From patchwork Mon Jul 24 16:15:38 2023
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 7016
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH 1/2] nmap: Update to version 7.94
Date: Mon, 24 Jul 2023 18:15:38 +0200
Message-ID: <20230724161546.2683103-1-adolf.belka@ipfire.org>

- Update from version 7.92 to 7.94
- Update of rootfile
- Changelog
    7.94 [2023-05-19]
    o Zenmap and Ndiff now use Python 3! Thanks to the many contributors who made this effort possible:
      + [GH#2088][GH#1176][Zenmap] Updated Zenmap to Python 3 and PyGObject. [Jakub Kulík]
      + [GH#1807][GH#1176][Ndiff] Updated Ndiff to Python 3. [Brian Quigley]
      + Additional Python 3 update fixes by Sam James, Daniel Miller. Special thanks to those who opened Python 3-related issues and pull requests: Eli Schwartz, Romain Leonard, Varunram Ganesh, Pavel Zhukov, Carey Balboa, Hasan Aliyev, and others.
    o [Windows] Upgraded Npcap (our Windows raw packet capturing and transmission driver) from version 1.71 to the latest version 1.75. It includes dozens of performance improvements, bug fixes and feature enhancements described at https://npcap.com/changelog.
    o Nmap now prints vendor names based on MAC address for MA-S (24-bit), MA-M (28-bit), and MA-L (36-bit) registrations instead of the fixed 3-byte MAC prefix used previously for lookups.
    o Added partial silent-install support to the Nmap Windows installer. It previously didn't offer silent mode (/S) because the free/demo version of the Npcap Windows packet capturing driver that it needs and ships with doesn't include a silent installer. Now with the /S option, Nmap checks whether Npcap is already installed (either the free version or OEM) and will silently install itself if so. This is similar to how the Wireshark installer works and is particularly helpful for organizations that want to fully automate their Nmap (and Npcap) deployments. See https://nmap.org/nmap-silent-install for more details.
    o Lots of profile-guided memory and processing improvements for Nmap, including OS fingerprint matching, probe matching and retransmission lookups for large hostgroups, and service name lookups. Overhauled Nmap's string interning and several other startup-related procedures to speed up start times, especially for scans using OS detection. [Daniel Miller]
    o Integrated many of the most-submitted IPv4 OS fingerprints for recent versions of Windows, iOS, macOS, Linux, and BSD. Added 22 fingerprints, bringing the new total to 5700!
    o [NSE][GH#548] Added the tftp-version script which requests a nonexistent file from a TFTP server and matches the error message to a database of known software. [Mak Kolybabi]
    o [Ncat][GH#1223] Ncat can now accept "connections" from multiple UDP hosts in listen mode with the --keep-open option. This also enables --broker and --chat via UDP. [Daniel Miller]
    o [GH#2575] Upgraded OpenSSL binaries (for the Windows builds and for RPMs) to version 3.0.8. This resolves some CVEs (CVE-2022-3602; CVE-2022-3786) which don't impact Nmap proper since it doesn't do certificate validation, but could possibly impact Ncat when the --ssl-verify option is used.
    o Upgrade included libraries: zlib 1.2.13, Lua 5.4.4, libpcap 1.10.4
    o [GH#2532] Removed the bogus OpenSSL message from the Windows Nmap executable which looked like "NSOCK ERROR ssl_init_helper(): OpenSSL legacy provider failed to load." We actually already have the legacy provider built-in to our OpenSSL builds, and that's why loading the external one fails.
    o [GH#2541] UDP port scan (-sU) and version scan (-sV) now both use the same data source, nmap-service-probes, for data payloads. Previously, the nmap-payloads file was used for port scan. Port scan responses will be used to kick-start the version matching process. [Daniel Miller]
    o Nmap's service scan (-sV) can now probe the UDP service behind a DTLS tunnel, the same as it already does for TCP services with SSL/TLS encryption. The DTLSSessionReq probe has had its rarity lowered to 2 to allow it to be sent sooner in the scan. [Daniel Miller]
    o [Ncat] Ncat in listen mode with --udp --ssl will use DTLS to secure incoming connections. [Daniel Miller]
    o [GH#1023] Handle Internationalized Domain Names (IDN) like Яндекс.рф on platforms where getaddrinfo supports the AI_IDN flag. [Daniel Miller]
    o [Ncat] Addressed an issue from the Debian bug tracker (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969314) regarding data received immediately after a SOCKS CONNECT response. Ncat can now be correctly used in the ProxyCommand option of OpenSSH.
    o Improved DNS domain name parsing to avoid recursion and enforce name length limits, avoiding a theoretical stack overflow issue with certain crafted DNS server responses, reported by Philippe Antoine.
    o [GH#2338][NSE] Fix mpint packing in ssh2 library, which was causing OpenSSH errors like "ssh_dispatch_run_fatal: bignum is negative" [Sami Loone]
    o [GH#2507] Updates to the Japanese manpage translation by Taichi Kotake.
    o [Ncat][GH#1026][GH#2426] Dramatically speed up Ncat transfers on Windows by avoiding a 125ms wait for every read from STDIN. [scriptjunkie]
    o [GH#1192][Windows] Periodically reset the system idle timer to keep the system from going to sleep while scans are in process. This only affects port scans and OS detection scans, since NSE and version scan do not rely on timing data to adjust speed.
    o Updated the Nmap Public Source License (NPSL) to Version 0.95. This just clarifies that the derivative works definition and all other license clauses only apply to parties who choose to accept the license in return for the special rights granted (such as Nmap redistribution rights). If a party can do everything they need to using copyright provisions outside of this license such as fair use, we support that and aren't trying to claim any control over their work. Versions of Nmap released under previous versions of the NPSL may also be used under the NPSL 0.95 terms.
    o Avoid storing many small strings from IPv4 OS detection results in the global string_pool. These were effectively leaked after a host is done being scanned, since string_pool allocations are not freed until Nmap quits.

    7.93 [2022-09-01]
    o This release commemorates Nmap's 25th anniversary! It all started with this September 1, 1997 Phrack article by Fyodor: https://nmap.org/p51-11.html.
    o [Windows] Upgraded Npcap (our Windows raw packet capturing and transmission driver) from version 1.50 to the latest version 1.71. It includes dozens of performance improvements, bug fixes and feature enhancements described at https://npcap.com/changelog.
    o Ensure Nmap builds with OpenSSL 3.0 using no deprecated API functions. Binaries for this release include OpenSSL 3.0.5.
    o Upgrade included libraries: libssh2 1.10.0, zlib 1.2.12, Lua 5.3.6, libpcap 1.10.1
    o [GH#2416] Fix a bug that prevented Nmap from discovering interfaces on Linux when no IPv4 addresses were configured. [Daniel Miller, nnposter]
    o [NSE][GH#2463] NSE "exception handling" with nmap.new_try() will no longer result in a stack traceback in debug output nor an "ERROR: script execution failed" message in script output, since the intended behavior has always been to end the script immediately without output. [Daniel Miller]
    o [GH#2494] Update the Nmap output DTD to match actual output since the `` element was added in Nmap 7.90.
    o [NSE][GH#2496] Fix newtargets support: since Nmap 7.92, scripts could not add targets in script pre-scanning phase. [Daniel Miller]
    o [GH#2468] Scripts dhcp-discover and broadcast-dhcp-discover now support setting a client identifier. [nnposter]
    o [GH#2331][GH#2471] Script oracle-tns-version was not reporting the version correctly for Oracle 19c or newer [linholmes]
    o [GH#2296][GH#2342] Script redis-info was crashing or producing inaccurate information about client connections and/or cluster nodes. [nnposter]
    o [GH#2379] Nmap and Nping were unable to obtain system routes on FreeBSD [benpratt, nnposter]
    o [GH#2464] Script ipidseq was broken due to calling an unreachable library function. [nnposter]
    o [GH#2420][GH#2436] Support for EC crypto was not properly enabled if Nmap was compiled with OpenSSL in a custom location. [nnposter]
    o [NSE] Improvements to event handling and pcap socket garbage collection, fixing potential hangs and crashes. [Daniel Miller]
    o We ceased creating the Nmap win32 binary zipfile. It was useful back when you could just unzip it and run Nmap from there, but that hasn't worked well for many years. The win32 self-installer handles Npcap installation and many other dependencies and complexities. Anyone who needs the binaries for some reason can still install Nmap on any system and retrieve them from there. For now we're keeping the Win32 zipfile in the Nmap OEM Edition (https://nmap.org/oem) for companies building Nmap into their own products. But even in that case we believe that running the Nmap OEM self-installer in silent mode is a better approach.
    o [GH#2388] Fix TDS7 password encoding for mssql.lua, which had been assuming ASCII input even though other parts of the library had been passing it Unicode.
    o [GH#2402] Replace deprecated CPEs for IIS with their updated identifier, cpe:/a:microsoft:internet_information_services [Esa Jokinen]
    o [NSE][GH#2393] Fix script-terminating error when unknown BSON data types are encountered. Added parsers for most standard data types. [Daniel Miller]
    o [Ncat] Fix hostname/certificate comparison and matching to handle ASN.1 strings without null terminators, a similar bug to OpenSSL's CVE-2021-3712.
o [Ncat][GH#2365] Added support for SOCKS5 proxies that return bind addresses as hostnames, instead of IPv4/IPv6 addresses. [pomu0325] Signed-off-by: Adolf Belka --- config/rootfiles/packages/nmap | 7 ++----- lfs/nmap | 6 +++--- 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/config/rootfiles/packages/nmap b/config/rootfiles/packages/nmap index 8c4fb78da..b7627c97f 100644 --- a/config/rootfiles/packages/nmap +++ b/config/rootfiles/packages/nmap @@ -5,8 +5,6 @@ usr/bin/nping #usr/share/man/es/man1 #usr/share/man/es/man1/nmap.1 #usr/share/man/fr/man1/nmap.1 -#usr/share/man/hr -#usr/share/man/hr/man1 #usr/share/man/hr/man1/nmap.1 #usr/share/man/hu #usr/share/man/hu/man1 @@ -24,8 +22,6 @@ usr/bin/nping #usr/share/man/pt_PT #usr/share/man/pt_PT/man1 #usr/share/man/pt_PT/man1/nmap.1 -#usr/share/man/ro -#usr/share/man/ro/man1 #usr/share/man/ro/man1/nmap.1 #usr/share/man/ru/man1/nmap.1 #usr/share/man/sk @@ -37,7 +33,6 @@ usr/bin/nping #usr/share/nmap usr/share/nmap/nmap-mac-prefixes usr/share/nmap/nmap-os-db -usr/share/nmap/nmap-payloads usr/share/nmap/nmap-protocols usr/share/nmap/nmap-rpc usr/share/nmap/nmap-service-probes @@ -108,6 +103,7 @@ usr/share/nmap/nselib/data/rtsp-urls.txt usr/share/nmap/nselib/data/snmpcommunities.lst usr/share/nmap/nselib/data/ssl-fingerprints usr/share/nmap/nselib/data/targets-ipv6-wordlist +usr/share/nmap/nselib/data/tftp-fingerprints.lua usr/share/nmap/nselib/data/tftplist.txt usr/share/nmap/nselib/data/usernames.lst usr/share/nmap/nselib/data/vhosts-default.lst @@ -805,6 +801,7 @@ usr/share/nmap/scripts/telnet-brute.nse usr/share/nmap/scripts/telnet-encryption.nse usr/share/nmap/scripts/telnet-ntlm-info.nse usr/share/nmap/scripts/tftp-enum.nse +usr/share/nmap/scripts/tftp-version.nse usr/share/nmap/scripts/tls-alpn.nse usr/share/nmap/scripts/tls-nextprotoneg.nse usr/share/nmap/scripts/tls-ticketbleed.nse diff --git a/lfs/nmap b/lfs/nmap index 52fd077b7..991245500 100644 --- a/lfs/nmap +++ b/lfs/nmap 
@@ -26,7 +26,7 @@ include Config SUMMARY = Network exploration tool and security scanner -VER = 7.92 +VER = 7.94 THISAPP = nmap-$(VER) DL_FILE = $(THISAPP).tar.bz2 @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/$(THISAPP) TARGET = $(DIR_INFO)/$(THISAPP) PROG = nmap -PAK_VER = 15 +PAK_VER = 16 DEPS = 
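Review bot: the shipped-file changes in config/rootfiles/packages/nmap follow directly from two changelog entries, and the commit message should say so rather than leave the reviewer to cross-check: `-usr/share/nmap/nmap-payloads` matches GH#2541 (UDP port scan now takes its payloads from nmap-service-probes, so the separate file is no longer installed), and `+usr/share/nmap/scripts/tftp-version.nse` together with the tftp-fingerprints.lua data file is the new GH#548 script and its fingerprint database. The four removed man-page directory entries for hr and ro are commented out, so nothing shipped changes there, but their child entries `#usr/share/man/hr/man1/nmap.1` and the ro equivalent now stand without parent directory entries; please confirm the rootfile reflects the actual 7.94 install tree and was not edited by hand.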
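Review bot: lfs/nmap bumps `VER = 7.94` and `PAK_VER = 16` but leaves the file's copyright header untouched, whereas patch 2/2 makes the same two bumps in lfs/ncat and also updates its header to `# Copyright (C) 2007-2023 IPFire Team #`; please bump the year here as well so the series is consistent. The PAK_VER increment itself is required: without it pakfire would not offer the rebuilt package to installed systems, so 15 to 16 is correct.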
@@ -48,7 +48,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 0f3022e797ffca7d1d3497990c86bb60ac9a80bb93cb4ec7fcfa4f51782cb8d79d4f0aca0fa6119bfd604cfe7b89af3d4223ce13ad3e6c948c021909aebd956b +$(DL_FILE)_BLAKE2 = 5819b458b50e33f6a507ad3c32a731c13e730c40d31a61731c3cfcd41fad8e3fdfcbb721ef46b05a80e406d0a646d0966d4b645551711144822551ef374a443a install : $(TARGET)
From patchwork Mon Jul 24 16:15:46 2023
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 7024
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH 2/2] ncat: Update to version 7.94
Date: Mon, 24 Jul 2023 18:15:46 +0200
Message-ID: <20230724161546.2683103-9-adolf.belka@ipfire.org>
In-Reply-To: <20230724161546.2683103-1-adolf.belka@ipfire.org>
References: <20230724161546.2683103-1-adolf.belka@ipfire.org>

- Update from version 7.92 to 7.94
- Update of rootfile not required
- Changelog
    7.94 [2023-05-19]
    o Zenmap and Ndiff now use Python 3! Thanks to the many contributors who made this effort possible:
      + [GH#2088][GH#1176][Zenmap] Updated Zenmap to Python 3 and PyGObject. [Jakub Kulík]
      + [GH#1807][GH#1176][Ndiff] Updated Ndiff to Python 3. [Brian Quigley]
      + Additional Python 3 update fixes by Sam James, Daniel Miller. Special thanks to those who opened Python 3-related issues and pull requests: Eli Schwartz, Romain Leonard, Varunram Ganesh, Pavel Zhukov, Carey Balboa, Hasan Aliyev, and others.
    o [Windows] Upgraded Npcap (our Windows raw packet capturing and transmission driver) from version 1.71 to the latest version 1.75. It includes dozens of performance improvements, bug fixes and feature enhancements described at https://npcap.com/changelog.
    o Nmap now prints vendor names based on MAC address for MA-S (24-bit), MA-M (28-bit), and MA-L (36-bit) registrations instead of the fixed 3-byte MAC prefix used previously for lookups.
    o Added partial silent-install support to the Nmap Windows installer. It previously didn't offer silent mode (/S) because the free/demo version of the Npcap Windows packet capturing driver that it needs and ships with doesn't include a silent installer. Now with the /S option, Nmap checks whether Npcap is already installed (either the free version or OEM) and will silently install itself if so. This is similar to how the Wireshark installer works and is particularly helpful for organizations that want to fully automate their Nmap (and Npcap) deployments. See https://nmap.org/nmap-silent-install for more details.
    o Lots of profile-guided memory and processing improvements for Nmap, including OS fingerprint matching, probe matching and retransmission lookups for large hostgroups, and service name lookups. Overhauled Nmap's string interning and several other startup-related procedures to speed up start times, especially for scans using OS detection. [Daniel Miller]
    o Integrated many of the most-submitted IPv4 OS fingerprints for recent versions of Windows, iOS, macOS, Linux, and BSD. Added 22 fingerprints, bringing the new total to 5700!
    o [NSE][GH#548] Added the tftp-version script which requests a nonexistent file from a TFTP server and matches the error message to a database of known software. [Mak Kolybabi]
    o [Ncat][GH#1223] Ncat can now accept "connections" from multiple UDP hosts in listen mode with the --keep-open option. This also enables --broker and --chat via UDP. [Daniel Miller]
    o [GH#2575] Upgraded OpenSSL binaries (for the Windows builds and for RPMs) to version 3.0.8. This resolves some CVEs (CVE-2022-3602; CVE-2022-3786) which don't impact Nmap proper since it doesn't do certificate validation, but could possibly impact Ncat when the --ssl-verify option is used.
    o Upgrade included libraries: zlib 1.2.13, Lua 5.4.4, libpcap 1.10.4
    o [GH#2532] Removed the bogus OpenSSL message from the Windows Nmap executable which looked like "NSOCK ERROR ssl_init_helper(): OpenSSL legacy provider failed to load." We actually already have the legacy provider built-in to our OpenSSL builds, and that's why loading the external one fails.
    o [GH#2541] UDP port scan (-sU) and version scan (-sV) now both use the same data source, nmap-service-probes, for data payloads. Previously, the nmap-payloads file was used for port scan. Port scan responses will be used to kick-start the version matching process. [Daniel Miller]
    o Nmap's service scan (-sV) can now probe the UDP service behind a DTLS tunnel, the same as it already does for TCP services with SSL/TLS encryption. The DTLSSessionReq probe has had its rarity lowered to 2 to allow it to be sent sooner in the scan. [Daniel Miller]
    o [Ncat] Ncat in listen mode with --udp --ssl will use DTLS to secure incoming connections. [Daniel Miller]
    o [GH#1023] Handle Internationalized Domain Names (IDN) like Яндекс.рф on platforms where getaddrinfo supports the AI_IDN flag. [Daniel Miller]
    o [Ncat] Addressed an issue from the Debian bug tracker (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969314) regarding data received immediately after a SOCKS CONNECT response. Ncat can now be correctly used in the ProxyCommand option of OpenSSH.
    o Improved DNS domain name parsing to avoid recursion and enforce name length limits, avoiding a theoretical stack overflow issue with certain crafted DNS server responses, reported by Philippe Antoine.
    o [GH#2338][NSE] Fix mpint packing in ssh2 library, which was causing OpenSSH errors like "ssh_dispatch_run_fatal: bignum is negative" [Sami Loone]
    o [GH#2507] Updates to the Japanese manpage translation by Taichi Kotake.
    o [Ncat][GH#1026][GH#2426] Dramatically speed up Ncat transfers on Windows by avoiding a 125ms wait for every read from STDIN. [scriptjunkie]
    o [GH#1192][Windows] Periodically reset the system idle timer to keep the system from going to sleep while scans are in process. This only affects port scans and OS detection scans, since NSE and version scan do not rely on timing data to adjust speed.
    o Updated the Nmap Public Source License (NPSL) to Version 0.95. This just clarifies that the derivative works definition and all other license clauses only apply to parties who choose to accept the license in return for the special rights granted (such as Nmap redistribution rights). If a party can do everything they need to using copyright provisions outside of this license such as fair use, we support that and aren't trying to claim any control over their work. Versions of Nmap released under previous versions of the NPSL may also be used under the NPSL 0.95 terms.
    o Avoid storing many small strings from IPv4 OS detection results in the global string_pool. These were effectively leaked after a host is done being scanned, since string_pool allocations are not freed until Nmap quits.

    7.93 [2022-09-01]
    o This release commemorates Nmap's 25th anniversary! It all started with this September 1, 1997 Phrack article by Fyodor: https://nmap.org/p51-11.html.
    o [Windows] Upgraded Npcap (our Windows raw packet capturing and transmission driver) from version 1.50 to the latest version 1.71. It includes dozens of performance improvements, bug fixes and feature enhancements described at https://npcap.com/changelog.
    o Ensure Nmap builds with OpenSSL 3.0 using no deprecated API functions. Binaries for this release include OpenSSL 3.0.5.
    o Upgrade included libraries: libssh2 1.10.0, zlib 1.2.12, Lua 5.3.6, libpcap 1.10.1
    o [GH#2416] Fix a bug that prevented Nmap from discovering interfaces on Linux when no IPv4 addresses were configured. [Daniel Miller, nnposter]
    o [NSE][GH#2463] NSE "exception handling" with nmap.new_try() will no longer result in a stack traceback in debug output nor an "ERROR: script execution failed" message in script output, since the intended behavior has always been to end the script immediately without output. [Daniel Miller]
    o [GH#2494] Update the Nmap output DTD to match actual output since the `` element was added in Nmap 7.90.
    o [NSE][GH#2496] Fix newtargets support: since Nmap 7.92, scripts could not add targets in script pre-scanning phase. [Daniel Miller]
    o [GH#2468] Scripts dhcp-discover and broadcast-dhcp-discover now support setting a client identifier. [nnposter]
    o [GH#2331][GH#2471] Script oracle-tns-version was not reporting the version correctly for Oracle 19c or newer [linholmes]
    o [GH#2296][GH#2342] Script redis-info was crashing or producing inaccurate information about client connections and/or cluster nodes. [nnposter]
    o [GH#2379] Nmap and Nping were unable to obtain system routes on FreeBSD [benpratt, nnposter]
    o [GH#2464] Script ipidseq was broken due to calling an unreachable library function. [nnposter]
    o [GH#2420][GH#2436] Support for EC crypto was not properly enabled if Nmap was compiled with OpenSSL in a custom location. [nnposter]
    o [NSE] Improvements to event handling and pcap socket garbage collection, fixing potential hangs and crashes. [Daniel Miller]
    o We ceased creating the Nmap win32 binary zipfile. It was useful back when you could just unzip it and run Nmap from there, but that hasn't worked well for many years. The win32 self-installer handles Npcap installation and many other dependencies and complexities. Anyone who needs the binaries for some reason can still install Nmap on any system and retrieve them from there. For now we're keeping the Win32 zipfile in the Nmap OEM Edition (https://nmap.org/oem) for companies building Nmap into their own products. But even in that case we believe that running the Nmap OEM self-installer in silent mode is a better approach.
    o [GH#2388] Fix TDS7 password encoding for mssql.lua, which had been assuming ASCII input even though other parts of the library had been passing it Unicode.
    o [GH#2402] Replace deprecated CPEs for IIS with their updated identifier, cpe:/a:microsoft:internet_information_services [Esa Jokinen]
    o [NSE][GH#2393] Fix script-terminating error when unknown BSON data types are encountered.
Added parsers for most standard data types. [Daniel Miller] o [Ncat] Fix hostname/certificate comparison and matching to handle ASN.1 strings without null terminators, a similar bug to OpenSSL's CVE-2021-3712. o [Ncat][GH#2365] Added support for SOCKS5 proxies that return bind addresses as hostnames, instead of IPv4/IPv6 addresses. [pomu0325] Signed-off-by: Adolf Belka --- lfs/ncat | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/lfs/ncat b/lfs/ncat index 6ba2c538b..9bbbeff3d 100644 --- a/lfs/ncat +++ b/lfs/ncat @@ -1,7 +1,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2022 IPFire Team # +# Copyright (C) 2007-2023 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -26,7 +26,7 @@ include Config SUMMARY = Network tool to concatenate and redirect sockets -VER = 7.92 +VER = 7.94 THISAPP = ncat-$(VER) DL_FILE = nmap-$(VER).tar.bz2 @@ -34,7 +34,7 @@ DL_FROM = $(URL_IPFIRE) DIR_APP = $(DIR_SRC)/nmap-$(VER) TARGET = $(DIR_INFO)/$(THISAPP) PROG = ncat -PAK_VER = 9 +PAK_VER = 10 DEPS = @@ -48,7 +48,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 0f3022e797ffca7d1d3497990c86bb60ac9a80bb93cb4ec7fcfa4f51782cb8d79d4f0aca0fa6119bfd604cfe7b89af3d4223ce13ad3e6c948c021909aebd956b +$(DL_FILE)_BLAKE2 = 5819b458b50e33f6a507ad3c32a731c13e730c40d31a61731c3cfcd41fad8e3fdfcbb721ef46b05a80e406d0a646d0966d4b645551711144822551ef374a443a install : $(TARGET)
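Review bot: both lfs files pin the same upstream tarball (lfs/ncat sets `DL_FILE = nmap-$(VER).tar.bz2`), so the two `$(DL_FILE)_BLAKE2` values have to match and do (5819b458... in both the lfs/nmap hunk of patch 1/2 and the lfs/ncat hunk here); it also means nmap and ncat can only ever be bumped together, which this two-patch series respects. What neither commit message records is how the new checksum was obtained. The tarball is downloaded from `$(URL_IPFIRE)`, the project's own mirror, not from nmap.org, so this hash is the only thing tying the build to the genuine release; please state in the commit message that the upstream release signature was checked and that the hash was then taken from that verified file (for example with `b2sum nmap-7.94.tar.bz2`).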
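The GH#2338 changelog entry quoted in both commit messages (the NSE ssh2 library causing OpenSSH to abort with "bignum is negative") comes down to one rule of the SSH wire format. The block below is an added illustration written for this page in Python; it is not code from Nmap, from its NSE ssh2 library, or from this patch series, and the function names and the sample value are constructed here. It encodes an mpint as RFC 4251 section 5 requires, beside the unsigned-only packing that produces exactly that OpenSSH error, and decodes both the way a strict peer does.

```python
"""SSH mpint encoding (RFC 4251, section 5) and the sign-byte pitfall.

Added illustration for this page, not code from Nmap's NSE ssh2 library
or from this patch series. An mpint is a uint32 length followed by the
value in two's complement, big-endian, using the fewest bytes possible.
A positive value whose first byte has its high bit set therefore needs a
leading 0x00; dropping it is what makes a peer read the value as
negative and abort with "bignum is negative".
"""
import struct


def pack_mpint(n: int) -> bytes:
    """Correct encoding for the non-negative values SSH key exchange uses."""
    if n < 0:
        raise ValueError("key exchange values are never negative")
    if n == 0:
        body = b""                                    # zero is the empty string
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        if body[0] & 0x80:
            body = b"\x00" + body                     # keep the sign bit clear
    return struct.pack(">I", len(body)) + body


def pack_mpint_unsigned(n: int) -> bytes:
    """The broken variant: the magnitude alone, never a sign byte. It is
    byte-identical to pack_mpint() whenever the top bit is clear, which is
    why such a bug shows up only intermittently (about half the time for
    a random DH public value)."""
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return struct.pack(">I", len(body)) + body


def unpack_mpint(buf: bytes) -> tuple[int, bytes]:
    """Decode one mpint as a strict peer does: signed two's complement.
    Returns (value, rest of buffer)."""
    if len(buf) < 4:
        raise ValueError("truncated mpint length")
    (length,) = struct.unpack(">I", buf[:4])
    body = buf[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated mpint body")
    return int.from_bytes(body, "big", signed=True), buf[4 + length:]


def peer_accepts(buf: bytes) -> bool:
    """What OpenSSH's check amounts to: reject a negative bignum."""
    value, _ = unpack_mpint(buf)
    return value >= 0


# Constructed sample (not a real key exchange): a 2048-bit public value
# whose top bit is set, as roughly half of all random values have.
SAMPLE_E = (1 << 2047) | 0x1234
```

The RFC's own test vector (0x9a378f9b2e332a7 encodes as 00 00 00 08 09 a3 78 f9 b2 e3 32 a7) needs no sign byte because 0x09 has a clear top bit; 0x80 does, so it becomes 00 00 00 02 00 80, and an encoder that emits 00 00 00 01 80 instead has just sent -128.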
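The changelog item on DNS domain-name parsing (avoiding recursion and enforcing name length limits against crafted responses) names the two defences without showing them. The block below is an added Python illustration written for this page; it is not Nmap's parser and not part of either patch, and the function names and the sample response bytes are constructed here. It parses an RFC 1035 name iteratively, requires compression pointers to point strictly backwards, and bounds labels at 63 and names at 255 octets, next to the naive recursive pattern that a self-referencing pointer drives off the end of the stack.

```python
"""Iterative DNS name parsing with the RFC 1035 limits enforced.

Added illustration for this page, not Nmap's code. Label lengths are
capped at 63 octets and decoded names at 255; compression pointers
(0xC0xx) are followed in a loop and must point strictly backwards, so a
self-referencing or forward pointer is rejected instead of recursed on.
"""

MAX_LABEL = 63
MAX_NAME = 255


def read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode the name at `offset`; return (dotted name, offset just past
    the name as it sits inline, i.e. just after the first pointer)."""
    labels = []
    total = 0          # decoded length incl. length octets, capped at MAX_NAME
    end = None         # inline end position, fixed when the first pointer is met
    pos = offset
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[pos]
        if length == 0:                              # root label ends the name
            pos += 1
            break
        if (length & 0xC0) == 0xC0:                  # compression pointer
            if pos + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if end is None:
                end = pos + 2
            if target >= pos:                        # must be a prior occurrence
                raise ValueError("pointer does not point backwards")
            pos = target                             # loop, never recurse
            continue
        if length > MAX_LABEL:                       # 0x40-0xBF: reserved types
            raise ValueError("label too long or reserved label type")
        total += length + 1
        if total > MAX_NAME:
            raise ValueError("name longer than %d octets" % MAX_NAME)
        label = msg[pos + 1:pos + 1 + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label.decode("ascii", "replace"))
        pos += 1 + length
    return ".".join(labels) + ".", (pos if end is None else end)


def read_name_recursive(msg: bytes, offset: int) -> str:
    """The pattern the changelog moved away from: recurse on every pointer
    with no backwards-only check and no length cap. A pointer to itself
    recurses until Python raises RecursionError (in C, the stack overflows)."""
    length = msg[offset]
    if length == 0:
        return ""
    if (length & 0xC0) == 0xC0:
        target = ((length & 0x3F) << 8) | msg[offset + 1]
        return read_name_recursive(msg, target)
    label = msg[offset + 1:offset + 1 + length].decode("ascii", "replace")
    return label + "." + read_name_recursive(msg, offset + 1 + length)


def try_read(parser, msg: bytes, offset: int) -> str:
    """Run a parser and report either the name or why it was rejected."""
    try:
        result = parser(msg, offset)
        return result[0] if isinstance(result, tuple) else result
    except (ValueError, RecursionError) as exc:
        return "rejected: " + type(exc).__name__


# Constructed sample response: header, question "www.example.com A", and
# one answer whose owner name is a pointer (0xC00C) back to offset 12.
HEADER = b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
QUESTION = b"\x03www\x07example\x03com\x00" + b"\x00\x01\x00\x01"
ANSWER = b"\xc0\x0c" + b"\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x01"
RESPONSE = HEADER + QUESTION + ANSWER
MAIL_NAME = RESPONSE + b"\x04mail\xc0\x10"      # "mail" + pointer to example.com

# Constructed hostile inputs.
SELF_POINTER = HEADER + b"\xc0\x0c"             # offset 12 points at offset 12
FORWARD_POINTER = HEADER + b"\xc0\x0e" + b"\x03abc\x00"
LONG_LABEL = b"\x40" + b"a" * 64 + b"\x00"      # 64-octet label
LONG_NAME = (b"\x3f" + b"a" * 63) * 5 + b"\x00" # 5 x 64 = 320 octets
```

Termination of `read_name` does not depend on a hop counter: every pointer strictly decreases the read position and every label adds at least one octet to `total`, so the loop must either reach a root label or exceed one of the two bounds.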