* Remove a useless patch
Changelog:
NSD 4.1.13
Sep 27, 2016
Features
multi-master-check: yes can be used to check all masters for the last version, using the higher version from the configured masters, from Manabu Sonoda.
Support RR type OPENPGPKEY from RFC 7929.
Can config key algorithms with the digest name, eg. 'sha256'.
configure --disable-radix-tree for about 15% lower memory usage.
for type SRV add A/AAAA to the additional section (if possible), just like we already do for type MX.
more extensible edns option handling.
Bugfixes
Fix compile warnings about unused result from write and strtol, and signcompare in minmax retrytime.
Fix #812: fix that make depend fails after distribution.
Fix #817: xfrd update failed loop.
Add robustness against unallocated data in nsec3 trees.
Fix README spelling error of BSD license (reported by Joerg Jung).
Fix multimaster for not tried full zone transfer for an expired zone.
Fix #827: fix compile with openssl 1.1.0 with api=1.1.0.
* Change tarball to released one
Changelog:
Version 1.3.3 (2016-10-01):
- Support longer tweets in a few more places
- Properly escape ampersand characters in user mentions to fix
GtkLabel warnings about wrong escape characters in tooltips
- Fix tweet length calculations for whitespace-only tweets
- Check for duplicated entries in media arrays. This is apparently a
problem on Twitter's side but led to crashes in Corebird (see #627)
- Use the correct nsfw status of a tweet, i.e. the one that can
actually show images.
- Fix a crash when sending a tweet with multiple images attached
- Fix tweet length calculation of quote tweets. This previously led to
tweets getting rejected by the server even though Corebird claimed
they were fine. See #628
Version 1.3.2 (2016-09-25):
- Cope with the tweet length changes introduced by Twitter
- Fix a problem with malformed media URLs
ENet's purpose is to provide a relatively thin, simple and robust network
communication layer on top of UDP (User Datagram Protocol). The primary
feature it provides is optional reliable, in-order delivery of packets.
ENet is NOT intended to be a general purpose high level networking library
that handles authentication, lobbying, server discovery, compression,
encryption and other high level, often application level or dependent tasks.
1.3.2
- The description for org_by_name incorrectly directed people to
use name_by_addr rather than name_by_name.
- Previously GeoIP.country_names was populated from
GeoIP_country_name in the libGeoIP C API. Some versions of the
libGeoIP include non-ASCII ISO-8859-1 characters in these names,
causing encoding errors under Python. When installed under
Python 3, this API now uses UTF-8 country names to populate
this dict.
1.3.1
- Strings with non-ASCII characters would throw a UTF-8 decoding
error. In Python 3, all strings from the database are in UTF-8
and using set_charset to set the character set to something
other than UTF-8 will throw a ValueError exception.
1.3.0
- Python 3 support and significant code cleanup.
- The methods name_by_addr, name_by_addr_v6, name_by_name, and
name_by_name_v6 were added for ISP, Org, and ASNum lookups.
- Portability fixes.
- Expose GEOIP_MMAP_CACHE from the C library.
- Unit tests were added.
1.2.9
- Packaging fix. PyPI-only release.
1.2.8
- Remove unused code.
- Fix low memory error handling and refcount issues on error
reported by Matt Domsch
1.2.7
- Add example test_netspeedcell.py
* Release 0.12.4 (27-Sep-2016)
** Improvements
The TCP connection-hint handler can now accept square-bracket-wrapped IPv6
addresses in colon-hex format. You can produce FURLs with such hints by doing
this:
tub.setLocation("tcp:[2001:0DB8:f00e:eb00::1]:9900")
Foolscap Tubs have been using the IPv6-capable `HostnameEndpoint` since
0.11.0, so this completes the IPv6 support. Note that there are no provisions
for automatically detecting the host's IPv6 addresses: applications that wish
to use addresses (instead of hostnames) must discover those addresses on
their own. #155
A new `tor.control_endpoint_maker()` handler function was added, which is
just like `tor.control_endpoint()` but accepts a callable function, which
will be invoked only when a `tor:` hint is encountered. The function can
return a Deferred which yields the control endpoint. This allows lazy
launching of a Tor daemon, which can also be shared with other application
needs, such as listening on an Onion service. #270
Based on a PR by Jussi Sallinen.
1.6.9 2016-01-11
- Fix a regression introduced in version 1.6.8, which caused
GeoIP_database_info to erroneously return NULL.
1.6.8 2016-01-11
- Allow compilation on older systems by relaxing the autoconf and automake
minimum versions. Thank you, Jose Rubio!
- Avoid potential problems in multi-threaded environments by consistently using
pread() rather than read().
- Fix various small issues reported by clang's static analyser.
1.6.7 2015-10-30
- Fixed a MSVC parser stack overflow when parsing `regionName.c` and
`timeZone.c`. Fix by elliotlo. GitHub #64.
- Updated region codes and timezones.
- When using `GEOIP_MEMORY_CACHE` with an invalid database file, the search
tree traversal could attempt to read memory outside of the memory allocated
for the memory cache, resulting in a segmentation fault. A check was added
to ensure that the traversal code does not try to read beyond the end of the
file, whether in memory, memory mapped, or on disk.
- Previously the return values from file reads were ignored. We now check
these values to ensure that there were no errors.
1.6.6 2015-07-28
- Replaced usage of deprecated fileno, read, and lseek on Visual Studio 2005+
with their ISO C++ conformant replacements.
- A warning about using a double as a float was fixed.
- Fixed segfault when doing a lookup on an empty database.
- Fixed a memcheck error from valgrind in the `_check_mtime`
function.
