Merge 7.70 release branch into trunk

CHANGELOG

@@ -1,19 +1,93 @@
 #Nmap Changelog ($Id$); -*-text-*-
 
-o [Ncat][GH#197][GH#1049] Fix --ssl connections from dropping on renegotiation,
-  the same issue that was partially fixed for server mode in [GH#773]. Reported
-  on Windows with -e by pkreuzt and vinod272. [Daniel Miller]
+Nmap 7.70 [2018-03-20]
 
-o [NSE] hostmap-crtsh lists subdomains by querying Google's Certificate
-  Transparency logs. [Paulino Calderon]
+o [Windows] Updated the bundled Npcap from 0.93 to 0.99-r2, with many
+  stability fixes and installation improvements, as well as fixes to
+  raw 802.11 frame capture. See https://nmap.org/npcap/changelog
+
+o Integrated all of your service/version detection fingerprints submitted from
+  March 2017 to August 2017 (728 of them). The signature count went up 1.02%
+  to 11,672, including 26 new softmatches.  We now detect 1224 protocols from
+  filenet-pch, lscp, and netassistant to sharp-remote, urbackup, and
+  watchguard.  We will try to integrate the remaining submissions in the next
+  release.
+
+o Integrated all of your IPv4 OS fingerprint submissions from September 2016
+  to August 2017 (667 of them). Added 298 fingerprints, bringing the new total
+  to 5,652. Additions include iOS 11, macOS Sierra, Linux 4.14, Android 7, and
+  more.
+
+o Integrated all 33 of your IPv6 OS fingerprint submissions from September
+  2016 to August 2017. New groups for OpenBSD 6.0 and FreeBSD 11.0 were added,
+  as well as strengthened groups for Linux and OS X.
+
+o Added the --resolve-all option to resolve and scan all IP addresses of a
+  host.  This essentially replaces the resolveall NSE script. [Daniel Miller]
+
+o [NSE][SECURITY] Nmap developer nnposter found a security flaw (directory
+  traversal vulnerability) in the way the non-default http-fetch script
+  sanitized URLs. If a user manualy ran this NSE script with against a
+  malicious web server, the server could potentially (depending on NSE
+  arguments used) cause files to be saved outside the intended destination
+  directory. Existing files couldn't be overwritten.  We fixed http-fetch,
+  audited our other scripts to ensure they didn't make this mistake, and we
+  updated the httpspider library API to protect against this by
+  default. [nnposter, Daniel Miller]
+
+o [NSE] Added 9 NSE scripts, from 8 authors, bringing the total up to 588!
+  They are all listed at https://nmap.org/nsedoc/, and the summaries are
+  below:
+
+  + deluge-rpc-brute performs brute-force credential testing against Deluge
+    BitTorrent RPC services, using the new zlib library. [Claudiu Perta]
+
+  + hostmap-crtsh lists subdomains by querying Google's Certificate
+    Transparency logs. [Paulino Calderon]
+
+  + [GH#892] http-bigip-cookie decodes unencrypted F5 BIG-IP cookies and
+    reports back the IP address and port of the actual server behind the
+    load-balancer. [Seth Jackson]
+
+  + http-jsonp-detection Attempts to discover JSONP endpoints in web servers.
+    JSONP endpoints can be used to bypass Same-origin Policy restrictions in
+    web browsers. [Vinamra Bhatia]
+
+  + http-trane-info obtains information from Trane Tracer SC controllers and
+    connected HVAC devices. [Pedro Joaquin]
+
+  + [GH#609] nbd-info uses the new nbd.lua library to query Network Block
+    Devices for protocol and file export information. [Mak Kolybabi]
+
+  + rsa-vuln-roca checks for RSA keys generated by Infineon TPMs
+    vulnerable to Return Of Coppersmith Attack (ROCA) (CVE-2017-15361). Checks
+    SSH and TLS services. [Daniel Miller]
+
+  + [GH#987] smb-enum-services retrieves the list of services running on a
+    remote Windows machine. Modern Windows systems requires a privileged domain
+    account in order to list the services. [Rewanth Cool]
+
+  + tls-alpn checks TLS servers for Application Layer Protocol Negotiation
+    (ALPN) support and reports supported protocols. ALPN largely replaces NPN,
+    which tls-nextprotoneg was written for. [Daniel Miller]
+
+o [GH#978] Fixed Nsock on Windows giving errors when selecting on STDIN. This
+  was causing Ncat 7.60 in connect mode to quit with error: libnsock
+  select_loop(): nsock_loop error 10038: An operation was attempted on
+  something that is not a socket.  [nnposter]
+
+o [Ncat][GH#197][GH#1049] Fix --ssl connections from dropping on
+  renegotiation, the same issue that was partially fixed for server mode in
+  [GH#773]. Reported on Windows with -e by pkreuzt and vinod272. [Daniel
+  Miller]
 
