Both GOS 21.04.2 and GOS 20.08.10 includes several bug fixes. In total GOS 21.04.2 covers 27 improvements and GOS 20.08.10 covers 22 improvements. For a complete list of changes, see the Roadmap & Lifecycle page.
With GOS 21.04.2 and GOS 20.08.10, Password security was improved: for any GVM user who logs in to the web interface or via the GMP API, and for any GVM user for whom the password is changed, the password hash is updated with the secure SHA-512 algorithm. Newly created users will always use the SHA-512 algorithm.
Impact: if an attacker was able to access the database of a GSM, they could decrypt the GVM user passwords via brute-force attacks. Note that to access the GSM database, an attacker would either have to log in as the GOS administrative user, or decrypt a GOS remote backup or beaming image. GOS remote backups and beaming images are encrypted separately using secure AES-256 encryption. The GOS administrative user is not affected by MD5 password hashing, and any GVM credential passwords are also not affected by MD5 password hashing. There is currently no known way to exploit this vulnerability.
Nevertheless, we recommend all users to update as soon as possible!