- Fixed `_check_mtime` to check the return value of `gettimeofday` rather than
just assuming it worked.
1.6.5 2015-02-25
- A segmentation fault in `geoiplookup` was fixed when the utility was passed
an invalid database.
- Additional validation was added for validation of the size used in the
creation of the index cache.
- Changed the code to only look up country codes by using functions which
ensure that we do not try to look past the end of an array.
1.6.4 2015-01-12
- Update Fips codes
- Several issues with the MinGW build were fixed.
- Use a constructor in pread.c to ensure the critical section is always
initialized.
- Added missing include of `io.h` on Windows.
- Fixed `configure` warning that `'missing' script is too old or missing`.
- Previously `nmake /f Makefile.vc clean` would fail on Windows. This was
fixed.
- Obsolete win32 and NetWare make files were removed.
- Numerous documentation updates.
1.6.3 2014-10-29
- Added a GEOIP_SILENCE flag. Include this flag when calling GeoIP_open to
prevent any messages from being written to stderr.
- Mitigate a possible race condition when running under threads in the
GeoIP_cleanup function.
- Added some recommendations to the docs on using this library in a
threaded application.
- Fixed some bugs discovered by coverity, including failure to check some
system call return values and making sure all strings are
null-terminated.
1.6.2 2014-07-08
- Two files required for building on Win32 were missing from the 1.6.1
release. These files were added. There are no changes affecting other
platforms.
1.6.1 2014-06-26
- Improve Win32 support
- Update FIPS codes
1.6.0 2013-10-29
- Remove geoipupdate
1.5.2 2013-10-29
- Update region and time zones
- Fix benchmark script
- Remove autogenerated files ltmain.sh, man/geoip*.1
- Explain how to download free geolite databases in the README.md and
GeoIP.conf.default
- geoipupdate returns 1 on error 0 on success instead of the error code
- README is replaced by README.md
- Add support for OS X Mavericks
1.5.1 2013-05-14
- Update time_zone for Ontario, Canada
- geoiplookup and geoiplookup6 exit code is 0 when user asked for help
- Added -h option to geoiplookup6
- Do not load the database file if nodes and file size do not make
sense.
- Keep README and man pages in pure ascii.
- It doesn't make sense to use GEOIP_INDEX_MODE with small databases
like GEOIP_COUNTRY_EDITION. Instead of undefined behaviour we handle
it silently as GEOIP_MEMORY_MODE
- Update FIPS codes for Greece
1.5.0 2013-02-21
- Rename custom_directory to GeoIP_custom_directory.
- Make sure the database matches the requested type. This is helpful for
Databases with the same default name and the general geoiplookup form
(geoiplookup without a specific database)
- apps/geoiplookup6.c use the ipnum instead of the hostname for lookups.
- Use configure.ac instead of configure.in
- Region lookup is a bit faster
- Add pkg-config file
- Updates required to build a Windows DLL under MinGW
- Make API thread safe
- geoiplookup's default charset is UTF8
-l change the charset back to iso8859-1
- geoipupdate skips \r otherwise it might be part of the last
product_id
- Update time zones
- Update Region codes
- Remove the unused CITYCONFIDENCE* database types
- bootstrap rebuilds ltmain.sh
- Update README.OSX for Lion
- Change Macedonia to Macedonia, The Former Yugoslav Republic of
- Add region_name to geoiplookup GEOIP_CITY_EDITION_REV1
- Add region_name to geoiplookup GEOIP_CITY_EDITION_REV0
- Add a --disable-data-files option. This allows you to build and install
the library without having a data/GeoIP.dat file. This is useful when
building the library from a checkout of the source tree, rather than a
tarball
- Add GEOIP_ACCURACYRADIUS_EDITION and GEOIP_ACCURACYRADIUS_EDITION_V6
- Add more database types GEOIP_COUNTRYCONF_EDITION,
GEOIP_CITYCONF_EDITION, GEOIP_REGIONCONF_EDITION and
GEOIP_POSTALCONF_EDITION
- Fix default filenames for GEOIP_NETSPEED_EDITION_REV1 and
GEOIP_NETSPEED_EDITION_REV1_V6
Changes in version 0.2.8.9 - 2016-10-17
Tor 0.2.8.9 backports a fix for a security hole in previous versions
of Tor that would allow a remote attacker to crash a Tor client,
hidden service, relay, or authority. All Tor users should upgrade to
this version, or to 0.2.9.4-alpha. Patches will be released for older
versions of Tor.
o Major features (security fixes, also in 0.2.9.4-alpha):
- Prevent a class of security bugs caused by treating the contents
of a buffer chunk as if they were a NUL-terminated string. At
least one such bug seems to be present in all currently used
versions of Tor, and would allow an attacker to remotely crash
most Tor instances, especially those compiled with extra compiler
hardening. With this defense in place, such bugs can't crash Tor,
though we should still fix them as they occur. Closes ticket
20384 (TROVE-2016-10-001).
o Minor features (geoip):
- Update geoip and geoip6 to the October 4 2016 Maxmind GeoLite2
Country database.
## Changes Between 1.5.x and 1.6.0 (Apr 4th, 2016)
### amq-protocol Update
Minimum `amq-protocol` version is now `2.0.1`.
### Provide More Details in TCP Connection Failure Exception
Contributed by Neil Hooey.
GH issue: [#222](https://github.com/ruby-amqp/amqp/issues/222).
### Ensures frameset is cleared after an unhandled exception
Ensures frameset is cleared after an unhandled exception.
