Releases: seccubus/seccubus

5-6-2019 - v2.52 Varna release

07 Jun 16:23

Hello! This is the first Seccubus release made by the Glanc team. Mostly bug fixes.

Differences with 2.50

Enhancements

  • Integration tests (testssl.sh and ssllabs) now only run when commits are merged into master
  • Switched from mysql-server to mariadb-server as a dependency on Debian-based systems
  • Online version check is now served from the main seccubus.com website

Bug Fixes

  • #678 - Works on Mojolicious 8 again
  • #680 - RPMs are now signed again
  • #685 - Test 54 did not initialize DB before test start
  • #686 - New key staplingRevocationStatus added to ssllabs scanner
  • #688 - RPM now requires openssl so fresh installs on EL listen on https too

5-11-2018 - v2.50 - Seccubus Alpine

08 Nov 10:55

This release brings new Alpine based docker containers and fixes a compatibility issue with MySQL/MariaDB version 8 and above.

Differences with 2.48

Enhancements

  • Seccubus containers are now built based on Alpine
  • Minimal specialized docker containers available for front end, api, front end+api, perl and cron

Bug Fixes

  • Seccubus RPMs are now also being built for Fedora version 27 and 28
  • RPMs for Fedora version 25 deprecated
  • Fixed building of supporting Centos v7 rpms
  • #585 - Added default credentials to the readme file
  • #660 - Sudo added to docker images
  • #655 - Shell set to /bin/bash for user seccubus
  • #662 - Fixing documentation typos
  • #673 - PERL5LIB set to /opt/seccubus for seccubus user via debian package

9-5-2018 - v2.48 - Tenable.io compatibility and more

09 May 12:28

This release is fully compatible with the Tenable.io vulnerability management platform.

Differences with 2.46

Enhancements

  • Seccubus now supports Tenable.io as a scanning platform
  • Added parsing of the ROBOT (Bleichenbacher) attack to the SSLlabs scanner
  • Added a dev environment example config
  • Increased the size of the scannerparam field in the database

Bug Fixes

  • #635 - Hypnotoad path was set incorrectly in systemd startup script on CentOS 7
  • #642 - Updated readme to address how to run a scan on a running container
  • Fixed an error in the Docker examples in README.md
  • Added zip to the docker image because it is needed for import/export

v2.46 - RedHat 7 / Centos 7 packages

14 Dec 11:32

14-12-2017 - v2.46 - RedHat 7 / Centos 7 packages

This release adds RPM support for RedHat 7 and CentOS 7. Because Mojolicious and some of its dependencies were not available
as RPM on any of the standard repos for el7 we are also building these RPMs as part of our el7 build street now and are
pushing these packages to our packagecloud.io repository. This makes tweaks like this one by @Ar0xA unnecessary.

Enhancements

  • Added support for RedHat 7 / CentOS 7 RPM packages. With the extra needed packages being added to packagecloud.io

Bug Fixes

  • #588 - Fix Nmap Plugin ID leak (Thanks @alirezakv)
  • #589 - Fix OpenVAS scan execution bug with only 1 target defined (Thanks @alirezakv)
  • #603 - Nessus scan fails when pdf files cannot be exported (Thanks @Ar0xA)
  • #615 - Docker: when the database was on the data volume the database failed to start
  • #617 - Nikto scanner gives unintended error output
  • Theodoor Scholte fixed some typos in the scanner scripts (Thanks!)
  • Streamlined CircleCI unit testing

You can download the .deb Debian package and RPMs for Redhat / Centos 7 and Fedora via https://packagecloud.io/seccubus/releases

v2.44 - PackageCloud release

15 Nov 20:06

This release cleans up technical debt. Package building has been moved from OpenSuse Build Services to CircleCI
and packages are now automatically uploaded to our PackageCloud repositories.
Here you will find two repositories:

  • Latest - Follows the latest code that gets merged into the master branch
  • Releases - Follows the regular releases

You can configure these repositories on your operating system to include Seccubus upgrades in your regular package updates.

Enhancements

  • #597 - do-scan and import ivil now log to syslog
  • #605 - Container scan command allows scans to only start on a certain weekday
  • Fedora, Ubuntu and Debian package building has been moved to CircleCI
  • Packages are automatically uploaded to packagecloud.io

Bug Fixes

  • #593 - Fixed incorrect parsing of the values for poodleTls finding in SSLlabs.
  • #595 - Fixed incorrect parsing of the values for Ticketbleed finding in SSLlabs.

v2.42 - Kali, Certificate validation and State Engine

24 Oct 08:21

Three major improvements in this release:

  • It fixes a big issue with the validation of SSL certificates. Certificate validation was not correctly turned off in the Nessus scanner when an internal scanner is used
  • Debian packages now work on Debian, Ubuntu and Kali
  • The state engine still had a bug when findings needed to recover from the Gone status

Enhancements

  • Unit testing moved from Circle CI v1.0 to CircleCI v2.0 to increase testing speed
  • Now also building .deb file on Circle CI and testing them against debian v8 and v9, Ubuntu and Kali Linux

Bug Fixes

  • #580 - --cdn option did not add IPs to finding if findings were not consistent across endpoints
  • #572 - Issues with disabling SSL verification in Nessus
  • #571 - @shoekstra fixed: testssl scan fails on docker because hexdump is not installed
  • #563 - Fixed an issue with picking the wrong color for notes (Severity 4)
  • #533 - Installation of .deb package on Kali failed (Thanks @rhertzog)
  • #509 - Fixed a bug in the state engine, causing incorrect recovery from gone when an issue was previously closed
  • Fixed an issue where duplicate asset_hosts were created on certain platforms (e.g. docker)
  • Fixed an issue in how filters were composed if
  • Removed debug output from entrypoint.sh
  • Fixed git complaining about unrelated histories

v2.40 - Fixes and improvements

15 Sep 12:27

This release mainly fixes installation issues on Debian and issues in Docker that are due to the PERL5LIB path
that doesn't include the current directory anymore.
It also fixes the issue where people were unable to connect to a Nessus instance with a self-signed certificate
that was triggered by altered behaviour of a Perl library.
I've also fixed and tweaked the user interface a bit.

