2017-09-25 18:55 UTC

View Issue Details Jump to Notes ]
IDProjectCategoryView StatusLast Update
0003626Kali Linux[All Projects] Kali Package Bugpublic2016-10-04 07:37
Reporterbusterbcook 
Assigned Tosbrun 
PrioritynormalSeveritymajorReproducibilityalways
StatusresolvedResolutionfixed 
Product Version2016.2 
Target VersionFixed in Version2017.1 
Summary0003626: metasploit-framework package does not depend strongly enough on a ruby version
DescriptionThere is a trap that users get into that breaks people using 'msfupdate' to upgrade metasploit. If you just upgrade the 'metasploit-framework' package, that latest version of ruby is not installed. Instead, you end up with whatever version of ruby came with the system
Steps To ReproduceInstall the pre-build Kali 2016.1 VM (as of this filing, 2016.2 VMs are not available)
Run 'msfupdate'
Run 'msfconsole'

What ends up happening is ruby 2.2.4 remains the system Ruby interpreter, but the 2.3.1 gems are packaged with the latest Metasploit-framework package. This causes msfconsole to not have the correct gem versions to match the system interpreter.

I think the 'ruby' dependency needs to be specifically on the latest ruby package. I see libruby is more specific, but that does not seem sufficient.
Additional InformationAlternate fixes could include:

Changing 'msfupdate' to inform the user he should run 'dist-upgrade' when running on Kali instead.

Changing 'msfupdate' to literally run 'apt-get dist-upgrade', or 'apt-get install metasploit-framework ruby' so everything is updated

Removing 'msfupdate' since it doesn't really do anything that can't be done with the system package tools.
Attached Files

-Relationships
+Relationships

-Notes

~0005995

rhertzog (administrator)

I think dropping msfupdate is the right approach (or changing it into a no-op telling the user to run a system upgrade with "apt update && apt install metasploit-framework").

~0006023

sbrun (manager)

We kept msfupdate as it uses apt when /usr/share/metasploit-framework/.apt exists (it's the case when metasploit is installed via apt in Kali).
We added a stronger dependency on ruby version in new metasploit version 4.12.29-0kali1
+Notes

-Issue History
Date Modified Username Field Change
2016-09-24 15:36 busterbcook New Issue
2016-09-26 13:45 rhertzog Assigned To => sbrun
2016-09-26 13:45 rhertzog Status new => assigned
2016-09-26 13:47 rhertzog Note Added: 0005995
2016-10-04 07:37 sbrun Note Added: 0006023
2016-10-04 07:37 sbrun Status assigned => resolved
2016-10-04 07:37 sbrun Resolution open => fixed
2016-10-04 07:37 sbrun Fixed in Version => 2017.1
+Issue History