This avoids confusing exceptions such as
```
undefined method `method_class' for #<AMQ::Protocol::BodyFrame:0x0000001e8a60b0>
```
Contributed by Michael Lutsiuk.
GH issue: [#218](https://github.com/ruby-amqp/amqp/issues/218)
ok pettai@
Changes:
Nmap 7.30 [2016-09-29]
Integrated all 12 of your IPv6 OS fingerprint submissions from June to September. No new groups, but several classifications were strengthened, especially Windows localhost and OS X. [Daniel Miller]
[NSE] Added 7 NSE scripts, from 3 authors, bringing the total up to 541! They are all listed at https://nmap.org/nsedoc/, and the summaries are below (authors are listed in brackets):
[GH#369] coap-resources grabs the list of available resources from CoAP endpoints. [Mak Kolybabi]
fox-info retrieves detailed version and configuration info from Tridium Niagara Fox services. [Stephen Hilt]
ipmi-brute performs authentication brute-forcing on IPMI services. [Claudiu Perta]
ipmi-cipher-zero checks IPMI services for Cipher Zero support, which allows connection without a password. [Claudiu Perta]
ipmi-version retrieves protocol version and authentication options from ASF-RMCP (IPMI) services. [Claudiu Perta]
[GH#352] mqtt-subscribe connects to a MQTT broker, subscribes to topics, and lists the messages received. [Mak Kolybabi]
pcworx-info retrieves PLC model, firmware version, and date from Phoenix Contact PLCs. [Stephen Hilt]
Upgraded Npcap, our new Windows packet capturing driver/library, from version 0.09 to 0.10r2. This includes many bug fixes, with a particular emphasis on concurrency issues discovered by running hundreds of Nmap instances at a time. More details are available from https://github.com/nmap/npcap/releases. [Yang Luo, Daniel Miller, Fyodor]
New service probes and match lines for DTLS, IPMI-RMCP, MQTT, PCWorx, ProConOS, and Tridium Fox. [Stephen Hilt, Mak Kolybabi, Daniel Miller]
Improved some output filtering to remove or escape carriage returns ('\r') that could allow output spoofing by overwriting portions of the screen. Issue reported by Adam Rutherford. [Daniel Miller]
[NSE] Fixed a few bad Lua patterns that could result in denial of service due to excessive backtracking. [Adam Rutherford, Daniel Miller]
Fixed a discrepancy between the number of targets selected with -iR and the number of hosts scanned, resulting in output like "Nmap done: 1033 IP addresses" when the user specified -iR 1000. [Daniel Miller]
Fixed a bug in port specification parsing that could cause extraneous 'T', 'U', 'S', and 'P' characters to be ignored when they should have caused an error. [David Fifield]
[GH#543] Restored compatibility with LibreSSL, which was lost in adding library version checks for OpenSSL 1.1. [Wonko7]
[Zenmap] Fixed a bug in the Compare Scans window of Zenmap on OS X resulting in this message instead of Ndiff output:
ImportError: dlopen(/Applications/Zenmap.app/Contents/Resources/lib/python2.7/lib-dynload/datetime.so, 2): no suitable image found. Did find:
/Applications/Zenmap.app/Contents/Resources/lib/python2.7/lib-dynload/datetime.so: mach-o, but wrong architecture
Reported by Kyle Gustafson. [Daniel Miller]
[NSE] Fixed a bug in ssl-enum-ciphers and ssl-dh-params which caused them to not output TLSv1.2 info with DHE ciphersuites or others involving ServerKeyExchange messages. [Daniel Miller]
[NSE] Added X509v3 extension parsing to NSE's sslcert code. ssl-cert now shows the Subject Alternative Name extension; all extensions are shown in the XML output. [Daniel Miller]
Nmap 7.25BETA2 [2016-09-01]
[GH#376] Windows binaries are now code-signed with our "Insecure.Com LLC" SHA256 certificate. This should give our users extra peace-of-mind and avoid triggering Microsoft's ever-increasing security warnings.
[NSE] Upgraded NSE to Lua 5.3, adding bitwise operators, integer data type, a utf8 library, and native binary packing and unpacking functions. Removed bit library, added bits.lua, replaced base32, base64, and bin libraries. [Patrick Donnelly]
[NSE] Added 2 NSE scripts, bringing the total up to 534! They are both listed at https://nmap.org/nsedoc/, and the summaries are below:
oracle-tns-version decodes the version number from Oracle Database Server's TNS listener. [Daniel Miller]
clock-skew analyzes and reports clock skew between Nmap and services that report timestamps, grouping hosts with similar skews. [Daniel Miller]
Integrated all of your service/version detection fingerprints submitted from January to April (578 of them). The signature count went up 2.2% to 10760. We now detect 1122 protocols, from elasticsearch, fhem, and goldengate to ptcp, resin-watchdog, and siemens-logo. [Daniel Miller]
Upgraded Npcap, our new Windows packet capturing driver/library, from version 0.07-r17 to 0.09. This includes many improvements you can read about at https://github.com/nmap/npcap/releases.
