- Update from version 7.92 to 7.94
- Update of rootfile not required
- Changelog
7.94 [2023-05-19]
o Zenmap and Ndiff now use Python 3! Thanks to the many contributors who made
this effort possible:
+ [GH#2088][GH#1176][Zenmap] Updated Zenmap to Python 3 and PyGObject. [Jakub Kulík]
+ [GH#1807][GH#1176][Ndiff] Updated Ndiff to Python 3. [Brian Quigley]
+ Additional Python 3 update fixes by Sam James, Daniel Miller. Special thanks
to those who opened Python 3-related issues and pull requests: Eli
Schwartz, Romain Leonard, Varunram Ganesh, Pavel Zhukov, Carey Balboa,
Hasan Aliyev, and others.
o [Windows] Upgraded Npcap (our Windows raw packet capturing and
transmission driver) from version 1.71 to the latest version 1.75. It
includes dozens of performance improvements, bug fixes and feature
enhancements described at https://npcap.com/changelog.
o Nmap now prints vendor names based on MAC address for MA-S (24-bit), MA-M
(28-bit), and MA-L (36-bit) registrations instead of the fixed 3-byte MAC
prefix used previously for lookups.
o Added partial silent-install support to the Nmap Windows
installer. It previously didn't offer silent mode (/S) because the
free/demo version of Npcap Windoes packet capturing driver that it
needs and ships with doesn't include a silent installer. Now with
the /S option, Nmap checks whether Npcap is already installed
(either the free version or OEM) and will silently install itself if
so. This is similar to how the Wireshark installer works and is
particularly helpful for organizations that want to fully automate
their Nmap (and Npcap) deployments. See
https://nmap.org/nmap-silent-install for more details.
o Lots of profile-guided memory and processing improvements for Nmap, including
OS fingerprint matching, probe matching and retransmission lookups for large
hostgroups, and service name lookups. Overhauled Nmap's string interning and
several other startup-related procedures to speed up start times, especially
for scans using OS detection. [Daniel Miller]
o Integrated many of the most-submitted IPv4 OS fingerprints for recent
versions of Windows, iOS, macOS, Linux, and BSD. Added 22 fingerprints,
bringing the new total to 5700!
o [NSE][GH#548] Added the tftp-version script which requests a
nonexistent file from a TFTP server and matches the error message
to a database of known software. [Mak Kolybabi]
o [Ncat][GH#1223] Ncat can now accept "connections" from multiple UDP hosts in
listen mode with the --keep-open option. This also enables --broker and
--chat via UDP. [Daniel Miller]
o [GH#2575] Upgraded OpenSSL binaries (for the Windows builds and for
RPM's) to version 3.0.8. This resolves some CVE's (CVE-2022-3602;
CVE-2022-3786) which don't impact Nmap proper since it doesn't do
certificate validation, but could possibly impact Ncat when the
--ssl-verify option is used.
o Upgrade included libraries: zlib 1.2.13, Lua 5.4.4, libpcap 1.10.4
o [GH#2532] Removed the bogus OpenSSL message from the Windows Nmap
executable which looked like "NSOCK ERROR ssl_init_helper(): OpenSSL
legacy provider failed to load." We actually already have the legacy
provider built-in to our OpenSSL builds, and that's why loading the
external one fails.
o [GH#2541] UDP port scan (-sU) and version scan (-sV) now both use the same
data source, nmap-service-probes, for data payloads. Previously, the
nmap-payloads file was used for port scan. Port scan responses will be used
to kick-start the version matching process. [Daniel Miller]
o Nmap's service scan (-sV) can now probe the UDP service behind a DTLS tunnel,
the same as it already does for TCP services with SSL/TLS encryption. The
DTLSSessionReq probe has had its rarity lowered to 2 to allow it to be sent
sooner in the scan. [Daniel Miller]
o [Ncat] Ncat in listen mode with --udp --ssl will use DTLS to secure incoming
connections. [Daniel Miller]
o [GH#1023] Handle Internationalized Domain Names (IDN) like Яндекс.рф on
platforms where getaddrinfo supports the AI_IDN flag. [Daniel Miller]
o [Ncat] Addressed an issue from the Debian bug tracker
(https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969314) regarding data
received immediately after a SOCKS CONNECT response. Ncat can now be
correctly used in the ProxyCommand option of OpenSSH.
