From ${URL} :

A flaw in the http-domino-enum-password NSE script for Nmap was discovered [1]. If this script was run with the non-default domino-enum-passwords.idpath parameter against a malicious server, it could cause an arbitrarily named file to be written to the client system with the permissions of the user running the nmap client. This was corrected in upstream version 6.40 [2] (svn r31576). This svn revision also updates a few other NSE scripts for extra safety.

[1] http://packetstormsecurity.com/files/122719/TWSL2013-025.txt
[2] http://nmap.org/changelog.html

@maintainer(s): after the bump, in case we need to stabilize the package, please say explicitly if it is ready for the stabilization or not.
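An added illustration of the class of flaw summarized in the advisory above, and of a client-side guard against it; it is not part of this bug report and is not Nmap's code or its actual fix. It assumes the saved file's name is built from a server-controlled value; the function names and the ".id" suffix are hypothetical.

```python
import os
import re
import tempfile

# Assumption: the file name comes from a value the remote server controls;
# "idpath" mirrors the script argument named in the advisory.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")

def naive_target(idpath, server_name):
    """Unsafe pattern: the server-supplied name is joined as-is."""
    return os.path.join(idpath, server_name + ".id")

def safe_target(idpath, server_name):
    """Return a path that sits directly inside idpath, or raise ValueError."""
    if not SAFE_NAME.fullmatch(server_name):
        raise ValueError("rejected server-supplied name: %r" % server_name)
    base = os.path.realpath(idpath)
    target = os.path.realpath(os.path.join(base, server_name + ".id"))
    if os.path.dirname(target) != base:  # also catches a symlink in idpath
        raise ValueError("path escapes output directory")
    return target

def save_id_file(idpath, server_name, data):
    """Create the file exclusively with mode 0600; never overwrite."""
    target = safe_target(idpath, server_name)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(target, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target

def demo():
    """Feed constructed names to the guarded writer; return the outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as idpath:
        for name in ["jsmith", "../outside", "/abs/elsewhere", "a/b"]:
            try:
                save_id_file(idpath, name, b"constructed sample bytes")
                results[name] = "written"
            except ValueError:
                results[name] = "rejected"
    return results

if __name__ == "__main__":
    print(demo())
```

The naive join shows why an allow-list is needed: an absolute name discards the chosen directory entirely, and a relative name with `..` climbs out of it.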
I had to mask ~net-analyzer/nmap-6.40 since it depends on >=dev-lang/lua-5.2 (bug #253269 is supposed to deal with the grander issues of nmap's bundled libraries, but has none of the details on liblua). Quite similar to bug #396353, using the bundled liblua.a causes the linker to fail on some systems ("ld: ./../liblua/liblua.a(loadlib.o): undefined reference to symbol 'dlopen@@GLIBC_2.1'"). I could remove the dependency and link in the bundled liblua.a and then we could unmask it again, but then we'd still have the QA issue. Please advise.
Would it be possible to break this into two revs maybe? We could use the known bad bundled to get the security bug fixed, and then have an ~arch version that simply depends on the correct liblua? It's been over a year since lua 5.2 was added to the tree as masked, if there hasn't been some movement on that then...sigh, I won't even go there.
We could backport the changes to 6.25, too.
Backporting to 6.25 (if possible) sounds like a reasonable option to me.
The "undefined reference to symbol 'dlopen@@GLIBC_2.1'" error is caused by the library order, which is a known issue. The fix can be found here: http://seclists.org/nmap-dev/2013/q3/att-216/nmap-6_40-fix-lib-order.patch I've recently applied this fix to the pentoo overlay: http://code.google.com/p/pentoo/source/browse/portage/trunk/net-analyzer/nmap/nmap-6.40-r3.ebuild
Arch teams, please test and mark stable:
=net-analyzer/nmap-6.47-r1
Targeted stable KEYWORDS : alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

PPC and PPC64 will of course need to address bug #512546 first.
amd64 stable
x86 stable
Stable for HPPA.
Stable on alpha.
ia64 stable
We can't proceed, since newer nmap versions have a dependency on dev-libs/liblinear, which isn't keyworded for ppc*. (arm stable)
(In reply to Mikle Kolyada from comment #12)
> we can't proceed, since newer nmap versions have dependency on
> dev-libs/liblinear, which isn't keyworded for ppc*

That's why this bug depends on bug #512546.
ppc64 stable
sparc stable
ppc stable. Maintainer(s), please cleanup. Security, please vote.
GLSA Vote: No
GLSA vote: no. Closing as [noglsa]