[Nsock][GH#148] Added the new IOCP Nsock engine which uses the Windows Overlapped I/O API to improve performance of version scan and NSE against many targets on Windows. [Tudor Emil Coman]
Various performance improvements for large-scale high-rate scanning, including increased ping host groups, faster probe matching, and ensuring data types can handle an Internet's-worth of targets. [Tudor Emil Coman]
[NSE] Added the oracle-tns-version NSE script which decodes the version number from Oracle Database Server's TNS listener. https://nmap.org/nsedoc/scripts/oracle-tns-version.html [Daniel Miller]
[NSE] Added the clock-skew NSE script which analyzes and reports clock skew between Nmap and services that report timestamps, grouping hosts with similar skews. https://nmap.org/nsedoc/scripts/clock-skew.html [Daniel Miller]
[Zenmap] Long-overdue Spanish language translation has been added! Muy bien! [Vincent Dumont, Marta Garcia De La Paz, Paulino Calderon, Patricio Castagnaro]
[Zenmap][GH#449] Fix a crash when closing Zenmap due to a read-only zenmap.conf. User will be warned that config cannot be saved and that they should fix the file permissions. [Daniel Miller]
[NSE] Fix a crash when parsing TLS certificates that OpenSSL doesn't support, like DH certificates or corrupted certs. When this happens, ssl-enum-ciphers will label the ciphersuite strength as "unknown." Reported by Bertrand Bonnefoy-Claudet. [Daniel Miller]
[NSE][GH#531] Fix two issues in sslcert.lua that prevented correct operations against LDAP services when version detection or STARTTLS were used. [Tom Sellers]
[GH#426] Remove a workaround for lack of selectable pcap file descriptors on Windows, which required including pcap-int.h and locking us to a single version of libpcap. The new method, using WaitForSingleObject should work with all versions of both WinPcap and Npcap. [Daniel Miller]
[NSE][GH#234] Added a --script-timeout option for limiting run time for every individual NSE script. [Abhishek Singh]
[Ncat][GH#444] Added a -z option to Ncat. Just like the -z option in traditional netcat, it can be used to quickly check the status of a port. Port ranges are not supported since we recommend a certain other tool for port scanning. [Abhishek Singh]
Fix checking of Npcap/WinPcap presence on Windows so that "nmap -A" and "nmap" with no options result in the same behaviors as on Linux (and no crashes) [Daniel Miller]
[NSE] ssl-enum-ciphers will now warn about 64-bit block ciphers in CBC mode, which are vulnerable to the SWEET32 attack.
[NSE][GH#117] tftp-enum now only brute-forces IP-address-based Cisco filenames when the wordlist contains "{cisco}". Previously, custom wordlists would still end up sending these extra 256 requests. [Sriram Raghunathan]
[GH#472] Avoid an unnecessary assert failure in timing.cc when printing estimated completion time. Instead, we'll output a diagnostic error message:
Timing error: localtime(n) is NULL
where "n" is some number that is causing problems. [Jean-Guilhem Nousse]
[NSE][GH#519] Removed the obsolete script ip-geolocation-geobytes. [Paulino Calderon]
[NSE] Added 9 new fingerprints for script http-default-accounts. (Motorola AP, Lantronix print server, Dell iDRAC6, HP StorageWorks, Zabbix, Schneider controller, Xerox printer, Citrix NetScaler, ESXi hypervisor) [nnposter]
[NSE] Completed a refresh and validation of almost all fingerprints for script http-default-accounts. Also improved the script speed. [nnposter]
[GH#98] Added support for decoys in IPv6. Earlier we supported decoys only in IPv4. [Abhishek Singh]
[GH#484] Allow Nmap to compile on some older Red Hat distros that disable EC crypto support in OpenSSL. [Jeroen Roovers, Vincent Dumont]
[GH#439] Nmap now supports OpenSSL 1.1.0-pre5 and previous versions. [Vincent Dumont]
[Ncat] Fix a crash ("add_fdinfo() failed.") when --exec was used with --ssl and --max-conns, due to improper accounting of file descriptors. [Daniel Miller]
FTP Bounce scan: improved some edge cases like anonymous login without password, 500 errors used to indicate port closed, and timeouts for LIST command. Also fixed a 1-byte array overrun (read) when checking for privileged ports. [Daniel Miller]
[GH#140] Allow target DNS names up to 254 bytes. We previously imposed an incorrect limit of 64 bytes in several parts of Nmap. [Vincent Dumont]
[NSE] The hard limit on number of concurrently running scripts can now increase above 1000 to match a high user-set --min-parallelism value. [Tudor Emil Coman]
[NSE] Solved a memory corruption issue that would happen if a socket connect operation produced an error immediately, such as Network Unreachable. The event handler was throwing a Lua error, preventing Nsock from cleaning up properly, leaking events. [Abhishek Singh, Daniel Miller]
[NSE] Added the datetime library for performing date and time calculations, and as a helper to the clock-skew script.