o Improved DNS domain name parsing to avoid recursion and enforce name length
limits, avoiding a theoretical stack overflow issue with certain crafted DNS
server responses, reported by Philippe Antoine.
o [GH#2338][NSE] Fix mpint packing in ssh2 library, which was causing OpenSSH
errors like "ssh_dispatch_run_fatal: bignum is negative" [Sami Loone]
o [GH#2507] Updates to the Japanese manpage translation by Taichi Kotake.
o [Ncat][GH#1026][GH#2426] Dramatically speed up Ncat transfers on
Windows by avoiding a 125ms wait for every read from
STDIN. [scriptjunkie]
o [GH#1192][Windows] Periodically reset the system idle timer to keep the
system from going to sleep while scans are in process. This only affects port
scans and OS detection scans, since NSE and version scan do not rely on
timing data to adjust speed.
o Updated the Nmap Public Source License (NPSL) to Version 0.95. This
just clarifies that the derivative works definition and all other
license clauses only apply to parties who choose to accept the
license in return for the special rights granted (such as Nmap
redistribution rights). If a party can do everything they need to
using copyright provisions outside of this license such as fair use,
we support that and aren't trying to claim any control over their
work. Versions of Nmap released under previous versions of the NPSL
may also be used under the NPSL 0.95 terms.
o Avoid storing many small strings from IPv4 OS detection results in the global
string_pool. These were effectively leaked after a host is done being
scanned, since string_pool allocations are not freed until Nmap quits.
7.93 [2022-09-01]
o This release commemorates Nmap's 25th anniversary! It all started with this
September 1, 1997 Phrack article by Fyodor: https://nmap.org/p51-11.html.
o [Windows] Upgraded Npcap (our Windows raw packet capturing and
transmission driver) from version 1.50 to the latest version 1.71. It
includes dozens of performance improvements, bug fixes and feature
enhancements described at https://npcap.com/changelog.
o Ensure Nmap builds with OpenSSL 3.0 using no deprecated API functions.
Binaries for this release include OpenSSL 3.0.5.
o Upgrade included libraries: libssh2 1.10.0, zlib 1.2.12, Lua 5.3.6, libpcap 1.10.1
o [GH#2416] Fix a bug that prevented Nmap from discovering interfaces on Linux
when no IPv4 addresses were configured. [Daniel Miller, nnposter]
o [NSE][GH#2463] NSE "exception handling" with nmap.new_try() will no longer
result in a stack traceback in debug output nor a "ERROR: script execution
failed" message in script output, since the intended behavior has always been
to end the script immediately without output. [Daniel Miller]
o [GH#2494] Update the Nmap output DTD to match actual output since the
`<hosthint>` element was added in Nmap 7.90.
o [NSE][GH#2496] Fix newtargets support: since Nmap 7.92, scripts could not add
targets in script pre-scanning phase. [Daniel Miller]
o [GH#2468] Scripts dhcp-discover and broadcast-dhcp-discover now support
setting a client identifier. [nnposter]
o [GH#2331][GH#2471] Script oracle-tns-version was not reporting the version
correctly for Oracle 19c or newer [linholmes]
o [GH#2296][GH#2342] Script redis-info was crashing or producing inaccurate
information about client connections and/or cluster nodes. [nnposter]
o [GH#2379] Nmap and Nping were unable to obtain system routes on FreeBSD
[benpratt, nnposter]
o [GH#2464] Script ipidseq was broken due to calling an unreachable library
function. [nnposter]
o [GH#2420][GH#2436] Support for EC crypto was not properly enabled if Nmap
was compiled with OpenSSL in a custom location. [nnposter]
o [NSE] Improvements to event handling and pcap socket garbage collection,
fixing potential hangs and crashes. [Daniel Miller]
o We ceased creating the Nmap win32 binary zipfile. It was useful back when
you could just unzip it and run Nmap from there, but that hasn't worked well
for many years. The win32 self-installer handles Npcap installation and many
other dependencies and complexities. Anyone who needs the binaries for some
reason can still install Nmap on any system and retrieve them from there.
