From ${URL} : > For OpenVAS Manager, this is a security release addressing a serious > security bug and it is highly recommended to update any installation of > OpenVAS Manager 3.0 and 4.0 with the corresponding release. > > A software bug in OpenVAS Manager allowed an attacker to bypass the OMP > authentication procedure. The attack vector was remotely available in > case OpenVAS Manager was listening on a public network interface. In > case of successful attack, the attacker gained partial rights to execute > OMP commands. The bypass authentication was, however, incomplete and > several OMP commands failed to execute properly. @maintainer(s): since the package has never been marked as stable, we don't need to stabilize it. Please remove the affected versions from the tree.
Bumped. Old versions can be removed in a few days if no issues pop up.
It has been a little more then a month if there are no issues maintainer(s), please drop the vulnerable version.
Vulnerable versions dropped. Closing.
CVE-2013-6765 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-6765): OpenVAS Manager 3.0 before 3.0.7 and 4.0 before 4.0.4 allows remote attackers to bypass the OMP authentication restrictions and execute OMP commands via a crafted OMP request for version information, which causes the state to be set to CLIENT_AUTHENTIC, as demonstrated by the omp_xml_handle_end_element function in omp.c.