[GH#103][GH#364] Made Nmap's parallel reverse DNS resolver more robust, fully handling truncated replies. If a response is too long, we now fall back to using the system resolver to answer it. [Abhishek Singh]
[Zenmap][GH#279] Added a legend for the Topography window. [Suraj Hande]
Nmap 7.25BETA1 [2016-07-15]
Nmap now ships with and uses Npcap, our new packet sniffing library for Windows. It's based on WinPcap (unmaintained for years), but uses modern Windows APIs for better performance. It also includes security improvements and many bug fixes. See http://npcap.org. And it enables Nmap to perform SYN scans and OS detection against localhost, which we haven't been able to do on Windows since Microsoft removed the raw sockets API in 2003. [Yang Luo, Daniel Miller, Fyodor]
[NSE] Added 6 NSE scripts, from 5 authors, bringing the total up to 533! They are all listed at https://nmap.org/nsedoc/, and the summaries are below (authors are listed in brackets):
clamav-exec detects ClamAV servers vulnerable to unauthorized clamav command execution. [Paulino Calderon]
http-aspnet-debug detects ASP.NET applications with debugging enabled. [Josh Amishav-Zlatin]
http-internal-ip-disclosure determines if the web server leaks its internal IP address when sending an HTTP/1.0 request without a Host header. [Josh Amishav-Zlatin]
[GH#304] http-mcmp detects mod_cluster Management Protocol (MCMP) and dumps its configuration. [Frank Spierings]
[GH#365] sslv2-drown detects vulnerability to the DROWN attack, including CVE-2016-0703 and CVE-2016-0704 that enable fast attacks on OpenSSL. [Bertrand Bonnefoy-Claudet]
vnc-title logs in to VNC servers and grabs the desktop title, geometry, and color depth. [Daniel Miller]
Integrated all of your IPv4 OS fingerprint submissions from January to April (539 of them). Added 98 fingerprints, bringing the new total to 5187. Additions include Linux 4.4, Android 6.0, Windows Server 2016, and more. [Daniel Miller]
Integrated all 31 of your IPv6 OS fingerprint submissions from January to June. The classifier added 2 groups and expanded several others. Several Apple OS X groups were consolidated, reducing the total number of groups to 93. [Daniel Miller]
Update oldest supported Windows version to Vista (Windows 6.0). This enables the use of the poll Nsock engine, which has significant performance and accuracy advantages. Windows XP users can still use Nmap 7.12, available from https://nmap.org/dist/?C=M&O=D [Daniel Miller]
[NSE] Fix a crash that happened when trying to print the percent done of 0 NSE script threads:
timing.cc:710 bool ScanProgressMeter::printStats(double, const timeval*): Assertion 'ltime' failed.
This would happen if no scripts were scheduled in a scan phase and the user pressed a key or specified a short --stats-every interval. Reported by Richard Petrie. [Daniel Miller]
[GH#283][Nsock] Avoid "unknown protocol:0" debug messages and an "Unknown address family 0" crash on Windows and other platforms that do not set the src_addr argument to recvfrom for TCP sockets. [Daniel Miller]
Retrieve the correct network prefix length for an adapter on Windows. If more than one address was configured on an adapter, the same prefix length would be used for both. This incorrect behavior is still used on Windows XP and earlier. Reported by Niels Bohr. [Daniel Miller]
Changed libdnet-stripped to avoid bailing completely when an interface is encountered with an unsupported hardware address type. Caused "INTERFACES: NONE FOUND!" bugs in Nmap whenever Linux kernel added new hardware address types. [Daniel Miller]
Improved service detection of Docker and fixed a bug in the output of docker-version script. [Tom Sellers]
Fix detection of Microsoft Terminal Services (RDP). Our improved TLS service probes were matching on port 3389 before our specific Terminal Services probe, causing the port to be labeled as "ssl/unknown". Reported by Josh Amishav-Zlatin.
[NSE] Update to enable smb-os-discovery to augment version detection for certain SMB related services using data that the script discovers. [Tom Sellers]
Improved version detection and descriptions for Microsoft and Samba SMB services. Also addresses certain issues with OS identification. [Tom Sellers]
[NSE] ssl-enum-ciphers will give a failing score to any server with an RSA certificate whose public key uses an exponent of 1. It will also cap the score of an RC4-ciphersuite handshake at C and output a warning referencing RFC 7465. [Daniel Miller]
[NSE] Refactored some SSLv2 functionality into a new library, sslv2.lua . [Daniel Miller]
[GH#399] Zenmap's authorization wrapper now uses an AppleScript method for privilege escalation on OS X, avoiding the deprecated AuthorizationExecuteWithPrivileges method previously used. [Vincent Dumont]
[GH#454] The OS X binary package is distributed in a .dmg disk image that now features an instructive background image. [Vincent Dumont]
[GH#420] Our OS X build system now uses gtk-mac-bundler and jhbuild to provide all dependencies. We no longer use Macports for this purpose. [Vincent Dumont]
[GH#345][Zenmap] On Windows, save Zenmap's stderr output to a writeable location (%LOCALAPPDATA%\zenmap.exe.log or %TEMP%\zenmap.exe.log) instead of next to the zenmap.exe executable. This avoids a warning message when closing Zenmap if it produced any stderr output. [Daniel Miller]
[GH#379][NSE] Fix http-iis-short-name-brute to report non vulnerable hosts. Reported by alias1. [Paulino Calderon]
[NSE][GH#371] Fix mysql-audit by adding needed library requires to the mysql-cis.audit file. The script would fail with "Failed to load rulebase" message. [Paolo Perego]
[NSE][GH#362] Added support for LDAP over udp to ldap-rootdse.nse. Also added version detection and information extraction to match the new LDAP LDAPSearchReq and LDAPSearchReqUDP probes. [Tom Sellers]
[GH#354] Added new version detection Probes for LDAP services, LDAPSearchReq and LDAPSearchReqUDP. The second is Microsoft Active Directory specific. The Probes will elicit responses from target services that allow better fingerprinting and information extraction. Also added nmap-payload entry for detecting LDAP on udp. [Tom Sellers]
[NSE] More VNC updates: Support for VeNCrypt and Tight auth types, output of authentication sub-types in vnc-info, and all zero-authentication types are recognized and reported. [Daniel Miller]
Changes:
2016/08/30 : 1.6.9
- DOC: Updated 51Degrees readme.
