ref: http://seclists.org/nmap-announce/2013/1 "From: Fyodor <fyodor () nmap org> Date: Mon, 19 Aug 2013 14:50:05 -0700 Hi Folks. It has been a while since the last stable Nmap release, but I'm pleased to release Nmap 6.40 and I think you'll consider it worth the wait!"
Looks like there is no security fix; usually we don't update such a package, which could bring new bugs. Let's see that with the maintainer.
Keywords: (none) => Triaged
Component: New RPM package request => RPM Packages
Assignee: bugsquad => guillomovitch
Summary: Nmap 6.40 Released => update Nmap to 6.40 release
Source RPM: (none) => nmap
Severity: normal => enhancement
I think this may be considered a security fix: "o [NSE] Oops, there was a vulnerability in one of our 437 NSE scripts. If you ran the (fortunately non-default) http-domino-enum-passwords script with the (fortunately also non-default) domino-enum-passwords.idpath parameter against a malicious server, it could cause an arbitrarily named file to be written to the client system. Thanks to Trustwave researcher Piotr Duszynski for discovering and reporting the problem. We've fixed that script, and also updated several other scripts to use a new stdnse.filename_escape function for extra safety. This breaks our record of never having a vulnerability in the 16 years that Nmap has existed, but that's still a fairly good run! [David, Fyodor]" (source: http://seclists.org/nmap-announce/2013/1 )
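The changelog quoted above describes the bug class rather than the exploit: a scanner script saves files under names taken from the scanned server's response, so a malicious server chooses where the file lands on the client. The following is an added illustration, not code from the Mageia thread, from Nmap or from the NSE script. It is written in Python rather than NSE Lua; the output directory, the sample server-supplied names and the escaping rule (percent-encode every byte outside [A-Za-z0-9_.-], then neutralise a bare "." or "..") are all assumptions made for the example, and the exact rules of Nmap's stdnse.filename_escape were not checked here. It only computes paths and does not write to disk.

```python
"""Added example: server-controlled filenames on the scanning client.

vulnerable:  name from the server response is joined onto the output
             directory unchanged (the pre-6.40 shape of the bug).
hardened:    the name is percent-escaped first, then the resulting path is
             checked to still lie under the output directory.
The escaping rule below is an assumption modelled on the idea of
stdnse.filename_escape, not a copy of Nmap's implementation.
"""
import os
import string

# Constructed sample "responses": names a server could hand back.
SAMPLE_NAMES = [
    "admin.id",                                  # benign
    "../../../home/user/.ssh/authorized_keys",   # relative traversal
    "/etc/passwd",                               # absolute path
    "..",                                        # parent directory
    "ids\x00.txt",                               # NUL byte
    "new\nline.id",                              # control character
]

# Bytes allowed to survive escaping: ASCII letters, digits, '_', '-', '.'
_SAFE = frozenset((string.ascii_letters + string.digits + "_-.").encode())


def filename_escape(name: str) -> str:
    """Percent-escape every byte outside _SAFE (assumed rule).

    '.' is allowed through, so a name consisting only of dots ('.', '..')
    would still pass the byte filter; those are escaped explicitly.
    """
    esc = "".join(chr(b) if b in _SAFE else "%%%02x" % b
                  for b in name.encode("utf-8", "surrogateescape"))
    if esc.strip(".") == "":
        esc = esc.replace(".", "%2e")
    return esc


def escapes_outdir(outdir: str, path: str) -> bool:
    """True if `path` resolves to somewhere outside `outdir`."""
    base = os.path.abspath(outdir)
    return os.path.commonpath([base, os.path.abspath(path)]) != base


def save_path_vulnerable(outdir: str, server_name: str) -> str:
    """Pre-fix shape: trust the server's filename as-is."""
    return os.path.normpath(os.path.join(outdir, server_name))


def save_path_hardened(outdir: str, server_name: str) -> str:
    """Escape the name, then refuse anything that still leaves outdir."""
    target = os.path.normpath(os.path.join(outdir, filename_escape(server_name)))
    if escapes_outdir(outdir, target):
        raise ValueError("refusing to write outside %s for %r" % (outdir, server_name))
    return target


def compare(outdir: str, names=SAMPLE_NAMES):
    """For each sample name: (name, vulnerable path, left outdir?, hardened path)."""
    rows = []
    for name in names:
        vuln = save_path_vulnerable(outdir, name)
        rows.append((name, vuln, escapes_outdir(outdir, vuln),
                     save_path_hardened(outdir, name)))
    return rows


if __name__ == "__main__":
    for name, vuln, leaked, safe in compare("/tmp/domino-ids"):
        flag = "OUTSIDE" if leaked else "inside "
        print("%-42r vulnerable=%s [%s]  hardened=%s" % (name, vuln, flag, safe))
```

Only the relative-traversal, absolute-path and ".." names leave the output directory in the vulnerable version; the NUL and newline names stay inside but would still produce surprising filenames, which is why the escaping covers all non-safe bytes rather than just the path separator. The containment check in the hardened path is a second line of defence in case the escaping rule ever lets a separator through.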
Indeed, and a patch is available at https://bugzilla.redhat.com/show_bug.cgi?id=995634 just in case.
QA Contact: (none) => security
Severity: enhancement => normal
Component: RPM Packages => Security
Summary: update Nmap to 6.40 release => nmap new security issue fixed in 6.40 (CVE-2013-4885)
Fedora has issued an advisory for this on August 15: https://lists.fedoraproject.org/pipermail/package-announce/2013-August/114768.html There is also an upstream advisory, including PoC details: http://packetstormsecurity.com/files/122719/TWSL2013-025.txt
URL: (none) => http://lwn.net/Vulnerabilities/565087/
CC: (none) => luigiwalser
Mageia 3 is not susceptible to the security bug. It just returns
| http-domino-enum-passwords:
|_ ERROR: Failed to process results
so testing of an update will be limited to ensuring nmap works.
CC: (none) => davidwhodgins
I'm not convinced of the interest of an update if there is no vulnerability... Anyway, I just submitted nmap-6.25-3.1.mga3 with the Fedora patch applied to updates_testing.
Maybe the PoC doesn't work or wasn't used correctly? Is the Mageia 2 nmap package not vulnerable to this?
Thanks Guillaume, BTW! :o)
Packages currently uploaded:
nmap-6.25-3.1.mga3
nmap-frontend-6.25-3.1.mga3
from nmap-6.25-3.1.mga3.src.rpm
Getting the PoC to work isn't just a matter of running a command, but also getting the server it's run against to deliver a certain response. I'm not exactly sure how to get it to do that. This is a low-severity issue, and re-diffing the patch for Mageia 2 appears to be non-trivial. Let's update Mageia 3.

Advisory:
========================

Updated nmap packages fix security vulnerability:

It is possible to write arbitrary files to a remote system, through a specially crafted server response for NMAP http-domino-enum-passwords.nse script from nmap before 6.40 (CVE-2013-4885).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4885
http://packetstormsecurity.com/files/122719/TWSL2013-025.txt
https://lists.fedoraproject.org/pipermail/package-announce/2013-August/114768.html
========================

Updated packages in core/updates_testing:
========================
nmap-6.25-3.1.mga3
nmap-frontend-6.25-3.1.mga3

from nmap-6.25-3.1.mga3.src.rpm
CC: (none) => guillomovitch
Assignee: guillomovitch => qa-bugs
Advisory 11090.adv uploaded to svn.
Testing on x86_64 Mageia 3:
nmap-6.25-3.1.mga3.x86_64.rpm
nmap-frontend-6.25-3.1.mga3.x86_64.rpm
Tested on x86_64 Mageia 3:
nmap-6.25-3.1.mga3.x86_64.rpm
nmap-frontend-6.25-3.1.mga3.x86_64.rpm

This patched Nmap 6.25 seems to be working fine. Unable to test the fix for the specific vulnerability discovered by Piotr Duszynski because unable to recreate the following:

"It is possible to write arbitrary files to a remote system, through a specially crafted server response for NMAP http-domino-enum-passwords.nse script (from the official Nmap repository)."
[source: http://packetstormsecurity.com/files/122719/TWSL2013-025.txt ]

"Remediation Steps: The vendor has released an official patch for this vulnerability. It is recommended to upgrade to Nmap 6.40."
[source: http://packetstormsecurity.com/files/122719/TWSL2013-025.txt ]

Alternatively, one may download Nmap 6.40 rpms from insecure.org.
Thanks Paul, are you able to test i586 also?
Whiteboard: (none) => mga3-64-ok
Testing complete mga3 32

# nmap -O 192.168.1.*

nmap-frontend tested with zenmap to perform an 'Intense scan'.

Validating. Advisory uploaded in comment 10.
Could sysadmin please push from 3 core/updates_testing to updates
Thanks!
Keywords: (none) => validated_update
Whiteboard: mga3-64-ok => mga3-64-ok mga3-32-ok has_procedure
CC: (none) => sysadmin-bugs
Update pushed: http://advisories.mageia.org/MGASA-2013-0305.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED