CVS commit: pkgsrc/net/nmap

["Maya Rashish" <maya%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   maya
Date:           Fri Oct 14 15:11:17 UTC 2016

Modified Files:
        pkgsrc/net/nmap: Makefile distinfo
        pkgsrc/net/nmap/patches: patch-zenmap_test_run__tests.py

Log Message:
nmap: update to 7.30

ok pettai@

Changes:
Nmap 7.30 [2016-09-29]

    Integrated all 12 of your IPv6 OS fingerprint submissions from June to September. No new groups, but several classifications were strengthened, especially Windows localhost and OS X. [Daniel 
Miller]
    [NSE] Added 7 NSE scripts, from 3 authors, bringing the total up to 541! They are all listed at https://nmap.org/nsedoc/, and the summaries are below (authors are listed in brackets):
        [GH#369] coap-resources grabs the list of available resources from CoAP endpoints. [Mak Kolybabi]
        fox-info retrieves detailed version and configuration info from Tridium Niagara Fox services. [Stephen Hilt]
        ipmi-brute performs authentication brute-forcing on IPMI services. [Claudiu Perta]
        ipmi-cipher-zero checks IPMI services for Cipher Zero support, which allows connection without a password. [Claudiu Perta]
        ipmi-version retrieves protocol version and authentication options from ASF-RMCP (IPMI) services. [Claudiu Perta]
        [GH#352] mqtt-subscribe connects to a MQTT broker, subscribes to topics, and lists the messages received. [Mak Kolybabi]
        pcworx-info retrieves PLC model, firmware version, and date from Phoenix Contact PLCs. [Stephen Hilt]
    Upgraded Npcap, our new Windows packet capturing driver/library, from version to 0.09 to 0.10r2. This includes many bug fixes, with a particular on emphasis on concurrency issues discovered by 
running hundreds of Nmap instances at a time. More details are available from https://github.com/nmap/npcap/releases. [Yang Luo, Daniel Miller, Fyodor]
    New service probes and match lines for DTLS, IPMI-RMCP, MQTT, PCWorx, ProConOS, and Tridium Fox, [Stephen Hilt, Mak Kolybabi, Daniel Miller]
    Improved some output filtering to remove or escape carriage returns ('\r') that could allow output spoofing by overwriting portions of the screen. Issue reported by Adam Rutherford. [Daniel 
Miller]
    [NSE] Fixed a few bad Lua patterns that could result in denial of service due to excessive backtracking. [Adam Rutherford, Daniel Miller]
    Fixed a discrepancy between the number of targets selected with -iR and the number of hosts scanned, resulting in output like "Nmap done: 1033 IP addresses" when the user specified -iR 1000. 
[Daniel Miller]
    Fixed a bug in port specification parsing that could cause extraneous 'T', 'U', 'S', and 'P' characters to be ignored when they should have caused an error. [David Fifield]
    [GH#543] Restored compatibility with LibreSSL, which was lost in adding library version checks for OpenSSL 1.1. [Wonko7]
    [Zenmap] Fixed a bug in the Compare Scans window of Zenmap on OS X resulting in this message instead of Ndiff output:

        ImportError: dlopen(/Applications/Zenmap.app/Contents/Resources/lib/python2.7/lib-dynload/datetime.so, 2): no suitable image found.  Did find:
        /Applications/Zenmap.app/Contents/Resources/lib/python2.7/lib-dynload/datetime.so: mach-o, but wrong architecture

    Reported by Kyle Gustafson. [Daniel Miller]
    [NSE] Fixed a bug in ssl-enum-ciphers and ssl-dh-params which caused them to not output TLSv1.2 info with DHE ciphersuites or others involving ServerKeyExchange messages. [Daniel Miller]
    [NSE] Added X509v3 extension parsing to NSE's sslcert code. ssl-cert now shows the Subject Alternative Name extension; all extensions are shown in the XML output. [Daniel Miller]

Nmap 7.25BETA2 [2016-09-01]

