Greenbone OS: Current
Releases under development are listed here: Roadmap.
Releases beyond status End-of-Life are listed here: Old Releases.
Please read in our Learning Center about how to execute a upgrade and what to consider for this.
2015-01-26: Greenbone OS 3.1
Latest patch level: 3.1.6 (2015-01-26)
The items marked with (*) will change the default behaviour.
New: Dynamic charts "bar-chart", "donut" "lines" and "bubbles" for SecInfo Management of the web interface. For each object types, two chart types can be selected. Each chart can be detached into a window of its own, the underlying data can be exported in CSV format or opened as HTML table, the SVG representation can be opened in the browser or be exported.
New: Dashboard overview for SecInfo Management of the web interface. It consists of 4 charts which can each be individually selected by type and combined with a powerfilter. The configuration is persistent for each user.
New: Dynamic diagrams for tasks analog to SecInfo Management.
New section "Results" under menu "Scan Management". This section offers a object management for all of the scan results in the database a user has permission for. In other words, searching and filtering for results is now possible independent of a scan report.
New: SecInfo object type "CERT-Bund" which are the advisories published by the German federal CERT.
New: Attribute "Solution Type" for NVTs and results.
New: Bulk actions for example to remove or download many objects within a single action.
New: Configuration type "Scanner" allows to configure additional scanners of type OpenVAS (the default and pre-configured one) or OSP-based scanners. OSP stands for OpenVAS Scanner Protocol which can be used to wrap up arbitrary scanners with a generic interface to be handled generically for the vulnerability management.
The task management is extended with scanner-type dependent alternatives.
These features prepare the integration of OSP scanners. Any default settings and behaviour remains like in the previous Greenbone OS release. OSP is entirely optional.
New: Option for anonymous guest access. Apart from the new role "Guest" which is similar to role "Info" allowing access only to the SecInfo section, there is now the opportunity in gos-admin-menu to enable access for guests. This makes it also possible to use static URLs to link into certain views in the SecInfo section.
New: Role "Monitor" that allows access to the performance data of the GSM.
New: Role "Super Admin" that allows access to all objects of all users.
New: Permissions "Super" that for exmple allows to create Group Administrators.
New: The filenames for Downloads can now be configured via "My Settings".
New: Wizard for modifying a task.
GXR/GSR: These report format plugins were re-worked. Especially GSR was changed to have less pages for the same content and to get created faster.
Tasks: The dialog for setting permissions is re-worked.
Timezones: The configuration of timezones was changed so that now there is offered a drop down list of available timezones instead of a entry field for specifying the timezone in text form.
(*) Users are now allowed to have multiple simultaneous sessions, as long as the sessions are on different browsers. Upto GOS 3.0, a second session always invalidated the previous one regardless of which browser is used.
For any web interface page, the duration of the backend operation will be shown at the bottom.
(*) Credentials: The public key of SSH credentials is not required anymore because it is extracted from the private key.
Credentials/Targets: Credentials for ESXi target systems can now be configured directly with the Target object instead of in the Scan Configuration object.
New: Statistics module at OMP level represented by the command "GET_AGGREGATES" which is also the foundation for charts.
(*) When a task is requested to stop, the scanner will now be advised to switch immediately into the final phase of scanning. With GOS 3.0 the scanner immediately stopped activity and did not return so far collected host details. With GOS 3.1 this is now transferred to the the database.
New internal inter-process communication of scanner.
Memory consumption of scanners reduced by 50%.
(*) Dropped support for pausing of tasks (OMP).
(*) Dropped support of outdated "openvasrc" Format (OMP).
Patch-Level GOS 3.1:
Last release of Beta phase. First release of 3.1.
2014-03-21: Greenbone OS 3.0
Latest patch level: 3.0.33 (2015-02-05)
The items marked with (*) will change the default behaviour.
Versioning: From GOS 3.0 the patch level versions will be indicated by the third part of the version number. For example the tenth patch level will be "3.0.10" instead of "3.0.0-10".
Groups: For access permissions users can now be associated with Groups. The web interface allows full management of these groups for users with Administrator role.
Permissions: Under menu "Configuration" there is now a new item "Permissions". Here the user has an overview on all of his access permissions and opportunities to manage them.
(*) For role "User" the permission is removed to see all other user names. From now on the permission to see other users ("get_users") must be explicitly granted.
This means that you only can access the GUI elements to add or edit observers of your task if you own this permission. This can be granted for example directly for a single user via the administration of users.
(*) Alive-Test (Up-Test, Ping-Test): The type of this test that determines whether a system is active and therefore can be scanned is now adjustable as a property of the object "Target". Which means it can be changed without the need to change Tasks or Scan Configurations. Possible methods are the same as before: ICMP, TCP and ARP.
The default setting for the Alive-Test changes from ICMP&TCP&ARP to just ICMP. Hence it can happen that results change for some of your Tasks because some systems are not regarded as alive anymore. But in most cases where larger IP ranges are scanned the scan duration will significantly drop down. However, you do not need to change a Scan Configuration or Task to get back to the previous state, you just need to adjust the Alive-Test method for the respective Target.
(*) Severity replaces Threat: The concept of Threat Classes is extended to the Severity concept where the severity is not just a class but also contains a specific CVSS value. The CVSS value of a Severity is always the highest occurring CVSS value in the corresponding scan results. This allows a higher granularity in the view and for example improves sorting.
This means comprehensive changes for the whole application:
Task Overview: So far only the Threat level was stored for Tasks. Because old tasks covered results with only threat level and no CVSS level (meanwhile all NVTs are assigned with a CVSS), the migration will use old rules of attaching a threat level and therefore insert the maximum of the respective level. This means that the Severity may show a higher CVSS value than then highest value actually present in the results. But this guarantees that the threat level will remain the same. The following values are therefore applied during the migration: High: 10.0, Medium: 5.0, Low: 2.0. Of course for new scans the exact values as occurring in the results are applied.
Task-Details: For the list of reports of a task the very same changes and migration rule is applied as for the Task Overview.
Notes: The distinction of High, Medium, Low is dropped and the migration will place into one class. This prevents that notes may get invisible when NVTs are updated.
Overrides: The distinction of High, Medium, Low is dropped and the migration will place into one class. This prevents that overrides may not be applied when NVTs are updated.
Furthermore, the New Severity is not anymore just a threat level but rather a CVSS value. Old overrides with just threat level are migrated with the same scheme as the Tasks and Reports (see above).
Tags: The new configuration object class "Tag" allows to attach short texts to almost any other object. These texts are available to filtering and are included in export files. This enables to create thematic groups or attach arbitrary attributes to objects.
Reports: Under menu "Scan Management" there is now an overview on any available scan report, regardless of the relations to a task. The powerfilter is available here as well.
This new view replaces the report list in the task details dialog. Suitable filters are set automatically.
Search interface for all objects of the SecInfo Management: Via new menu item "All SecInfo" it is possible to search for keywords and with other methods of the Powerfilter through almost 300.000 objects of various types.
Web interface is extended with multi-lingual support and translated into German language.
New pre-configure Scan Configuration "Host Discovery". This Scan Configuration simply searches for real systems for the given target addresses. No vulnerability tests are executed. The result is just a list of hosts that are regarded active.
New pre-configure Scan Configuration "System Discovery". This Scan Configuration applies any NVTs that discover operating system types and/or hardware device types. No vulnerability tests are executed. The main result is an overview on the found operating system and devices.
New pre-configure Scan Configuration "Discovery". This Scan Configuration applies any NVTs that discover as many details about the target system, installed services and applications, as possible. No vulnerability tests are executed.
Tasks: New class "Alterable Task" allows to change Target and Scan Config even if there are already reports for this task. This allows to have a playground task not designed to grant consistency between its reports.
Integrated online CVSS calculator: Under menu "Extras/CVSS Calculator" a form is available that supports calculating a CVSS value.
(*) Reports: The browser for the report view was entirely reworked and split up into multiple sections, each with a page of its own. Countless changes and extensions were applied.
Attention: The changes are significant regarding the default view and regarding the powerfilter. Older stored powerfilters for reports may not work anymore and need to be re-created.
(*) Reports: Users can now individually configure the severity class ranges (High, Medium, Low) for the results view.
Attention: The predefined class range is now the one of NIST. Therefore the colors in the view can change for old results and filters may return different results. If you want to switch back to the old behaviour, just enter "My Settings" and select "OpenVAS Classic" for severity classes.
Powerfilter: The powerfilter now offers a expand/collapse functionality in order to offer a regular dialog as equivalent to the content of the filter string. Dialog and filter string are automatically mutually synchronized.
Target: It is now possible to reduce the selected range of target systems via some rules. This includes an exclude list, reduction of double entries via Reverse Lookup and making Reverse Lookup obligatory.
Host access rules: More opportunities to deny or allow scan of host for each users, for example hostnames can now also be applied.
Interface access rules: This new feature allows on the one hand to specify a special interface (like "eth1") for each task. On the other hand it is possible to express rules to allow or deny access to interfaces for each user.
Problems with DNS resolving during scan: Each failed resolving of a target system name is not listed in section "Errors" of the report browser.
Reports: The port information is now extended with the current IANA service name that is registered for this port.
New pre-defined Report Format Plugin "CSV Results": Comma-separated text table of single results.
New pre-defined Report Format Plugin "CSV Hosts": Comma-separated text table of result overview for each target system.
(*) The Scanner preference "silent_dependencies" was removed. It was reducing the number of reported results to only those NVTs that were explicitly selected. This is not necessary anymore because the filtering can now take care of reducing reports. Furthermore, incomplete reports without log information do not offer adequate transparency.
In case you applied Scan Configurations that were using this preference, you will get more (all) results now in new reports.
Note that when using one of the pre-defined Scan Configurations you will see no changes because these were explicitly selecting all the NVTs.
(*) The Scanner preference "host_expansion" was removed. Its purpose was to automatically expand the target hosts. This functionality should not be done by a Scanner, especially because it can lead to unforeseeable expansions.
Using one of the pre-defined Scan Configurations or derived ones, no changes of the behaviour will happen.
(*) The Scanner will not create explicit results for detected ports anymore. These results had no reference to NVTs and were redundant anyway. An overview on the detected ports is already provided by other NVTs as log information. Additionally the new user interface even offers a explicit tabular overview in identified ports as part of the new report browser.
Tasks: It is now possible to configure the order in which the target hosts are scanned: Sequential (like before), reverse and random.
Task Details: The list of reports is now handled via the new object management. This also adds the powerfilter to this page.
Notes/Overrides: The actual note text is now used as identifier in the list instead of the NVT name.
Web-GUI: Consistent access to object details always via identifier in first column. The redundant button for Details is therefore removed from the set of Actions.
User management is made available via OMP.
Feed management is made available via OMP.
Port 80 is automatically redirected to 443. This means that if you enter "http://gsm.example.com" this is automatically changed to "https://gsm.example.com" instead of a failure message of the browser.
OVAL Definitions: The overview as well as the details dialog for OVAL Definitions has been reworked.
Patch-Level GOS 3.0:
Bugfix for Scan Configuration regarding the counter of active NVTs per family. Under certain conditions the number was too high by 1 (#44476).
Bugfix for autorefresh: Under rare conditions the session ticket became invalid, maling it necessary to log in again (#44673).
Consistency fix for alerts: Here the default filter included the element "autofp" while it was not included in the results browser. Now "autofp" was removed from the defaults for alerts (#45083, #2014120310000016).
Improved error message for alerts that failed to execute due to missing report plugins (#43915).
Bugfix for expanded powerfilter: Thecheckbox for overrides was not always visible (#44858).
Bugfix regarding the delete-user function in gos-admin-menu (#45902).
Extended selfcheck of gos-admin-menu to cover the availability of the internal OMP service (#41194).
Extension of gos-admin-menu with configuration option for MTU of the interfaces (#44953, #2014121910000059).
Bugfix for inactive overrides: Such will not anymore be shown by the Report Plugins (#45076, #2014122210000034).
Bugfixes that lower the CPU load under certain conditions (#45564, #45562, #44544).
Bugfix for the overrides checkbox for the powerfilter, so that no wrong jump to default powerfilter settings happens anymore (#44905).
Bugfix for the Reports view so that now also those reports are shown for which a user has proxy permissions (#44052).
Activated Release Change to GOS 3.1 for GSM ONE. (#46468).
Lowered the number of reverse-lookups of the GOS base system for NTP in order to lower the log noise in the network monitoring (#45933).
Bugfix for permission checks for objects in the trashcan (#44902).
Bugfix for individual timeout configuration of NVTs when executed on a slave system (#46297, #2014121110000019).
Bugfix that updates an internal TLS certificate. With an expired certificate it is not possible to log in to the web interface. This problem currently occurs only for GSM 600 (#46218).
Bugfix for the recovery of a userdata backup for model GSM 500 (#44474).
Bugfix for sensor upgrades, especially for Airgap. In case of problems please contact our Support with reference to ticket number 44535 (#44535, #44477, #44444, #2014082010000019).
Activated slave assignments: Slaves created by a administrator and made accessible to users will now appear in the users' selection lists for Slaves and can be used for scanning accordingly. The assignment of slaves currently still only works via direct permissions configuration (#44187, #2014112110000029).
Improvement of the behavior of the web interface in case autorefresh and Post requests are combined (#44362).
Bugfix about the NVT selection when using older, imported scan configurations where not always all NVTs were actually executed when scanning (#44446, #2014120310000016).
For userdata backups it is now possible to configure a backup server (SSH-based) and via gos-admin-menu the userdata backups can be transferred from/to the configured backup server (#43687, #2014110510000032).
Performance improvement for operations that retrieve lists of scan reports (#44348).
Bugfix for the automatic refresh in the web interface: After submitting a form, the refresh will not try to re-submit the form. This cause the interface to jump to another page (#43714).
Bugfix for missing graphs in the GXR report when sent via an email alert. The GXR/GSR reports where reworked regarding some other details, among these an improved timezone indication (#40211, #2014082110000026, #44275, #40028, #2014072410000022, #43853, #2014101410000035).
Improvement for starting scheduled scans so that these are started, possibly slightly delayed, even under high system load (#44024, #2014073110000063).
Bugfix for occasionally missing logo in the web interface (#43713).
Internal improvement to prevent wrong usage of feed synchronisation in the expert mode of GSM administration (#35126).
Bugfix that reduces the memory consumption of the scanner (#43581).
Urgent security-relevant bugfix about a attack vector for SQL injections. The attacker needs a user account for the GSM. (#44316, #44315, GBSA-2014-02).
Simplification of the internal processing for the management of Greenbone OS. Essentially the "Scheduling" phase is dropped for various routines and thus accelerates them considerably. The improved functions are: Sensor Trigger, GOS Upgrade, Feed Sync, GOS Sync, Flash-Image Sync, Airgap, any Backup and Restore (#43776, #42781, #42782, #43298, #43297, #43584, #43618, #43617).
Performance improvement for a Master-GSM that controls many sensors where the tasks intensively use automatic alerts (#41734, #43328, #43329, #2014073110000063).
The content of the "affected" information of a NVT is now also shown in the results details view and various Report Formats (#40460).
Internal improvement for the analysis of NVT bugs by adding more details into the respective log messages (#40418)
Improved online help about "Edit Tasks" regarding Alterable Tasks (#41189, #2014091810000031).
Bugfix for Selfcheck in GOS-Admin-menu where occasionally a freeze of the selfcheck occurred (#43813).
Bugfix regarding schedules that wrongly executed multiple times per day. This problem occurred when timezone changes (#43619, #2014110510000023).
Bugfix for Backup/Restore across GOS generations (#43622, #43681, #43715, #43681, #2014082010000019).
Extension of the Powerfilter, so that for some objects the presence of sub-objects can be considered. For example it is now possible to apply "schedule=" for task overview to filter for any tasks that do have a schedule associated (#39947, #2014081310000023).
Bugfix for timestamps about when a scan of a host finished when done via a scan sensor. Now the timestamp is immediately available when the scan of that host finished and not only when the entire scan finished (#32725, #2013102110000041).
Improved response times of web interface when used intensively in parallel (#42029).
The pre-configuration of the scan parameter "unscanned_closed_udp" was changed from "no" to "yes" for harmonization with the analog setting for tcp. This prevents some unnecessary timeouts during a scan (#31638).
Improved internal consistency checks regarding incomplete update downloads (#35948).
Slight performance improvement for Asset Management (#42062, #2014100810000011).
Extended user management of GOS-Admin-Menu: Now it is possible to set a new password for a web-admin also at this place (#31074, #2013080610000021).
Bugfix so that now the Powerfilter for NVTs includes the script tags (#43455).
A analysis of the database about some specific properties can now be executed via GOS-Admin-Menu (menu "Advanced") (#43686, #41096).
Bugfix for the problem that under some specific, non-reproducible conditions some NVTs where not executed for a given target (#43300).
In the web interface the task filter selection is now persistent. Choosing a filter there and returning later to task overview will activate that filter again automatically (#39676).
In the web interface the refresh setting is now persistent when changing the views (#39673, #2014073110000018)
Online help about roles was extended (#42033).
Improvement of the Airgap function for GSM 5300/6400 so that the USB Stick device sequence is not relevant anymore (#42021).
Internal consistency check for GOS prior version 2.0 now finally removed (#41152).
Minor internal improvement to drop false error messages in the boot log (only GSM 600) (#37059).
Changed appearance of CLI Admin shell prompt which now includes the hostname of the GSM (#24692).
Bugfixes for Airgap feature. In this context a new logic was implemented for this process that prevents various side effects (for example changing device enumeration (#26710, #42149, #42010).
Bugfix for GSM 600 and GSM 650 that removes a processor slow-down. The performance of these appliances should increase visibly (#42148).
Reduced size of GXR and GSR PDF reports (#31553).
Feed-Push and Upgrade functionality for sensors added to gos-admin-menu. This allows to manually start updating sensors for example in case the sensor was not reachable during automatic update (#21553, #33986, #2013122010000021 ).
Added switch in gos-admin-menu to change the graphical web interface. Available are the classic view and the extremely reduced German interface "IT-Schwachstellenampel" (ITS) (#37879).
Administrative interface: There is a new explicit setting "all" that makes all interfaces administrative interfaces. This is now treated identical to empty or missing setting (#41004).
Bugfix for sensor check in selfcheck: This check now behaves in the same way like the check in the Sensor-Management does (#40324).
