I got this mail today:

"""
Hello,

The OpenVAS developers have just released two important security releases for the Open Vulnerability Assessment System release series 6 and 7 (OpenVAS-6 and OpenVAS-7). The releases are:

- OpenVAS Manager 4.0.6
- OpenVAS Manager 5.0.7

We highly recommend updating your OpenVAS installation to the versions listed above immediately.

It has been identified that OpenVAS Manager is vulnerable to SQL injection due to improper handling of the timezone parameter in the modify_schedule OMP command. It has been identified that this vulnerability may allow read access via SQL for authorized user accounts which have permission to modify schedule objects.

For details and current information on this vulnerability please refer to the following page on the OpenVAS website: http://www.openvas.org/OVSA20141128.html

The source tarballs for the releases are available for download from the OpenVAS website at: https://wald.intevation.org/frs/?group_id=29

This page contains signatures and checksums for the source tarballs as well.

You can find links to the latest source tarballs for all currently maintained releases here: http://openvas.org/install-source.html

Binary packages for major GNU/Linux distributions by third parties are expected to follow soon.
"""

Don't know whether there is a CVE, but I will try to look into the bump this weekend.
+*openvas-manager-6.0_beta4 (01 Dec 2014) +*openvas-manager-5.0.7 (01 Dec 2014) + + 01 Dec 2014; Justin Lecher <jlec@gentoo.org> -openvas-manager-4.0.4.ebuild, + -openvas-manager-5.0.4-r2.ebuild, -openvas-manager-5.0.5.ebuild, + +openvas-manager-5.0.7.ebuild, +openvas-manager-6.0_beta4.ebuild: + Version Bump; drop old vulnerable versions, #531094 +
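Review bot: the ChangeLog entry drops the vulnerable 4.0.4, 5.0.4-r2 and 5.0.5 ebuilds and adds 5.0.7 and 6.0_beta4, but the advisory quoted above names 4.0.6 as the fixed release of the 4.x line and no 4.0.6 ebuild is added, so anyone pinned to the 4.x series has no fixed version in the tree; either add openvas-manager-4.0.6.ebuild or state in the entry that the 4.x line is intentionally removed.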
Thank you for the report, fix and cleanup. Non-stable package, closing noglsa
CVE-2014-9220 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-9220): SQL injection vulnerability in OpenVAS Manager before 4.0.6 and 5.x before 5.0.7 allows remote attackers to execute arbitrary SQL commands via the timezone parameter in a modify_schedule OMP command.
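The advisory and the CVE text describe the defect only as improper handling of the timezone parameter in modify_schedule. The following is an added illustration, not code from OpenVAS Manager or from the Gentoo ebuild: it uses a constructed SQLite schedule table and a hypothetical modify_schedule_unsafe that splices the caller's string into the statement, beside a modify_schedule_safe that validates the zone name against an allow-list (the regex is an assumption for this example, not the project's validation) and binds it as a parameter. The owner check in the WHERE clause models the "permission to modify schedule objects" precondition named in the advisory.

```python
import re
import sqlite3

# Constructed schema standing in for the manager's schedule table
# (assumption: the real OpenVAS Manager schema is not reproduced here).
SCHEMA = """
CREATE TABLE schedules (
    id INTEGER PRIMARY KEY,
    owner TEXT NOT NULL,
    name TEXT NOT NULL,
    timezone TEXT NOT NULL
);
INSERT INTO schedules VALUES (1, 'alice', 'nightly', 'UTC');
INSERT INTO schedules VALUES (2, 'bob', 'weekly', 'Europe/Berlin');
"""

# Conservative allow-list for IANA zone names such as "UTC" or
# "America/Argentina/Buenos_Aires". Assumption for this example only.
TZ_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_+\-]*(/[A-Za-z0-9_+\-]+){0,2}$")


def open_db():
    """Fresh in-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def modify_schedule_unsafe(conn, owner, schedule_id, timezone):
    """Hypothetical 'before' form: the caller-controlled string is pasted
    straight into the statement, so any quote character rewrites the SQL."""
    sql = (f"UPDATE schedules SET timezone = '{timezone}' "
           f"WHERE id = {int(schedule_id)} AND owner = '{owner}'")
    conn.execute(sql)
    conn.commit()


def modify_schedule_safe(conn, owner, schedule_id, timezone):
    """Hardened form: reject anything that is not a plausible zone name,
    then bind the value so the database never parses it as SQL.
    Returns the number of rows updated (0 when owner does not match)."""
    if not TZ_NAME.match(timezone):
        raise ValueError(f"rejected timezone value: {timezone!r}")
    cur = conn.execute(
        "UPDATE schedules SET timezone = ? WHERE id = ? AND owner = ?",
        (timezone, int(schedule_id), owner),
    )
    conn.commit()
    return cur.rowcount


def get_timezone(conn, schedule_id):
    """Read back the stored zone name for one schedule."""
    row = conn.execute("SELECT timezone FROM schedules WHERE id = ?",
                       (schedule_id,)).fetchone()
    return row[0] if row else None


def demo():
    """Run both variants against a quote-bearing value and report what happened."""
    hostile = "Europe/O'Brien"   # constructed: a zone name with a stray quote
    results = {}
    conn = open_db()
    try:
        modify_schedule_unsafe(conn, "alice", 1, hostile)
        results["unsafe"] = "executed"
    except sqlite3.OperationalError:
        results["unsafe"] = "sql_error"   # the quote broke the statement
    try:
        modify_schedule_safe(conn, "alice", 1, hostile)
        results["safe"] = "executed"
    except ValueError:
        results["safe"] = "rejected"      # never reached the database
    # The owner clause is what enforces "permission to modify schedule objects".
    results["bob_on_alice"] = modify_schedule_safe(conn, "bob", 1, "UTC")
    results["alice_ok"] = modify_schedule_safe(conn, "alice", 1, "Europe/Berlin")
    results["alice_tz"] = get_timezone(conn, 1)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the pair is that the unsafe form reaches the SQL parser with user-supplied syntax, which is exactly the class of bug the advisory fixes, whereas the safe form fails closed before the statement is built and, even if validation were loosened, the bound parameter would be stored as an opaque string.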