    [GH#376] Windows binaries are now code-signed with our "Insecure.Com LLC" SHA256 certificate. This should give our users extra peace-of-mind and avoid triggering Microsoft's ever-increasing 
security warnings.
    [NSE] Upgraded NSE to Lua 5.3, adding bitwise operators, integer data type, a utf8 library, and native binary packing and unpacking functions. Removed bit library, added bits.lua, replaced 
base32, base64, and bin libraries. [Patrick Donnelly]
    [NSE] Added 2 NSE scripts, bringing the total up to 534! They are both listed at https://nmap.org/nsedoc/, and the summaries are below:
        oracle-tns-version decodes the version number from Oracle Database Server's TNS listener. [Daniel Miller]
        clock-skew analyzes and reports clock skew between Nmap and services that report timestamps, grouping hosts with similar skews. [Daniel Miller]
    Integrated all of your service/version detection fingerprints submitted from January to April (578 of them). The signature count went up 2.2% to 10760. We now detect 1122 protocols, from 
elasticsearch, fhem, and goldengate to ptcp, resin-watchdog, and siemens-logo. [Daniel Miller]
    Upgraded Npcap, our new Windows packet capturing driver/library, from version 0.07-r17 to 0.09. This includes many improvements you can read about at https://github.com/nmap/npcap/releases.
    [Nsock][GH#148] Added the new IOCP Nsock engine which uses the Windows Overlapped I/O API to improve performance of version scan and NSE against many targets on Windows. [Tudor Emil Coman]
    [GH#376] Windows binaries are now code-signed with our "Insecure.Com LLC" SHA256 certificate. This should give our users extra peace-of-mind and avoid triggering Microsoft's ever-increasing 
security warnings.
    Various performance improvements for large-scale high-rate scanning, including increased ping host groups, faster probe matching, and ensuring data types can handle an Internet's-worth of 
targets. [Tudor Emil Coman]
    [NSE] Added the oracle-tns-version NSE script which decodes the version number from Oracle Database Server's TNS listener. https://nmap.org/nsedoc/scripts/oracle-tns-version.html [Daniel Miller]
    [NSE] Added the clock-skew NSE script which analyzes and reports clock skew between Nmap and services that report timestamps, grouping hosts with similar skews. 
https://nmap.org/nsedoc/scripts/clock-skew.html [Daniel Miller]
    [Zenmap] Long-overdue Spanish language translation has been added! Muy bien! [Vincent Dumont, Marta Garcia De La Paz, Paulino Calderon, Patricio Castagnaro]
    [Zenmap][GH#449] Fix a crash when closing Zenmap due to a read-only zenmap.conf. User will be warned that config cannot be saved and that they should fix the file permissions. [Daniel Miller]
    [NSE] Fix a crash when parsing TLS certificates that OpenSSL doesn't support, like DH certificates or corrupted certs. When this happens, ssl-enum-ciphers will label the ciphersuite strength as 
"unknown." Reported by Bertrand Bonnefoy-Claudet. [Daniel Miller]
    [NSE][GH#531] Fix two issues in sslcert.lua that prevented correct operations against LDAP services when version detection or STARTTLS were used. [Tom Sellers]
    [Zenmap] Long-overdue Spanish language translation has been added! Muy bien! [Vincent Dumont, Marta Garcia De La Paz, Paulino Calderon, Patricio Castagnaro]
    [GH#426] Remove a workaround for lack of selectable pcap file descriptors on Windows, which required including pcap-int.h and locking us to a single version of libpcap. The new method, using 
WaitForSingleObject should work with all versions of both WinPcap and Npcap. [Daniel Miller]
    [NSE][GH#234] Added a --script-timeout option for limiting run time for every individual NSE script. [Abhishek Singh]
    [Ncat][GH#444] Added a -z option to Ncat. Just like the -z option in traditional netcat, it can be used to quickly check the status of a port. Port ranges are not supported since we recommend a 
certain other tool for port scanning. [Abhishek Singh]
    Fix checking of Npcap/WinPcap presence on Windows so that "nmap -A" and "nmap" with no options result in the same behaviors as on Linux (and no crashes) [Daniel Miller]
    [NSE] ssl-enum-ciphers will now warn about 64-bit block ciphers in CBC mode, which are vulnerable to the SWEET32 attack.
    [NSE][GH#117] tftp-enum now only brute-forces IP-address-based Cisco filenames when the wordlist contains "{cisco}". Previously, custom wordlists would still end up sending these extra 256 
requests. [Sriram Raghunathan]
    [GH#472] Avoid an unnecessary assert failure in timing.cc when printing estimated completion time. Instead, we'll output a diagnostic error message:

        Timing error: localtime(n) is NULL

    where "n" is some number that is causing problems. [Jean-Guilhem Nousse]
    [NSE][GH#519] Removed the obsolete script ip-geolocation-geobytes. [Paulino Calderon]
    [NSE] Added 9 new fingerprints for script http-default-accounts. (Motorola AP, Lantronix print server, Dell iDRAC6, HP StorageWorks, Zabbix, Schneider controller, Xerox printer, Citrix NetScaler, 
ESXi hypervisor) [nnposter]
    [NSE] Completed a refresh and validation of almost all fingerprints for script http-default-accounts. Also improved the script speed. [nnposter]
    [GH#98] Added support for decoys in IPv6. Earlier we supported decoys only in IPv4. [Abhishek Singh]
    Various performance improvements for large-scale high-rate scanning, including increased ping host groups, faster probe matching, and ensuring data types can handle an Internet's-worth of 
targets. [Tudor Emil Coman]
    [GH#484] Allow Nmap to compile on some older Red Hat distros that disable EC crypto support in OpenSSL. [Jeroen Roovers, Vincent Dumont]
    [GH#439] Nmap now supports OpenSSL 1.1.0-pre5 and previous versions. [Vincent Dumont]
    [Ncat] Fix a crash ("add_fdinfo() failed.") when --exec was used with --ssl and --max-conns, due to improper accounting of file descriptors. [Daniel Miller]
    FTP Bounce scan: improved some edge cases like anonymous login without password, 500 errors used to indicate port closed, and timeouts for LIST command. Also fixed a 1-byte array overrun (read) 
when checking for privileged ports. [Daniel Miller]
    [GH#140] Allow target DNS names up to 254 bytes. We previously imposed an incorrect limit of 64 bytes in several parts of Nmap. [Vincent Dumont]
    [NSE] The hard limit on number of concurrently running scripts can now increase above 1000 to match a high user-set --min-parallelism value. [Tudor Emil Coman]
    [NSE] Solved a memory corruption issue that would happen if a socket connect operation produced an error immediately, such as Network Unreachable. The event handler was throwing a Lua error, 
preventing Nsock from cleaning up properly, leaking events. [Abhishek Singh, Daniel Miller]
    [NSE] Added the datetime library for performing date and time calculations, and as a helper to the clock-skew script.
    [GH#103][GH#364] Made Nmap's parallel reverse DNS resolver more robust, fully handling truncated replies. If a response is too long, we now fall back to using the system resolver to answer it. 
[Abhishek Singh]
    [Zenmap][GH#279] Added a legend for the Topography window. [Suraj Hande]

Nmap 7.25BETA1 [2016-07-15]

    Nmap now ships with and uses Npcap, our new packet sniffing library for Windows. It's based on WinPcap (unmaintained for years), but uses modern Windows APIs for better performance. It also 
includes security improvements and many bug fixes. See http://npcap.org. And it enables Nmap to perform SYN scans and OS detection against localhost, which we haven't been able to do on Windows since 
Microsoft removed the raw sockets API in 2003. [Yang Luo, Daniel Miller, Fyodor]
    [NSE] Added 6 NSE scripts, from 5 authors, bringing the total up to 533! They are all listed at https://nmap.org/nsedoc/, and the summaries are below (authors are listed in brackets):
        clamav-exec detects ClamAV servers vulnerable to unauthorized clamav command execution. [Paulino Calderon]
        http-aspnet-debug detects ASP.NET applications with debugging enabled. [Josh Amishav-Zlatin]
        http-internal-ip-disclosure determines if the web server leaks its internal IP address when sending an HTTP/1.0 request without a Host header. [Josh Amishav-Zlatin]
        [GH#304] http-mcmp detects mod_cluster Management Protocol (MCMP) and dumps its configuration. [Frank Spierings]
        [GH#365] sslv2-drown detects vulnerability to the DROWN attack, including CVE-2016-0703 and CVE-2016-0704 that enable fast attacks on OpenSSL. [Bertrand Bonnefoy-Claudet]
        vnc-title logs in to VNC servers and grabs the desktop title, geometry, and color depth. [Daniel Miller]
    Integrated all of your IPv4 OS fingerprint submissions from January to April (539 of them). Added 98 fingerprints, bringing the new total to 5187. Additions include Linux 4.4, Android 6.0, 
Windows Server 2016, and more. [Daniel Miller]
    Integrated all 31 of your IPv6 OS fingerprint submissions from January to June. The classifier added 2 groups and expanded several others. Several Apple OS X groups were consolidated, reducing 
the total number of groups to 93. [Daniel Miller]
    Update oldest supported Windows version to Vista (Windows 6.0). This enables the use of the poll Nsock engine, which has significant performance and accuracy advantages. Windows XP users can 
still use Nmap 7.12, available from https://nmap.org/dist/?C=M&O=D [Daniel Miller]
    [NSE] Fix a crash that happened when trying to print the percent done of 0 NSE script threads:

        timing.cc:710 bool ScanProgressMeter::printStats(double, const timeval*): Assertion 'ltime' failed.