Bugfix for selfcheck in sensor mode: Non-reachability of feed server is not complained about anymore (#37577, #2014051310000011).
Extended selfcheck with a warning about TLS certificates that will expire in near future (#39502, #2014072410000102).
Changed pre-configured MTA to mail.example.com to avoid confusion (#40741).
Bugfix that prevents the internal GOS cron processes trying to send local emails about log data to "postmaster" (#42013).
Security update for third party tools used by Greenbone OS. This includes fixes for the vulnerabilities described in CVE-2014-6271 (Shellshock), CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187 in GNU Bash (#41575).
Bugfix for the migration of imported report formats with non-unique IDs (#40970).
Bugfix for the migration of schedules with missing time zones (#40737).
A bug which caused an internal error when attempting to empty the trashcan under certain circumstances has been fixed (#40358).
A bug which caused the "alterable" state to be displayed incorrectly in the web interface has been fixed (#40084, #2014081510000011).
The name of the task is now included in the PDF, LaTeX, HTML and TXT report formats (#25269).
A bug which caused start and end times to be displayed in an incorrect time zone when using slaves in different time zones under certain circumstances has been fixed (#39691, #2014072410000022).
A bug which caused the scan status to be displayed incorrectly as "-1 %" when scanning through a slave under certain circumstances has been fixed (#39679, #2014073110000063).
CPU usage on the master during slave scan has been reduced considerably, resulting in improved performance (#40120, #2014073110000063).
A bug which cause excessive logging under certain circumstances has been fixed (#40121).
The "clone" functionality is now more easily accessible for a number of objects (#39674, #2014073110000027).
Bugfix that prevents a migration failure during a release switch. Changes introduced with the GOS 3.0.23 caused a release switch from GOS 2.2 to GOS 3.0.23 to fail during user migration (#40159).
Bugfix regarding visibility of GXR PDF plugins in case several copies are used in parallel (#39058).
Bugfix for defect masterkeys on sensors so that such are now identified (#38958).
Bugfix for the redirection from port 80 to 443 for the case that another than the default network interface is used (#39762).
Bugfix about using the administrative interfaces regarding the web interface in case another than the default network interface is used (#34964).
Bugfix to remove some false internal log messages about SCAP and CERT databases (#39185).
Bugfix for the behaviour of the CLI command "addadmin". The user management via gos-admin-menu was not affected (#39227, #39245, #2014071510000067).
Some non-functional (empty) commands were removed from CLI Admin (#39472).
Removal of some since GOS 3.0 unneeded internal data files. Only in very few cases this will visibly lower disk storage consumption (#34966).
Bugfix that improves the redirection from port 80 to port 443 for some client applications. Standard browsers were not affected (#38612).
Minor bugfix to enable the internal log rotate for a log file (#37483).
Feedback button added to results: The details view of a result now offers a button to submit feedback about a scan result to the Greenbone support team (#38249).
Bugfix to remove internal temporary backup file while doing a user data backup (#39335).
The functionality "pause" for tasks was removed from the web interface. Paused tasks could block a significant amount of memory and stopped tasks can also be resumed (#39914).
Bugfix for the import of brute-force login lists within the scan configuration (#39471).
Bugfix to allow the multiple import of the very same report format plugins (#38016).
Changed the choice of refresh times: Instead of 10s/30s/60s it is now 30s/60s/2m/5m (#36561, #2014040710000024).
Bugfix about adding LDAP user accounts to user groups (#38459).
Bugfix about usage of filters for which read access was granted (#38787).
Minor bugfix about internal process handling when creating a tag (#39936).
The functionality "unfold filter" is now also available in the report view "summary" (#38783).
Internal extension of so that individual configuration of services is possible in case of very special needs (#37575, #39692, #2014051310000038).
IP addresses and hostnames in the report view do now link into the asset management (#39226, #2014071510000049).
Extension of the tooltips about hosts in the asset management to name the CPE (#39225, #2014071510000031).
Creating new LDAP users does not require to specify a (unused) password anymore (#31438, #2013082810000033).
Extension of gos-admin-menu with a hint that reboot is necessary after changes about the SSL certificate (#39503, #2014072410000111).
Increased number of possible IPs in host access field for user restrictions to 16,777,216 (#39405, #2014072110000046).
Improved LVM based backup functionality for GSM 6x0 (#37820).
The name of the task is now visible in the menu of the report view (#38782, #2014063010000021).
In CVSS vectors "AU" is now accepted for "Au" (#37710).
Bugfix that prevents a system freeze at boot time. Under certain conditions it can happen that a GOS 3.0.20 and GOS 3.0.21 will stop during boot process. The Greenbone Support team knows what to do in this case. In case you upgraded to 3.0.20 or 3.0.21 but have not rebooted the system, please first upgrade to 3.0.22 before doing so. (#39159).
Extended Alert type "verinice" with choice of the applied Report Report Format (#38995, #2014070710000037, #38996, #2014070710000046).
Bugfix regarding the extended SSL/TLS capabilities that were introduced with GOS 3.0.20. It ensures proper detection of SSL ports which did not happen in 3.0.20 (#38997).
Deactivated internal boot log because under certain conditions this caused problems regarding the console (#39007).
Bugfix regarding permissions of pre-configured roles: These can now not even more be changed with administrative rights (#38607).
Updated and extended SSL/TLS capabilities for both, the GOS services and the actual scanner. This also adds support for PFS (Perfect Forward Secrecy) (#38046, #33832).
Added support to configure TLS cipher priorities for OMP and HTTPS via gos-admin-menu (#36507, #38615).
Added support for SINA One Way Gateway to allow Feed updates across this gateway from an external GSM to an internal GSM. gos-admin-menu is extended with configuration for both sides, the update master and the update slave (#37854, #38047).
In order to allow updates of inhomogeneous GSM setups (for example 5300/600/100) in an internal network from a single external GSM, the GSM Midrange/Enterprise models are now enabled to hand over updates for a variety of GSM types (#38069).
In order to allow chained Master-Sensor setup (for example 5300>600>100) support was added configure a GSM to be Master and Sensor at the same time (#38048).
Bugfix that resolves database locking issues for Airgap updates that could occur under certain conditions (#38460).
Bugfix that adds transfer of CERT data for Airgap updates (#38049).