- BUG/MAJOR: stream: properly mark the server address as unset on connect retry
- BUG/MINOR: payload: fix SSLv2 version parser
- MINOR: cli: allow the semi-colon to be escaped on the CLI
2016/08/14 : 1.6.8
- BUG/MEDIUM: lua: the function txn_done() from sample fetches can crash
- BUG/MEDIUM: lua: the function txn_done() from action wrapper can crash
- BUG/MINOR: peers: Fix peers data decoding issue
- DOC: lua: remove old functions
- BUG/MEDIUM: lua: some HTTP manipulation functions are called without valid requests
- BUG/MEDIUM: stream-int: completely detach connection on connect error
- DOC: minor typo fixes to improve HTML parsing by haproxy-dconv
- BUILD: make proto_tcp.c compatible with musl library
- BUG/MAJOR: compression: initialize avail_in/next_in even during flush
- BUG/MEDIUM: samples: make smp_dup() always duplicate the sample
- MINOR: sample: implement smp_is_safe() and smp_make_safe()
- MINOR: sample: provide smp_is_rw() and smp_make_rw()
- BUG/MAJOR: server: the "sni" directive could randomly cause trouble
- BUG/MEDIUM: stick-tables: do not fail on string keys with no allocated size
- BUG/MEDIUM: stick-table: properly convert binary samples to keys
- MINOR: sample: use smp_make_rw() in upper/lower converters
- BUG/MINOR: peers: some updates are pushed twice after a resync.
- BUG/MINOR: peers: empty chunks after a resync.
- BUG/MAJOR: stick-counters: possible crash when using sc_trackers with wrong table
2016/07/13 : 1.6.7
- MINOR: new function my_realloc2 = realloc + free upon failure
- CLEANUP: fixed some usages of realloc leading to memory leak
- Revert "BUG/MINOR: ssl: fix potential memory leak in ssl_sock_load_dh_params()"
- BUG/MEDIUM: dns: fix alignment issues in the DNS response parser
- BUG/MINOR: Fix endianness issue in DNS header creation code
http://freeradius.org/version2.html
The 2.2.x release series is now End Of Life. Only security fixes will be applied to 2.2.x.
Fix Tunnel-Password crash from home server. Found by Denis Andzakovic.
Fix timer issue when proxying.
Update EAP-TTLS so that MPPE keys are correctly calculated with TLSv1.2.
Always delete MS-MPPE-* from the TTLS inner tunnel. This allows TTLS / EAP-MSCHAPv2 to work.
Don't fall through in empty "case" statements. Fixes #1274.
What's New
Bug Fixes
The following vulnerabilities have been fixed:
* wnpa-sec-2016-56
The Bluetooth L2CAP dissector could crash. (Bug 12825)
* wnpa-sec-2016-57
The NCP dissector could crash. (Bug 12945)
The following bugs have been fixed:
* Flow Graph colored data arrows. (Bug 12065)
* Capture File Properties under Statistics Grayed Out after Stopping
a Capture. (Bug 12071)
* Qt: Hidden columns displayed during live capture. (Bug 12377)
* Unable to save changes to coloring rules. (Bug 12814)
* Bad description for NBSS error code 0x81. (Bug 12835)
* Live capture from USBPcap fails immediately. (Bug 12846)
* Cannot decrypt EAP-TTLS traffic (not recognized as conversation).
(Bug 12879)
* Export packet dissections Option disabled after capturing traffic.
(Bug 12898)
* Failure to open file named with Chinese or other multibyte
characters. (Bug 12900)
* k12 text file format causes errors. (Bug 12903)
* File | File Set | List Files dialog is blank. (Bug 12904)
* Decoding/Display of an INAP CONNECT message goes wrong for the
Destination Routing Address part. (Bug 12911)
* TLS padding extension dissector length parsing bug. (Bug 12922)
* Diameter dictionary bugs. (Bug 12927)
* File open from menu bar with filter in place causes Wireshark to
crash. (Bug 12929)
* Unable to capture USBPcap trace using tshark with extcap built.
(Bug 12949)
* P1 dissector fails a TVB assertion. (Bug 12976)
* Multiple PortableApps instances can once again be run at the same
time.
Updated Protocol Support
6LowPAN, BT L2CAP, CIP, DCOM IRemUnknown, Diameter, DMP, EAP, ISUP,
NBT, NCP, NetFlow, SSL / TLS, and U3V
New and Updated Capture File Support
Ascend, and K12
Upstream changes:
* 3.2.2 (2016/09/25)
* switch to libcurl instead of glib-networking
* implement --post and --ciphers options
* support display of extended_tweet
* 3.2.1 (2016/04/24)
* implement --filter and --record options
* implement editing NG words
* reflect 'don't show Retweets by this user' settings
* add support for thumbnail of Shindan-maker
* print Unicode foreign letters
* compressed display of continuous RTs and favs
Upstream changes:
* update po files
* tco: Ruby2.3 warnings on extracting URLs due to Kernel.#timeout call
* remove notice on Net::ReadTimeout
* stop use of obsolete Gdk::Pixbuf.new
Changes:
version 2016.10.07
Extractors
+ [iprima] Detect geo restriction
* [facebook] Fix video extraction (#10846)
+ [commonprotocols] Support direct MMS links (#10838)
+ [generic] Add support for multiple vimeo embeds (#10862)
+ [nzz] Add support for nzz.ch (#4407)
+ [npo] Detect geo restriction
+ [npo] Add support for 2doc.nl (#10842)
+ [lego] Add support for lego.com (#10369)
+ [tonline] Add support for t-online.de (#10376)
* [techtalks] Relax URL regular expression (#10840)
* [youtube:live] Extend URL regular expression (#10839)
+ [theweatherchannel] Add support for weather.com (#7188)
+ [thisoldhouse] Add support for thisoldhouse.com (#10837)
+ [nhl] Add support for wch2016.com (#10833)
* [pornoxo] Use JWPlatform to improve metadata extraction
version 2016.10.02
Core