Enhancements

  • #539 - Status tab will become the default instead of the login tab if there is a config issue

Bug Fixes

  • #499 - Status change buttons in findings grid not working
  • #529 - Not all buttons were working correctly when working with linked issues
  • #536 - Seccubus did not install on Debian because openssl passphrase was too short (also affected docker container)
  • #534 - Fixed an error that prevented connections to a Nessus instance with a self-signed certificate on certain OSes
  • #542 - Docker broken
  • #548 - Notifications editor did not work correctly
  • #549 - Deleting notifications did not work correctly
  • #559 - PERL5LIB path was not set in cron container
  • #563 - Removed some debug output

v2.38 - Various fixes and improvements

07 Aug 11:59

2-8-2017 - v2.38 - Various fixes and improvements

We've fixed various bugs and implemented some enhancements in this version.

Enhancements

  • #421 - Implemented a scoring system for SSLlabs findings
  • #464 - Scan objects in Nessus are now reused instead of created from scratch
  • #500 - Added --cdn switch to testssl.sh too
  • #504 - Changed container crontab shell from sh to bash
  • #506 - Allow cron email to be sent externally
  • #512 - New ssllabs finding httpForwarding
  • #522 - You can now configure which formats get exported from nessus

Bug Fixes

  • #490 - --cdn switch doesn't work as expected
  • #491 - Help message of load_ivil didn't align nicely
  • #492 - Finding history wasn't showing in the GUI
  • #494 - Prototype mismatch warning in Nessus scanner
  • #502 - Incorrect path set when using CRON in a container
  • #507 - It is no longer possible to add duplicate users
  • #522 - Nessus scans now get correctly recycled or created

TestSSL.sh release

29 Jun 11:50

This release has been in the making for a long time. In fact the first pull
request for its main feature was back in June 2016 by our friend and then
colleague Glenn ten Cate.

This release marks the integration of Dirk Wetter's excellent tool testssl.sh
into Seccubus. With testssl.sh you can get a detailed overview of how well
your TLS enabled service is set up. Not just for websites, but for any TCP
service, even those that use STARTTLS.

In addition we introduced the --cdn switch for ssllabs, to reduce noise for
CDN enabled sites, we added the ability to dynamically create users via JIT
provisioning and we added CSRF protection for enhanced security.

To boost future code quality, Perl::Critic testing has been integrated in the
unit testing process.

Besides that we squashed some bugs, five of which got introduced in the previous release :(

Enhancements

  • #302 - Testssl.sh support for Seccubus
  • #401 - JIT provisioning of users
  • #442 - Add --cdn option to ssllabs
  • Perl Critic is now part of unit testing. All critique was handled

Bug Fixes

  • #132 - We have CSRF protection now. Non-get requests should have content-type application/json.
  • #461 - Update button on finding edit screen isn't working properly
  • #474 - Some typo/style fixes by Jericho (attrition.org)
  • #478 - Conralive should check if cron isn't ignored
  • #480 - Editing/showing notifications broken
  • #483 - add_user broken
  • #484 - Failure to update 1+n scan configuration in Manage Scans (And all other update functions)

v2.34 - Backend rewritten in Mojolicious

16 Jun 06:05

The Seccubus backend has been REST-ish ever since release v2.0. This web backend was implemented
via Perl CGI scripts (yes, using CGI.pm). Needless to say something needed to change.

This backend rewrite has been in the making for some time now and we are finally ready to release
it into the wild.

What are the major changes?

  • Backend rewritten in Mojolicious
  • Backend API is now REST compliant and located at /api
  • There is no need to run an external webserver for Seccubus, it is built into Mojolicious
  • Seccubus now has built in user authentication (Default admin password is 'GiveMeVulns!')
  • Fixed a lot of old issues
  • Unfortunately there are no solid Mojolicious v6/v7 RPMs for RedHat/CentOS, so we can no longer provide RPMs for those operating systems

Enhancements

  • #411 - Ported the backend to Mojolicious and pure REST
  • #448 - Allow import and export utility to read config from specific file

Bug Fixes

  • Fixed a weird sorting bug when using Chrome
  • #138 - Can't locate SeccubusV2.pm in @inc (you may need to install the SeccubusV2 module)
  • #143 - Make RPM so that nginx is supported too
  • #171 - column formatting in custom SQL is off
  • #190 - XSS in custom SQL query
  • #193 - RFE: please add a logout button for additional security
  • #263 - SeccubusHelpers.pm contains two unused functions
  • #363 - API calls for asset use workspace iso of workspaceId which is the standard
  • #384 - Missing SMTP server config should be warning, not error
  • #396 - ConfigTest should return non 200 if config is not ok
  • #417 - Docker container is not https-enabled by default
  • #418 - Docker images lacks proper data management
  • #430 - Set correct paths for perl and nikto so that do-scan and nikto can now be run by any user
  • #445 - RPM errors
  • #457 - MIME attachment not sent correctly
  • #465 - JSON::false returns "false" on certain platforms
  • #466 - /api/version should not be an authenticated call