Minor bugfix about global-indicator icons for notes (#38722, 2014062610000011).
Bugfix that fixes the problem with multiple entries in the Host Access entry of a user configuration. Now all elements are accepted (#36137, #2014031910000031).
Allow scheduled tasks to be also startable manually (#28892, #2013040610000028).
Bugfix about triggering GSM 25V upgrades via Master GSMs (#38192).
Bugfix for the problem that entering the user/password management in gos-admin-menu sets sensor tasks to "stopped" (#38288).
Bugfix for an UTF-8 issue in ITG scan results (#37163, #2014042410000064).
Report Format Plugin "verinice ISM" is now a predefined one (#30425, #38708, #2013062610000013).
Added support for multiple email addresses for a email alert, rather than just a single one (#37652, #2014051410000036).
Minor bug fixes for rendering issues in some Chrome browsers (#35495).
Minor bugfix for some synchronisation log message cases (#38197).
Bugfix for restoring deleted Groups. Now the users are not lost (#38614).
Minor internal cleanup (removal of a left-over file) (#36423).
Bugfix to guarantee quick access to user and password management of gos-admin-menu. In some cases to took a considerable time open this menu (#38287).
Bugfix about cloning tasks with observers where permissions were dropped wrongly for the clone (#38213).
Bugfix to accelerate boot time which in some special cases took about 2 minutes and is now back to a few seconds (#38286).
Added check for expired certificate to selfcheck in gos-admin-menu (#35918).
Minor improvement about timezones in schedules (displaying and online help) (#38611, #38613).
Extension of gos-admin-menu to allow configuration of TLS Ciphers for OMP (#37763, #2014051910000018).
Updated guest tools for GSM 25V (#37566).
Bugfix for GSM25V regarding a defect boot menu (#38012).
Bugfix for the SCAP database to not ignore some specific CVEs in queries (#37236).
Fixed typo in gos-admin-menu in a path note ("2.1" vs. "3.0") (#37561).
Bugfix to disallow deleting of a Report Format Plugins via OMP or web interface in case it is still being used for an alert (#37485, #35960).
Bugfix for non-self-signed SSL certificates to allow also longer certificate chains (#37863, #2013120910000043).
Extension of sensor checks of master GSMs to validate SSL certificates of the sensors (#37414).
Bugfix to close a memory and CPU leakage that occurred when using Chrome (#37988).
Bugfix that solves the issue that some deleted Report Format Plugins are still shown as long as they are kept in the trashcan (#36509).
Bugfix to add newly imported and activated Report Format Plugins to respective drop-down lists (#37457).
Bugfix for login procedure of LDAP accounts regarding LDAP server TLS certificates so that now all LDAP accounts can login again (#37458).
Bugfix to take care for deleted user account also the configured group and role relationships are removed (#37439).
Bugfix to make the boot log visible via gos-admin-menu (#37600).
Bugfix to make permissions invisible on a GSM ONE that refer to functionalities that are not available for this GSM anyway (#34539).
Improved internal log mechanism so that also very long log messages are not truncated (#37476).
Improved error message when deleting a user account (#37451).
Bugfix for deleting of user accounts via gos-admin-menu (#37878).
Bugfix for Migration (ANALYZE) from GOS 2.2.0 to 3.0 (#37357).
Improvement that removed unneeded temporary files (kbs) (#37263).
Bugfix regarding encoding which prevented configuration of some NVTs (#37146, #2014042410000073).
Bugfix for Feed synchronization routines for master-sensor updates (#37240).
Bugfix for sensor check in gos-admin-menu (#37243).
Bugfix to prevent that individual timezone settings get lost (#37265).
Bugfix that takes care all permissions of roles User and Observer are preserved during a migration from GOS 2.2.0 to 3.0 (#37438).
Bugfix to avoid truncated long CPE names in report format GSR (#36508, #2014040410000011).
Bugfix for initial database creation (#37045).
Bugfix for consistent LCD content (#36544).
Improvement of LCD content (GOS version and IP address) (#36281).
Improvement for GSM ONE: If the initial web account is still missing, then a corresponding hint is given on the console (#36444).
Improvement for upgrades to be more tolerant upon problems that might occur during a data migration (#36546).
Bugfix to make the LDAP configuration dialog available (#35363).
Bugfix for the TLS settings of the OMP service (#36789).
Extension that will automatically create a self-signed certificate at first start of GOS (#36574).
Bugfix to allow the AD account names for authenticated proxies in gos-admin-menu (#36586).
Bugfix for the redirect from http to https of the web interface (#36762).
Bugfix for migration from GOS 2.2.0 (#36764, #36545).
The NVTs "Host Summary" and "CPE Inventory" have been disabled for all pre-installed scan configurations. These data are available in the other results sections anyway (#36104, #35927).
For GSM ONE the web address is now displayed directly on the console (#36316).
Switched internal logging of web service to SysLog (#36340).
Formatting improvements of various login messages of the internal administration level (#36201, #36317).
Bugfix for Report Format Plugin GSR which failed in some cases (#36282).
Bugfix that moves the DHCP log information in gos-admin-menu to the suitable section (#31287).
New: Quick-Task Wizard, available on the wizard page of tasks. For GSM ONE this dialog is reduced (no alerts) (#33889, #36424, #28196, #2013022810000017, #2013112510000014).
Restricted offer of TLS versions and ciphers of the web interfaces. Older browsers can not access the web interface any more (#35333).
The pre-selected Report Format Plugin for prognosis is now the simple PDF report (#26361).
Bugfix that removes unneeded temporary files of services that were removed since GOS 3.0 (#36357).
Extended scanner capabilities for TLS services (v1.1 und v1.2) (#36109).
Bugfix for the setting of results filter for alerts (#36094).
TLS ciphers settings of OMP adjusted to the same as for HTTPS (#34747).
Bugfix regarding the LCD display control (#36372).
Bugfix to have now an absolute path for the location header of the web interface. This improves the use with proxies (#9709).
Updated Report Format Plugins GXR and GSR to version 2.0.1 (#35767).
Reduced internal log information of Greenbone OS (#35710).
Improved support for hypervisor for GSM ONE (#20497).
Bugfix for the entry of Alive-Test method in the web interface (#36165).