    This would happen if no scripts were scheduled in a scan phase and the user pressed a key or specified a short --stats-every interval. Reported by Richard Petrie. [Daniel Miller]
    [GH#283][Nsock] Avoid "unknown protocol:0" debug messages and an "Unknown address family 0" crash on Windows and other platforms that do not set the src_addr argument to recvfrom for TCP sockets. 
[Daniel Miller]
    Retrieve the correct network prefix length for an adapter on Windows. If more than one address was configured on an adapter, the same prefix length would be used for both. This incorrect behavior 
is still used on Windows XP and earlier. Reported by Niels Bohr. [Daniel Miller]
    Changed libdnet-stripped to avoid bailing completely when an interface is encountered with an unsupported hardware address type. Caused "INTERFACES: NONE FOUND!" bugs in Nmap whenever Linux 
kernel added new hardware address types. [Daniel Miller]
    Improved service detection of Docker and fixed a bug in the output of docker-version script. [Tom Sellers]
    Fix detection of Microsoft Terminal Services (RDP). Our improved TLS service probes were matching on port 3389 before our specific Terminal Services probe, causing the port to be labeled as 
"ssl/unknown". Reported by Josh Amishav-Zlatin.
    [NSE] Update to enable smb-os-discovery to augment version detection for certain SMB related services using data that the script discovers. [Tom Sellers]
    Improved version detection and descriptions for Microsoft and Samba SMB services. Also addresses certain issues with OS identification. [Tom Sellers]
    [NSE] ssl-enum-ciphers will give a failing score to any server with an RSA certificate whose public key uses an exponent of 1. It will also cap the score of an RC4-ciphersuite handshake at C and 
output a warning referencing RFC 7465. [Daniel Miller]
    [NSE] Refactored some SSLv2 functionality into a new library, sslv2.lua . [Daniel Miller]
    [GH#399] Zenmap's authorization wrapper now uses an AppleScript method for privilege escalation on OS X, avoiding the deprecated AuthorizationExecuteWithPrivileges method previously used. 
[Vincent Dumont]
    [GH#454] The OS X binary package is distributed in a .dmg disk image that now features an instructive background image. [Vincent Dumont]
    [GH#420] Our OS X build system now uses gtk-mac-bundler and jhbuild to provide all dependencies. We no longer use Macports for this purpose. [Vincent Dumont]
    [GH#345][Zenmap] On Windows, save Zenmap's stderr output to a writeable location (%LOCALAPPDATA%\zenmap.exe.log or %TEMP%\zenmap.exe.log) instead of next to the zenmap.exe executable. This avoids 
a warning message when closing Zenmap if it produced any stderr output. [Daniel Miller]
    [GH#379][NSE] Fix http-iis-short-name-brute to report non vulnerable hosts. Reported by alias1. [Paulino Calderon]
    [NSE][GH#371] Fix mysql-audit by adding needed library requires to the mysql-cis.audit file. The script would fail with "Failed to load rulebase" message. [Paolo Perego]
    [NSE][GH#362] Added support for LDAP over udp to ldap-rootdse.nse. Also added version detection and information extraction to match the new LDAP LDAPSearchReq and LDAPSearchReqUDP probes. [Tom 
Sellers]
    [GH#354] Added new version detection Probes for LDAP services, LDAPSearchReq and LDAPSearchReqUDP. The second is Microsoft Active Directory specific. The Probes will elicit responses from target 
services that allow better finger -printing and information extraction. Also added nmap-payload entry for detecting LDAP on udp. [Tom Sellers]
    [NSE] More VNC updates: Support for VeNCrypt and Tight auth types, output of authentication sub-types in vnc-info, and all zero-authentication types are recognized and reported. [Daniel Miller]


To generate a diff of this commit:
cvs rdiff -u -r1.130 -r1.131 pkgsrc/net/nmap/Makefile
cvs rdiff -u -r1.71 -r1.72 pkgsrc/net/nmap/distinfo
cvs rdiff -u -r1.1 -r1.2 \
    pkgsrc/net/nmap/patches/patch-zenmap_test_run__tests.py

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/net/nmap/Makefile
diff -u pkgsrc/net/nmap/Makefile:1.130 pkgsrc/net/nmap/Makefile:1.131
--- pkgsrc/net/nmap/Makefile:1.130      Wed Aug  3 10:23:17 2016
+++ pkgsrc/net/nmap/Makefile    Fri Oct 14 15:11:16 2016
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.130 2016/08/03 10:23:17 adam Exp $
+# $NetBSD: Makefile,v 1.131 2016/10/14 15:11:16 maya Exp $
 
-DISTNAME=      nmap-7.12
-PKGREVISION=   1
+DISTNAME=      nmap-7.30
 CATEGORIES=    net security
 MASTER_SITES=  http://nmap.org/dist/
 EXTRACT_SUFX=  .tar.bz2

Index: pkgsrc/net/nmap/distinfo
diff -u pkgsrc/net/nmap/distinfo:1.71 pkgsrc/net/nmap/distinfo:1.72
--- pkgsrc/net/nmap/distinfo:1.71       Sat Apr  9 06:38:05 2016
+++ pkgsrc/net/nmap/distinfo    Fri Oct 14 15:11:16 2016
@@ -1,12 +1,12 @@
-$NetBSD: distinfo,v 1.71 2016/04/09 06:38:05 adam Exp $
+$NetBSD: distinfo,v 1.72 2016/10/14 15:11:16 maya Exp $
 
-SHA1 (nmap-7.12.tar.bz2) = 0c25e4089f93adec2ad50e99b92dc8c5bf85c231
-RMD160 (nmap-7.12.tar.bz2) = 8cab24dc5bd69cff06f235b5166a511f5bf2865f
-SHA512 (nmap-7.12.tar.bz2) = 91156499c6f903fb565fa2b0faa74043d078493312f9489071fafc687301017afc16c7eb26c092f1fa142e78c98a436833f56a9f015cb2a17aa6f6220b6a0b98
-Size (nmap-7.12.tar.bz2) = 8960599 bytes
+SHA1 (nmap-7.30.tar.bz2) = cc5f51059df4c14fb8781987705d6064c7836349
+RMD160 (nmap-7.30.tar.bz2) = 4e403a67c0cb5cd197dc2274dba1e89896c3ff44
+SHA512 (nmap-7.30.tar.bz2) = effef6d1d3f333a8c9a628a2acc0d0faec5967ef09a7d831a4d8d287f224167305e54f575e571eebb0f30544675bf27c834fdaf468db00cdb3fcad14e392303c
+Size (nmap-7.30.tar.bz2) = 9003761 bytes
 SHA1 (patch-configure) = 5fc39f084eadd6ea0560cd8e6f52074113566600
 SHA1 (patch-libdnet-stripped_src_arp-bsd.c) = c56c4e70eca2fa04dd8aab38ed2c3f4cac83f5e3
 SHA1 (patch-libnetutil_netutil.cc) = 7bd1059d6cbcf4f6d129730d6c6f6bc3ab54c0a0
 SHA1 (patch-ndiff_setup.py) = 4e4af27cb896fd1bffc2c9089f930d7075daeb22
 SHA1 (patch-nsock_tests_run__tests.sh) = 88a7447f93dd3377e7e24e317c55528a73a17401
-SHA1 (patch-zenmap_test_run__tests.py) = 46b2445eed4255cf838e37123c23121eeaf360b6
+SHA1 (patch-zenmap_test_run__tests.py) = 452b4584f9607586f5a3a43b852369bd9fa78ce7

Index: pkgsrc/net/nmap/patches/patch-zenmap_test_run__tests.py
diff -u pkgsrc/net/nmap/patches/patch-zenmap_test_run__tests.py:1.1 pkgsrc/net/nmap/patches/patch-zenmap_test_run__tests.py:1.2
--- pkgsrc/net/nmap/patches/patch-zenmap_test_run__tests.py:1.1 Sun Jan 24 13:46:49 2016
+++ pkgsrc/net/nmap/patches/patch-zenmap_test_run__tests.py     Fri Oct 14 15:11:16 2016
@@ -1,6 +1,6 @@
-$NetBSD: patch-zenmap_test_run__tests.py,v 1.1 2016/01/24 13:46:49 richard Exp $
+$NetBSD: patch-zenmap_test_run__tests.py,v 1.2 2016/10/14 15:11:16 maya Exp $
 
---- zenmap/test/run_tests.py.orig      2014-08-23 04:22:09.000000000 +0000
+--- zenmap/test/run_tests.py.orig      2016-06-26 04:39:29.000000000 +0000
 +++ zenmap/test/run_tests.py
 @@ -11,8 +11,9 @@ if __name__ == "__main__":
          sys.exit(0)
@@ -8,8 +8,8 @@ $NetBSD: patch-zenmap_test_run__tests.py
      os.chdir("..")
 +    sys.path.insert(1,"build/lib")
      suite = unittest.defaultTestLoader.discover(
--            start_dir=glob.glob("build/lib.*")[0],
-+            start_dir=glob.glob("build/lib/*")[0],
-             pattern="*.py"
-             )
+-        start_dir=glob.glob("build/lib.*")[0],
++        start_dir=glob.glob("build/lib/*")[0],
+         pattern="*.py"
+         )
      unittest.TextTestRunner().run(suite)