worse*, and
this is an RC bug in libssl0.9.8 that needs to be fixed. Having libnasl
stay linked against libssl0.9.7, and then accidentally get broken in a
security reupload, wouldn't be good either, so we might as well have
binaries in the archive that correspond to the current sources.

On Wed, Dec 28, 2005 at 12:47:48PM +0100, Javier Fern=E1ndez-Sanguino Pe=F1=
a wrote:
> On Wed, Dec 28, 2005 at 02:54:17AM -0800, Steve Langasek wrote:

> > > * nessusd 2.2.5-3, the server, is linked against both 0.9.7 and
> > > 0.9.8

> > Ok, I don't see this either:

> > $ ldd /tmp/nessus/usr/sbin/nessusd|grep ssl
> > libssl.so.0.9.8 =3D> not found
> > $

> Funny, it seems that ldd output varies _if_ you have this:

Right... the problem with ldd is that it recurses library dependencies, so
it doesn't really tell you where the problem lies. :)

> So, for archs that have compiled libnasl2 against libssl.so.0.9.8 you will
> not "see" nessusd linking against both. For archs that have compiled libn=
asl
> aginast libssl.so.0.9.7 you will see that. Tthose archs include i386 at
> least, since the packages for i386 were compiled in August by me. Which w=
as
> previous to the switch of 0.9.7 to 0.9.8 in libssl-dev (in October).

It was actually the case on all architectures, fwiw.

> > To me, this bug looks like it's just an instance
> > of #338006.

> Indeed, it looks like this might be the end issue. Is it a good idea to f=
orce
> everyone to use a buggy library? Wouldn't it make sense to provide a
> libssl097-dev to prevent breakage for those packages that get bitten by t=
his
> bug?

As mentioned, the bug in libssl0.9.8 *is* RC; and I don't think we're going
to be reverting all of these packages to remove libssl0.9.8 from etch; so I
believe it's better to focus on fixing openssl instead of trying to work
around it.

In the meantime, I guess I would have to recommend that users who need
nessus use the version from stable.

--=20
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
<email address hidden> ...

Message-ID: <email address hidden>
Date: Sat, 31 Dec 2005 11:22:05 +0100
From: Javier =?iso-8859-1?Q?Fern=E1ndez-Sanguino_Pe=F1a?= <email address hidden>
To: <email address hidden>
Subject: 343487 is not pending

--U+BazGySraz5kW0T
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

tags 343487 - pending
thanks

This bug has to wait until #338006 is fixed.

Javier

--U+BazGySraz5kW0T
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDtlvNsandgtyBSwkRAtwmAJ0faahW6FzlxWWx75gGIPqnK2r9cQCeJSU/
yqyEWhVEZz7b5EPcuvHJasA=
=JAQx
-----END PGP SIGNATURE-----

--U+BazGySraz5kW0T--

Latest in Dapper is free of this bug. Closing.