2013-06-07: Greenbone OS 2.2.0
Latest patch level: 2.2.0-36 (2015-02-11)
The items marked with (*) will change the default behaviour.
Tasks: Now with new object management
Tasks are now handled via the new object management and therefore gain access to the power filter and to the functionalities Clone and Export.
Overrides: Now with new object management
Overrides are now handled via the new object management and therefore gain access to the power filter and to the trashcan. Functionalities Clone and Export are also added.
Furthermore Overrides can now be directly created even without necessity to go via a Task.
All user interfaces where lists of Overrides were shown, like for NVT Details, were changed so that the lists are replaced by a link into the Overrides management with a appropriate context filter.
SecInfo Management: CVE data with new object management
The CVE Lookup is replaced by the new object management. This makes interactive search, the Powerfilter and many other functions available for CVE data. The Greenbone SecInfo CVE database contains the official CVE database of MITRE with over 50,000 CVEs.
SecInfo Management: OVAL database
New element of the SecInfo Management are the OVAL data. OVAL stands for Open Vulnerability Assessment Language and is a formal description for vulnerability evaluation. These information help with the analysis and are cross-referenced via CVE. The Greenbone SecInfo OVAL database contains the official OVAL Repository of MITRE with over 14,000 OVAL Definitions.
SecInfo Management: DFN-CERT Database
A new class in the SecInfo Management are the security alerts issued by the German DFN-CERT, the CERT of the German research network. These security alerts are published in German language and are referenced into scan result via CVE identifiers.
Port Lists: Now with new object management
Port Lists are now handled via the new object management and therefore gain access to the power filter and to the functionality Clone.
Credentials: Now with new object management
Credentials are now handled via the new object management and therefore gain access to the power filter and to the functionalities Clone and Export. Passwords will of course not be present in exported data.
Schedules: Now with new object management
Schedules are now handled via the new object management and therefore gain access to the power filter and to the functionalities Clone and Export.
Scan Configs: Now with new object management
Scan Configs are now handled via the new object management and therefore gain access to the power filter and to the functionality Clone.
Alerts: Now with new object management
Alerts are now handled via the new object management and therefore gain access to the power filter and to the functionalities Clone and Export.
Report Formats: Now with new object management
Report Formats are now handled via the new object management and therefore gain access to the power filter and to the functionalities Clone and Export.
Slaves: Now with new object management
Slaves are now handled via the new object management and therefore gain access to the power filter and to the functionalities Clone and Export.
Powerfilter: Syntax extension to select backward from current date for a fixed time span in timestamp columns. For example, "modified>-7d" will select all objects modified in the past 7 days.
Powerfilter: Syntax extension to select exact matches in multiple fields. For example, "=192.168.12.1" will select all objects where any of the fields contains exactly this IP.
SCAP Feed-Update: This function is now also available via the Web-Interface in the Administration area. However, the updates are still done automatically in the background. A manual start is rarely needed in special situations.
Personal default powerfilters: In "My Settings" it is now possible to set a preferred Powerfilter for each object class. If you open the overview of the object class, for example the Task overview, automatically your personal default Powerfilter will be used to apply your preferred sorting and filtering.
Agents: Now with new object management
Patch level GOS 2.2.0:
2.2.0-36 (2015-02-11): Bugfix about the NVT selection when using older, imported scan configurations where not always all NVTs were actually executed when scanning (#44536, #2014120310000016).
Bugfix for individual timeout configuration of NVTs when executed on a slave system (#46298, #2014121110000019).
Solution type information is now displayed in the NVT details dialog if provided by NVTs (#44470).
Support for resuming slave scans has been improved (#37860).
Improved error message for alerts that failed to execute due to missing report plugins (#38801, #2014070210000037).
2.2.0-35 (2014-12-05): Bugfix for a rare error where the description of a NVT was truncated (#38502).
Bugfix so that now the Powerfilter for NVTs includes the script tags (#43911).
Internal improvement to prevent wrong usage of feed synchronisation in the expert mode of GSM administration (#35125).
Bugfix for the problem that under some specific, non-reproducable conditions some NVTs where not executed for a given target (#43910).
2.2.0-34 (2014-11-29): Urgent security-relevant bugfix about a attack vector for SQL injections. The attacker needs a user account for the GSM. (#44317, GBSA-2014-02).
2.2.0-33 (2014-10-24): SSLv3 was removed from the list of available encryption protocols for the web interface as well as for OMP. Outdated client tools might not be able anymore to establish a connection (#42518, #42519).
Bugfix to remove internal temporary backup file while doing a user data backup (#39334).
Bugfix about missing Alert entries for Task creation in case a individual powerfilter was configured (#39333).
In CVSS vectors "AU" is now accepted for "Au" (#40066).
Minor bugfix to enable the internal log rotate for a log file (#37484).
Changed pre-configured MTA to mail.example.com to avoid confusion (#42528).
Bugfix that prevents the internal GOS cron processes trying to send local emails about log data to "postmaster" (#42529).
2.2.0-32 (2014-09-26): Security update for third party tools used by Greenbone OS. This includes fixes for the vulnerabilities described in CVE-2014-6271 (Shellshock), CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187 in GNU Bash (#41574).
2.2.0-31 (2014-07-19): Bugfix that fixes the problem with multiple entries in the Host Access entry of a user configuration. Now all elements are accepted (#38736, #2014031910000031).
Bugfix that solves a UTF-8 problem for Overrides and Trashcan. Under certain conditions it happened that the object lists where not accessible (#38709, #2014061010000032).
Allow scheduled tasks to be also startable manually (#38516, #2013040610000028).
Bugfix regarding timestamps of scan start: For stopped and later resumed scan tasks, the start time now remains to be the time of the intial start (#32949, #2013110410000027).
Availablity for upgrade to GOS 3.0 for GSM 6400/5300/5x0/25/25V. Please pay attention to the newsletter about this major upgrade or contact the Greenbone Support (#38990).
2.2.0-30 (2014-05-24): Bugfix for the SCAP database to not ignore some specific CVEs in queries (#37235).
Bugfix for GSM25V to allow Beta-upgrade to GOS 3.0 (#37599).
Bugfix for internal offline-update of SCAP database (#37880).
Bugfix regarding VM guest tools forr GSM 25V (#37565).
Release GSM 100 for GOS 3.0 (#37563).