 o [NSE][GH#1062][GH#1149] Some changes to brute.lua to better handle
   misbehaving or rate-limiting services. Most significantly,
   brute.killstagnated now defaults to true. Thanks to xp3s and Adamtimtim for
   reporing infinite loops and proposing changes.
 
-o [NSE][GH#609] New script nbd-info uses the new nbd.lua library to query
-  Network Block Devices for protocol and file export information. [Mak Kolybabi]
+o [NSE] VNC scripts now support Apple Remote Desktop authentication (auth type
+  30) [Daniel Miller]
 
 o [NSE][GH#1111] Fix a script crash in ftp.lua when PASV connection timed out.
   [Aniket Pandey]
@@ -34,86 +108,65 @@ o [NSE][GH#1129] Changed url.absolute() behavior with respect to dot and
 o Removed deprecated and undocumented aliases for several long options that
   used underscores instead of hyphens, such as --max_retries. [Daniel Miller]
 
-o When a soft match occurs, any probes that could result in a match with the
-  same service will be sent regardless of rarity, improving the chances of
-  matching unusual services on non-standard ports. [Daniel Miller]
+o Improved service scan's treatment of soft matches in two ways. First
+  of all, any probes that could result in a full match with the soft
+  matched service will now be sent, regardless of rarity.  This
+  improves the chances of matching unusual services on non-standard
+  ports.  Second, probes are now skipped if they don't contain any
+  signatures for the soft matched service.  Perviously the probes
+  would still be run as long as the target port number matched the
+  probe's specification.  Together, these changes should make
+  service/version detection faster and more accurate.  For more
+  details on how it works, see
+  https://nmap.org/book/vscan.html. [Daniel Miller]
 
 o --version-all now turns off the soft match optimization, ensuring that all
-  probes really are sent, even if there aren't any existing match lines for the
-  softmatched service. [Daniel Miller]
-
-o Increased effectiveness of service scan soft matches. Previously, all probes
-  which matched the port being scanned would be sent regardless of whether the
-  service was soft matched; softmatch lines only restricted non-port-matching
-  probes from being sent. Now, a soft match will cause ALL non-service-matching
-  probes to be skipped, even if the port number matches. [Daniel Miller]
-
-o [GH#1112] Resolved crash opportunities caused by unexpected libpcap version
-  string format. [Gisle Vanem, nnposter]
+  probes really are sent, even if there aren't any existing match lines for
+  the softmatched service. This is slower, but gives the most comprehensive
+  results and produces better fingerprints for submission. [Daniel Miller]
 
 o [NSE][GH#1083] New set of Telnet softmatches for version detection based on
   Telnet DO/DON'T options offered, covering a wide variety of devices and
   operating systems. [D Roberson]
 
+o [GH#1112] Resolved crash opportunities caused by unexpected libpcap version
+  string format. [Gisle Vanem, nnposter]
+
 o [NSE][GH#1090] Fix false positives in rexec-brute by checking responses for
   indications of login failure. [Daniel Miller]
 
 o [NSE][GH#1099] Fix http-fetch to keep downloaded files in separate
   destination directories. [Aniket Pandey]
 
