Paho-mqtt 2.0.0 breaking changes for ospd-openvas and notus-scanner

Just wasted a lot of time debugging the breaking changes introduced with the paho-mqtt PyPI package in version 2.0.0. Use v1.6.1.
The changes happened while I was testing minor updates of install scripts (Community Edition Installation scripts; GitHub - martinboller/gse: Bash script installing the latest version of Greenbone Community Edition, the artist formerly known as OpenVAS), so one system worked and the other didn’t, which confused me (at least that’s my excuse and I’m sticking to it).

Details:

  • Forcing installation of paho-mqtt 1.6.1, as 2.0.0 appears to break ospd-openvas and notus-scanner
  • With 2.0.0 the following breakage happens:

Traceback (most recent call last):
  File "/opt/gvm/gvmpy/lib/python3.11/site-packages/paho/mqtt/client.py", line 874, in __del__
    self._reset_sockets()
  File "/opt/gvm/gvmpy/lib/python3.11/site-packages/paho/mqtt/client.py", line 1133, in _reset_sockets
    self._sock_close()
  File "/opt/gvm/gvmpy/lib/python3.11/site-packages/paho/mqtt/client.py", line 1119, in _sock_close
    if not self._sock:
           ^^^^^^^^^^
AttributeError: 'MQTTClient' object has no attribute '_sock'

This probably would be better placed into the issue trackers below to notify the team working on these components that a new version of a 3rd-party component is introducing backwards compatibility problems:


Having the same issue. How did you revert back to version 1.6.1?

I tried with pip install but no luck…

pip install --upgrade --force-reinstall paho-mqtt==1.6.1
Collecting paho-mqtt==1.6.1
Using cached paho_mqtt-1.6.1-py3-none-any.whl
Installing collected packages: paho-mqtt
Attempting uninstall: paho-mqtt
Found existing installation: paho-mqtt 2.0.0
ERROR: Cannot uninstall paho-mqtt 2.0.0, RECORD file not found. Hint: The package was installed by debian.

You have likely both installed the Debian Package libpaho-mqtt-dev, thus need to run apt -y purge libpaho-mqtt-dev. Then you can install the 1.6.1 version with pip (recommend doing it in a Python virtual environment).

But I guess removing the package python3-paho-mqtt will also remove notus-scanner. Thus you would need to install both manually.


Very good point (as always) from Mr. Bricks :)

python3 -m pip install paho-mqtt==1.6.1 --use-pep517
python3 -m pip install notus-scanner

Hey. I was running into the same issue and solved the problem by adding the kali-last-snapshot repository to be able to get the last working version of the python3-paho-mqtt package.

/etc/apt/sources.list
deb http://http.kali.org/kali kali-last-snapshot main contrib non-free non-free-firmware

Then I installed the version 1.6.1 of python3-paho-mqtt and pinned the version to avoid upgrading
apt install python3-paho-mqtt=1.6.1-1
apt-mark hold python3-paho-mqtt

After restarting all services my installation is finally working again and scans are successful.


If you install notus-scanner and ospd-openvas manually (via pip) the latest version of paho-mqtt works again. I’ve fixed the compatibility issue and we created new releases for both.

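The pip error quoted earlier in this thread ("RECORD file not found ... installed by debian") arises because pip uninstalls a package from the RECORD file in its dist-info directory, which Debian-packaged modules do not ship. As an added example (not from any post in this thread), this Python script reads that metadata to report which paho-mqtt copy an interpreter sees, whether it is in the 2.x range reported as breaking, and whether pip can replace it; the function names and the fake dist-info directory are constructed for illustration.

```python
import sys
import tempfile
from importlib import metadata
from pathlib import Path

BREAKING_MAJOR = 2  # the thread reports breakage starting with paho-mqtt 2.0.0


def inspect_dist(dist):
    """Report version, installer and whether pip is able to uninstall this copy."""
    installer = (dist.read_text("INSTALLER") or "unknown").strip()
    return {
        "version": dist.version,
        "installer": installer,
        # pip uninstalls by reading RECORD; distro packages ship without it
        "pip_can_uninstall": dist.read_text("RECORD") is not None,
        "affected": int(dist.version.split(".")[0]) >= BREAKING_MAJOR,
    }


def find_paho(paths=None):
    """Inspect the first paho-mqtt found on paths (default: this interpreter's sys.path)."""
    for dist in metadata.distributions(path=list(paths or sys.path)):
        name = dist.metadata.get("Name") or ""
        if name.lower().replace("_", "-") == "paho-mqtt":
            return inspect_dist(dist)
    return None


def make_constructed_dist(root, version, installer, with_record):
    """Build a fake paho-mqtt dist-info directory (constructed sample, no real package)."""
    info = Path(root) / f"paho_mqtt-{version}.dist-info"
    info.mkdir(parents=True)
    (info / "METADATA").write_text(
        f"Metadata-Version: 2.1\nName: paho-mqtt\nVersion: {version}\n")
    (info / "INSTALLER").write_text(installer + "\n")
    if with_record:
        (info / "RECORD").write_text("paho/__init__.py,,\n")
    return str(root)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        deb = make_constructed_dist(Path(tmp) / "deb", "2.0.0", "debian", with_record=False)
        print("constructed Debian-style install:", find_paho([deb]))
    in_venv = sys.prefix != sys.base_prefix
    print(f"this interpreter (virtual environment: {in_venv}):", find_paho())
```

Run it with the interpreter of the environment the services use (the traceback above shows /opt/gvm/gvmpy), since the system Python and a virtual environment can hold different paho-mqtt versions.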