Fixed typo in gos-admin-menu in a path note ("2.1" vs. "2.2") (#37562).
Bugfix for non-self-signed SSL certificates to allow also longer certificate chains (37862#).
Added warning note about remaining free disk space when starting upgrade to GOS 3.0 (#37654).
2.2.0-29 (2014-05-10): Extension of sensor checks of master GSMs to validate SSL certificates of the sensors (#37339).
Removal of uneeded elements of the boot process, thus also lowering volume of log messages (#37242).
Bugfixes and improvements for the automatic sensor upgrade via sensor master for the upgrade from GOS 2.2.0 to 3.0 (#37239).
Removal of unneeded files (hypervisor guest tools) for GSM ONE (#35931).
Release for migration to GOS 3.0 for GSM ONE. (#37195).
Bugfix that ensures to keep the setting "Apply Overrides" also after editing a task (#36136, #2014032010000028 ).
2.2.0-28 (2014-04-12): Extended capabilities of the scanner for testing special TLS services (#36302, #36167).
Bugfix that now allows to enter AD accounts for authenticated proxies in gos-admin-menu (#36425, #2014040110000026).
Bugfix that fixes the visibility of tasks of deleted users (#33831, #2013121310000026).
Bugfix that makes the scanner fix defect cache on its own (#35258).
Improvement that helps to take care if mainenance reboots are necessary (#36373).
Bugfix to solve the problem that under some certain conditions the cloning of a task create an empty container (#34636).
Bugfix to remove some possibly left-over cache files (#36594).
Bugfix tp reduce the internal use of NTP (#35777).
Slight speed-up of boot time for large databases (#36478).
2.2.0-27 (2014-03-18): Bugfix for upgrade routine to GOS 3.0 (#35915).
2.2.0-26 (2014-03-15): Due to much stricter SSL certificate checks in GOS 3.0 even for certificates only used internally, the validity is now checked prior to a release switch and you may get asked to update a certificate (#35353).
Added for support and debug purposes: Internal logging of root commands (#31144, #35378).
Released GOS 3.0 BETA-Tests for GSM 100 (#35915).
2.2.0-25 (2014-02-14): Bugfix to re-enable the opportunity to create a new target. With the changes introduced in patch level 24 regarding UDP ports a regression occurred that is now solved. (#35257).
2.2.0-24 (2014-02-12): Improved pre-installed Report Format Plugins to consider subsections of NVTs as recently introduced via Greenbone Security Feed (explicit sections for impact, insight, etc.) (#34232).
Bugfix for scans where UDP ports are scanned while the respective TCP ports were not in the covered by the same Port List. This could have led to false negatives for some NVTs. The pre-configured port lists were not affected (#32366).
In simple PDF Report Format Plugin, column "Most Severe Result(s)" was removed from the table as it was redundant and sometimes caused exceeding of the page width (#34788, #2014012710000019).
Task details view now automatically considers the overrides switch (#35054, #2014020610000048).
Tiny typo in GOS-Admin-Menu (mailhub) (#33890).
Removed wrongly issued warning message when setting a sensor in GOS-Admin-CLI (#31062, #2013080210000046).
Added internal lint package for NVTs to accelerate internal NVT QA process (#34111).
Task status "Delete Requested" for email alerts is removed from web interface as it is of no practical value there (#34233).
The password in the proxy credentials dialog of GOS-Admin-Menu is not printed on the screen anymore when entered in the dialog (#32707).
Removed RC4 ciphers from offered ciphers of the HTTPS service of GSM (#34746).
Internal improvements to prepare migration to GOS 3.0 (#34720, #34658, #35055).
2.2.0-23 (2013-12-21): Bugfix to consider proxy settings during selfcheck in gos-admin-menu (#25028).
2.2.0-22 (2013-12-19): Bugfix to deactivate menu item "Copy Userdata to USB" in gos-admin-menu while a backup is already in progress. (#30978, #2013080210000019).
Added internal support of GSM sub-types (#32942).
Bugfix to consider also CERT Feed via feed sync settings of gos-admin-menu (#32943).
Improvement of performance of sensor synchronisation (#32944).
Dropped static DHCP client-identifier which avoids trouble of multiple GSM handled by the same DHCP servers (#22577).
Bugfix to avoid empty CVSS base values for some NVTs (#33365).
Dropped internal fe80::dead:beef address to avoid log noise (#30977).
Bugfix to transfer also ESXi credentials to slaves (#33455, #2013120210000056).
Improved verinice connector regarding document uploads to verinice.PRO (#31798).
Bugfix for graph "CVSS Distribution for Vulnerabilities" in GXR/GSR report formats that showed a wrong value for "High" in certain cases (#33371, #2013112710000038).
2.2.0-21 (2013-11-09): Bugfix: A security problem is fixed in the OAP protocol that allowed to bypass the authentication procedure. However, due to the Greenbone OS security architecture, the privileges required to exploit this issue on any GSM would require higher privileges than gained through the exploit. Though no practical security problem arises, it is fixed for convenience (#32989).
2.2.0-20 (2013-11-09): Security bugfix: A security problem is fixed in the OMP protocol that allowed to bypass the OMP authentication procedure. The attack vector is remotely available in case public OMP is enabled. In case of successful attack, the attacker gains partial rights to execute OMP commands. The bypass authentication is, however, incomplete and several OMP commands will fail to execute properly (#32985, GBSA-2013-01).
2.2.0-19 (2013-10-29): Add timezone entry in dialog "New Schedule" (#30981, 2013040810000061).
Improve error handling for situations where single internal services are taken down. This reduces system load if such cases happen (#31966).
Internal improvements to prepare direct upgrade opportunity from GOS 2.0 to GOS 2.2 (#32221).
Improved consistency of the overrides setting (#32222, #31567, 2013100210000087, 2013090510000021).
Strip last part of subnet IP in built-in NBE Report Format Plugin for compatibility/convenience (#32519).
Bugfix to allow GSM 5x0 to store the public master key of another master GSM (#32816, 2013102410000036).
Enable sensor mode option for GSM 100 and GSM 5x0 for GSM 5300/6400 as Sensor Master (#32860).