For now we're keeping the Win32 zipfile in the Nmap OEM Edition
(https://nmap.org/oem) for companies building Nmap into their own
products. But even in that case we believe that running the Nmap OEM
self-installer in silent mode is a better approach.
o [GH#2388] Fix TDS7 password encoding for mssql.lua, which had been assuming
ASCII input even though other parts of the library had been passing it Unicode.
o [GH#2402] Replace deprecated CPEs for IIS with their updated identifier,
cpe:/a:microsoft:internet_information_services [Esa Jokinen]
o [NSE][GH#2393] Fix script-terminating error when unknown BSON data types are
encountered. Added parsers for most standard data types. [Daniel Miller]
o [Ncat] Fix hostname/certificate comparison and matching to handle ASN.1
strings without null terminators, a similar bug to OpenSSL's CVE-2021-3712.
o [Ncat][GH#2365] Added support for SOCKS5 proxies that return bind addresses
as hostnames, instead of IPv4/IPv6 addresses. [pomu0325]
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
There are no functional changes in these files, but they are however
linked against OpenSSL 1.1.1 and need to be re-shipped before we remove
the legacy library.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Historically, the MD5 checksums in our LFS files serve as a protection
against broken downloads, or accidentally corrupted source files.
While the sources are nowadays downloaded via HTTPS, it make sense to
beef up integrity protection for them, since transparently intercepting
TLS is believed to be feasible for more powerful actors, and the state
of the public PKI ecosystem is clearly not helping.
Therefore, this patch switches from MD5 to BLAKE2, updating all LFS
files as well as make.sh to deal with this checksum algorithm. BLAKE2 is
notably faster (and more secure) than SHA2, so the performance penalty
introduced by this patch is negligible, if noticeable at all.
In preparation of this patch, the toolchain files currently used have
been supplied with BLAKE2 checksums as well on
https://source.ipfire.org/.
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremeripfire.org>
Bumping across one of our scripts with very long trailing whitespaces, I
thought it might be a good idea to clean these up. Doing so, some
missing or inconsistent licence headers were fixed.
There is no need in shipping all these files en bloc, as their
functionality won't change.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
* Add a Summary and Services field to all pak lfs files
* Replace occurances of INSTALL_INITSCRIPT with new INSTALL_INITSCRIPTS
macro in all pak lfs files.
Signed-off-by: Robin Roevens <robin.roevens@disroot.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
- Update from 7.80 to 7.91
- Update of rootfile
- Changelog is too long to include here
Full details can be found in the CHANGELOG file in the source tarball
- Added patch to fix segfault - https://github.com/nmap/nmap/issues/2154
- Ran with unpatched 7.91 version
$ touch /tmp/foo
$ nc -U /tmp/foo
Segmentation fault - flagged problem in #12647
- Ran with patched 7.91 version
$ touch /tmp/foo
$ nc -U /tmp/foo
Ncat: Connection refused. - Expected behaviour
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
- Update from 7.80 to 7.91
- Update of rootfile
- Changelog is too long to include here
Full details can be found in the CHANGELOG file in the source tarball
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Not sure why this has ever been there. This simply makes it
nicer to read and edit because we can have line-breaks now.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
Most of these files still used old dates and/or domain names for contact
mail addresses. This is now replaced by an up-to-date copyright line.
Just some housekeeping... :-)
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