* Fix possibly lost extended attributes during post-processing
+ Support pyxattr as well as python-xattr for --xattrs and
--xattr-set-filesize (#9054)
Extractors
+ [jwplatform] Support DASH streams in JWPlayer
+ [jwplatform] Support old-style JWPlayer playlists
+ [byutv:event] Add extractor
* [periscope:user] Fix extraction (#10820)
* [dctp] Fix extraction (#10734)
+ [instagram] Extract video dimensions (#10790)
+ [tvland] Extend URL regular expression (#10812)
+ [vgtv] Add support for tv.aftonbladet.se (#10800)
- [aftonbladet] Remove extractor
* [vk] Fix timestamp and view count extraction (#10760)
+ [vk] Add support for running and finished live streams (#10799)
+ [leeco] Recognize more Le Sports URLs (#10794)
+ [instagram] Extract comments (#10788)
+ [ketnet] Extract mzsource formats (#10770)
* [limelight:media] Improve HTTP formats extraction
version 2016.09.27
Core
+ Add hdcore query parameter to akamai f4m formats
+ Delegate HLS live streams downloading to ffmpeg
+ Improved support for HTML5 subtitles
Extractors
+ [vk] Add support for dailymotion embeds (#10661)
* [promptfile] Fix extraction (#10634)
* [kaltura] Speed up embed regular expressions (#10764)
+ [npo] Add support for anderetijden.nl (#10754)
+ [prosiebensat1] Add support for advopedia sites
* [mwave] Relax URL regular expression (#10735, #10748)
* [prosiebensat1] Fix playlist support (#10745)
+ [prosiebensat1] Add support for sat1gold sites (#10745)
+ [cbsnews:livevideo] Fix extraction and extract m3u8 formats
+ [brightcove:new] Add support for live streams
* [soundcloud] Generalize playlist entries extraction (#10733)
+ [mtv] Add support for new URL schema (#8169, #9808)
* [einthusan] Fix extraction (#10714)
+ [twitter] Support Periscope embeds (#10737)
+ [openload] Support subtitles (#10625)
version 2016.09.24
Core
+ Add support for watchTVeverywhere.com authentication provider based MSOs for
Adobe Pass authentication (#10709)
Extractors
+ [soundcloud:playlist] Provide video id for early playlist entries (#10733)
+ [prosiebensat1] Add support for kabeleinsdoku (#10732)
* [cbs] Extract info from thunder videoPlayerService (#10728)
* [openload] Fix extraction (#10408)
+ [ustream] Support the new HLS streams (#10698)
+ [ooyala] Extract all HLS formats
+ [cartoonnetwork] Add support for Adobe Pass authentication
+ [soundcloud] Extract license metadata
+ [fox] Add support for Adobe Pass authentication (#8584)
+ [tbs] Add support for Adobe Pass authentication (#10642, #10222)
+ [trutv] Add support for Adobe Pass authentication (#10519)
+ [turner] Add support for Adobe Pass authentication
version 2016.09.19
Extractors
+ [crunchyroll] Check if already authenticated (#10700)
- [twitch:stream] Remove fallback to profile extraction when stream is offline
* [thisav] Improve title extraction (#10682)
* [vyborymos] Improve station info extraction
version 2016.09.18
Core
+ Introduce manifest_url and fragments fields in formats dictionary for
fragmented media
+ Provide manifest_url field for DASH segments, HLS and HDS
+ Provide fragments field for DASH segments
* Rework DASH segments downloader to use fragments field
+ Add helper method for Wowza Streaming Engine formats extraction
Extractors
+ [vyborymos] Add extractor for vybory.mos.ru (#10692)
+ [xfileshare] Add title regular expression for streamin.to (#10646)
+ [globo:article] Add support for multiple videos (#10653)
+ [thisav] Recognize HTML5 videos (#10447)
* [jwplatform] Improve JWPlayer detection
+ [mangomolo] Add support for Mangomolo embeds
+ [toutv] Add support for authentication (#10669)
* [franceinter] Fix upload date extraction
* [tv4] Fix HLS and HDS formats extraction (#10659)
* Fixed octal and hex string parsing in options.
* Ignore bogus RTM_DELADDR on FreeBSD when the interface goes down.
* Several statically sized buffers have been removed and replaced
with dynamically sized ones where we have no real idea of what
the size will be.
* Reverse IPv4 route removal order.
* Improved handling of Netlink messages on Linux.
* Poll for tentative link-local addresses if needed.
* Added --small configure directive to reduce binary size
* Allow DHCPv6, IPv4LL and authentication to be compiled out
* dhcpcd requires the interface to be up when considering link status
* Add support for ifa_addrflags in getifaddrs(3)
* Add support for ifam_addrflags and ifam_pid from route(4)
* If T1 or T2 are not set in DHCPv6 messages, use a default from the
lowest pltime instead of the expiration time.
* Validate lease before moving to REQUEST when both ends use
rapid commit.
* If lease validation fails, don't restart the DISCOVER phase if
we're already in it.
- Create a pkg-config file for libunbound in contrib.
- TCP Fast open.
- Finegrained localzone control with define-tag, access-control-tag,
access-control-tag-action, access-control-tag-data, local-zone-tag, and
local-zone-override. And added types always_transparent, always_refuse,
always_nxdomain with that.
- If more than half of tcp connections are in use, a shorter timeout
is used (200 msec, vs 2 minutes) to pressure tcp for new connects.
- [bugzilla: 787 ] Fix #787: outgoing-interface netblock/64 ipv6
option to use linux freebind to use 64bits of entropy for every query
with random local part.
- For #787: prefer-ip6 option for unbound.conf prefers to send
upstream queries to ipv6 servers.
- Add default root hints for IPv6 E.ROOT-SERVERS.NET, 2001:500:a8::e.
- keep debug symbols in windows build.
Bug Fixes:
----------
- [bugzilla: 778 ] Fix unbound 1.5.9: -h segfault (null deref).
- Fix unbound-anchor.exe file location defaults to Program Files with
(x86) appended.
- Fix to not ignore return value of chown() in daemon startup.
- Better help text from -h.
- [bugzilla: 773 ] Fix Non-standard Python location build failure with
pyunbound.
- Improve threadsafety for openssl 0.9.8 ecdsa dnssec signatures.
- Revert fix for NetworkService account on windows due to breakage it
causes.
- Fix that windows install will not overwrite existing service.conf
file (and ignore gui config choices if it exists).
- And delete service.conf.shipped on uninstall.
- In unbound.conf directory: dir immediately changes to that
directory, so that include: file below that is relative to that
directory. With chroot, make the directory an absolute path inside chroot.
- do not delete service.conf on windows uninstall.
- document directory immediate fix and allow EXECUTABLE syntax in it
on windows.
- Fix directory: fix for unbound-checkconf, it restores cwd.
- Use QTYPE=A for QNAME minimisation.
- Keep track of number of time-outs when performing QNAME
minimisation. Stop minimising when number of time-outs for a QNAME/QTYPE
pair is more than three.
- [bugzilla: 775 ] Fix unbound-host and unbound-anchor crash on
windows, ignore null delete for wsaevent.
- Fix spelling in freebind option man page text.
- Fix windows link of ssl with crypt32.
- [bugzilla: 779 ] Fix Union casting is non-portable.
- [bugzilla: 780 ] Fix MAP_ANON not defined in HP-UX 11.31.
- [bugzilla: 781 ] Fix prealloc() is an HP-UX system library call.
- Decrease dp attempts at each QNAME minimisation iteration
- [bugzilla: 784 ] Fix Build configure assumes that having getpwnam
means there is endpwent function available.
- Updated repository with newer flex and bison output.
- Fix static compile on windows missing gdi32.
- Fix dynamic link of anchor-update.exe on windows.
- Fix detect of mingw for MXE package build.
- Fixes for 64bit windows compile.
- [bugzilla: 788 ] Fix for nettle 3.0: Failed to build with Nettle >=
3.0 and --with-libunbound-only --with-nettle.
- Fixed unbound.doxygen for 1.8.11.
- [bugzilla: 798 ] Fix Client-side TCP fast open fails (Linux).
- [bugzilla: 801 ] Fix missing error condition handling in
daemon_create_workers().
- [bugzilla: 802 ] Fix workaround for function parameters that are
"unused" without log_assert.
- [bugzilla: 803 ] Fix confusing (and incorrect) code comment in
daemon_cleanup().
- [bugzilla: 806 ] Fix wrong comment removed.
- use sendmsg instead of sendto for TFO.
- [bugzilla: 807 ] Fix workaround for possible some "unused" function
parameters in test code.
- Note that OPENPGPKEY type is RFC 7929.
- [bugzilla: 804 ] Fix #804: unbound stops responding after outage.
Fixes queries that attempt to wait for an empty list of subqueries.
- Fix for #804: lower num_target_queries for iterator also for failed
lookups.
- [bugzilla: 820 ] Fix set sldns_str2wire_rr_buf() dual meaning len
parameter in each iteration in find_tag_datas().
- [bugzilla: 777 ] Fix OpenSSL 1.1.0 compatibility.
- RFC 7958 is now out, updated docs for unbound-anchor.
- Fix for compile without warnings with openssl 1.1.0.
- [bugzilla: 826 ] Fix refuse_non_local could result in a broken response.
- iana portlist update.
- Fix compile with openssl 1.1.0 with api=1.1.0.
- [bugzilla: 829 ] Fix doc of sldns_wire2str_rdata_buf() return value
has an off-by-one typo.
- Fix incomplete prototypes reported by Dag-Erling Smørgrav.
- [bugzilla: 828 ] Fix missing type in access-control-tag-action
redirect results in NXDOMAIN.
- Take configured minimum TTL into consideration when reducing TTL to
original TTL from RRSIG.
- [bugzilla: 831 ] Fix workaround for spurious fread_chk warning
against petal.c
- Silenced flex-generated sign-unsigned warning print with gcc
diagnostic pragma.
- Fix for new splint on FreeBSD. Fix cast for sockaddr_un.sun_len.
- fix potential memory leak in daemon/remote.c and nullpointer
dereference in validator/autotrust.
- [bugzilla: 883 ] Fix error for duplicate local zone entry.
- [bugzilla: 835 ] Fix --disable-dsa with nettle verify.
v0.14.7
This is a minor release recommended for all users.
Improvements in this release include faster (i.e., less CPU intensive)
hashing on some Intel and ARM64 CPUs, a more refined dark theme,
CORS headers in the API, and an updated set of default discovery
servers.
Resolved issues since v0.14.6:
#3596: Deadlock no longer occurs on device removal
Make sure the configure script finds the ping or ping6 command on NetBSD, don't
rely on /sbin being in $path of the builder.
Not sure if similar change is needed for other $OPSYS.
Add a comment to patch-ad explaining why some plugins are disabled here.
2016/04/18:
linux/netfilter: fix compile time detection of iptables version >= 1.4.3
2016/03/08:
linux/netfilter: do not add MASQUERADE rule if ports are equal
2016/02/19:
set IPv6 Hop limit to 10
fix HOST: header of event notifications in IPv6
be more compliant on 64bit machines : ui4 in [0;2^32-1]