2.2.0-18 (2013-10-12): Bugfix to re-enable OMP interface if it was enabled before. The public OMP interface accidentally was shut-down with patch level 17 on some GSM systems. This especially affects scan sensors. However, managed sensors are automatically re-enabled once the master unit is updated to patch level 18. (#32355).
2.2.0-17 (2013-09-28): Extended built-in NBE report format plugin to add cross-references in result texts (#31285, 2013080910000042).
Bugfix to get authenticated tests using autogenerated PKCS#8 SSH credentials to work (#31486, #2013082910000013).
Added feature to allow creating notes and overrides directly from the NVT details dialog (#32021, #2013092410000039).
Bugfix to reduce number of unneeded log messages (#32070).
Bugfix for cases where it happened that a new-style NVT reported an empty text when detecting the vulnerability. Old results with empty result text will be extended with a standard text. The scan result as such was always correct (#32034, #32071, #2013092510000019).
2.2.0-16 (2013-09-20): Bugfix for upgrade of sensors with outdated Feed. (#31911).
2.2.0-15 (2013-09-18): Bugfix to ensure to have special configurations of OMP service stay active over migration from 2.1 to 2.2 (#31725).
Bugfix to have the Sensor synchronization consider the release version (#31722).
Added the "autoslavesync" option to gos-admin-menu under menu "Sensors" for GSMs that are capable of being Sensor Masters (#31723).
Added "feedsync" and "feedfrommaster" option to gos-admin-menu under menu "Feed Management" (#31797).
2.2.0-14 (2013-08-31): Bugfix to avoid warning messages "cleanup_manage_process" in the log file (#31288).
Bugfix for a internal error when trying to change the password (#31007).
Bugfix for re-login problems after changing the password (#31006).
Added "Restore Userdata Backup" option to gos-admin-menu for GSM 100 (#31359).
Bugfix to avoid a wrong error log file message on "database backup failed". The backup was created correctly (#31286).
Improved userdata restore procedure with an immediate database rebuild (#31361).
Extended selfcheck with warning in case a patch-level update has not yet been applied (#31414).
Minor corrections of internal system documentation (#31437).
Bugfix for the tooltip on NVT names in the NVT overview list of SecInfo Management (#31479).
Reduced internal log level from 128 to 127 to avoid some debug logging in the regular logging (#31481).
2.2.0-13 (2013-08-22): Affects only GSM 500 or beyond and only when used with Scan Sensors that are configured for automatic update via Master-GSM: Some systems were shipped with a pre-generated masterkey for usage with scan sensors. If such a key is found during update to this patch level, it will be deleted and a new one created with suitable identifier. This makes it urgently necessary to update the key manually on each scan sensor via the command "masterkeydownload". Whether a GSM is affected can be checked via the extended self-check of GOS-Admin-Menu (#31081).
Bugfix for permission problem at restore of a userdata backup (#30903).
Extended allowed characters in comment fields by round brackets (#30426, #2013062610000022).
Bugfix to immediately delete single results of a finally removed report. At this occasion the database is searched for other orphaned results and will remove these as well (#30960).
Bugfix for OMP: If get_overrides is called with details=1, now the threat-element will be included in the response according to API documentation (#30968).
Log information on execution of OMP commands now contains also the name of the user who executed the command (#30320, #2013062110000022).
Bugfix for sorting NVTs by CVSS. Now the sorting takes place on numerical basis instead of string basis (#30343).
The userdata backup now includes the "private" areas of NVT, SCAP and CERT (#31083).
Autogenerated credential installer: Now, space characters are possible in the name (#31063, #2013080610000057).
Bugfix for Reports with Overrides: False Positives were included in a report even if "No overrides" was selected. This has been fixed (#31126, #2013080910000033).
GOS-Admin-Menu will now issue a warning in case the free disk space is low. The test for free disk space is now also part of the Selfcheck (#31143).
Extension of Selfcheck in GOS-Admin-Menu to check whether scan sensors can automatically be updated (#31148).
It is now ensured that during a migration from GOS 2.1 to GOS 2.2 there is sufficient entropy for the creation of the credential encryption key. This reduces the migration duration significantly (#30988, #2013080210000037).
Bugfix for web interface: Special characters in the URL are no ignored. Before it was possible to loose the session token when this happened and a user had to authenticate again (#31164).
2.2.0-12 (2013-07-27): Performance improvement for OMP command "get_nvts" (#30754).
Extended allowed characters in comment fields by round brackets (#30426, #2013062610000022).
Bugfix for migration from GOS 2.1 to GOS 2.2 regarding the encryption of credential passwords (#30880).
Bugfix for GSM 25/100 for the CLI Admin command "show usb" (#30898).
2.2.0-11 (2013-07-17): Bugfix for creation of a new filter with an empty filter directive (#30220).
Bugfix to display active state of Report Format Plugins correctly for newly imported plugins (#30164).
Bugfix for creation of overrides (#30252).
Bugfix fpr OMP calls for special Asset Reports (#30301, #2013061210000012).
Bugfix for the CVSS Calculator that now can interpret all abbreviations (#30253).
Bugfix for GOS-Admin-Menu that makes the userdata backup visible again for GSM 100 (#29482).
Bugfix for the creation of special Notes and Overrides (#30376, #30379, #2013062410000017).
Bugfix for XML escaping in URL references in NVT meta data (#30389, #2013062510000015).
Bugfix that removes a wrong error message that could occur during Feed updates. (#30596).
Bugfix for GOS-Admin-Menu so that for GSM 25V it is allowed to configure 4 network interfaces (#30704).
2.2.0-10 (2013-06-19): Disallow invalid port numbers when editing a Note or Override (#29905).
Bugfix for auto-credential creation (#30161, #2013061310000074).
In Results View, extended text search to new-style NVTs with their extended description sections (#30042).
Bugfix for OMP interface which was not responding (#30119, #30162, #2013061210000012).
Improved performance of Task Details page (#28828, #2013040310000015).
Fixed bug for displaying certain DFN-CERT entries. Now the description is displayed also when no CVEs are referenced (#30039).
Updates of built-in Report Format Plugins GXR and GSR (#29984).
Improved automatic internal recovery from malformed database situations (#29964).
Bugfix for internal flash-upgrade mechanism to allow for future upgrades (#30118).
2.2.0-9 (2013-06-07): Last release of Beta phase. First release of 2.2.0.