-o [NSE] Added two new fingerprints to http-default-accounts
-  (Hikvision DS-XXX Network Camera and NUOO DVR) [Paulino Calderon]
-
-o Add the --resolve-all option to resolve and scan all IP addresses of a host.
-  This essentially replaces the resolveall NSE script. [Daniel Miller]
+o [NSE] Added new fingerprints to http-default-accounts:
+  - Hikvision DS-XXX Network Camera and NUOO DVR [Paulino Calderon]
+  - [GH#1074] ActiveMQ, Purestorage, and Axis Network Cameras [Rob Fitzpatrick, Paulino Calderon]
 
-o [NSE] VNC scripts now support Apple Remote Desktop authentication (auth type
-  30) [Daniel Miller]
-
-o Added a new service detection match for WatchGuard Authentication Gateway. 
+o Added a new service detection match for WatchGuard Authentication Gateway.
   [Paulino Calderon]
 
-o [NSE][GH#1074] Added three new fingerprints to http-default-accounts
-  (ActiveMQ, Purestorage and Axis Network Cameras) [Rob Fitzpatrick, Paulino Calderon]
-
-o [NSE] tls-alpn checks TLS servers for Application Layer Protocol Negotiation
-  (ALPN) support and reports supported protocols. ALPN largely replaces NPN,
-  which tls-nextprotoneg was written for. [Daniel Miller]
-
 o [NSE][GH#1038][GH#1037] Script qscan was not observing interpacket delays
   (parameter qscan.delay). [nnposter]
 
 o [NSE][GH#1046] Script http-headers now fails properly if the target does not
   return a valid HTTP response. [spacewander]
 
-o [NSE] rsa-vuln-roca checks for RSA keys generated by Infineon TPMs vulnerable
-  to Return Of Coppersmith Attack (ROCA) (CVE-2017-15361). Checks SSH and TLS
-  services. [Daniel Miller]
-
 o [Ncat][Nsock][GH#972] Remove RC4 from the list of TLS ciphers used by
   default, in accordance with RFC 7465. [Codarren Velvindron]
 
 o [NSE][GH#1022] Fix a false positive condition in ipmi-cipher-zero caused by
   not checking the error code in responses. Implementations which return an
   error are not vulnerable. [Juho Jokelainen]
 
-o [GH#978] Fixed Nsock on Windows giving errors when selecting on STDIN. This
-  was causing Ncat 7.60 in connect mode to quit with error:
-   libnsock select_loop(): nsock_loop error 10038: An operation was attempted on something that is not a socket.
-  [nnposter]
-
 o [NSE][GH#958] Two new libraries for NSE.
-  - punycode
-  - idna
+  - idna - Support for internationalized domain names in applications (IDNA)
+  - punycode (a transfer encoding syntax used in IDNA)
   [Rewanth Cool]
 
 o [NSE] New fingerprints for http-enum:
   - [GH#954] Telerik UI CVE-2017-9248 [Harrison Neal]
   - [GH#767] Many WordPress version detections [Rewanth Cool]
 
-o [NSE] http-trane-info obtains information from Trane Tracer SC controllers
-  and connected HVAC devices. [Pedro Joaquin]
-
 o [GH#981][GH#984][GH#996][GH#975] Fixed Ncat proxy authentication issues:
   - Usernames and/or passwords could not be empty
   - Passwords could not contain colons
@@ -124,9 +177,6 @@ o [GH#981][GH#984][GH#996][GH#975] Fixed Ncat proxy authentication issues:
 o [GH#1009][GH#1013] Fixes to autoconf header files to allow autoreconf to be
   run. [Lukas Schwaighofer]
 
-o [NSE] deluge-rpc-brute performs brute-force credential testing against Deluge
-  BitTorrent RPC services, using the new zlib library. [Claudiu Perta]
-
 o [GH#977] Improved DNS service version detection coverage and consistency
   by using data from a Project Sonar Internet wide survey. Numerouse false
   positives were removed and reliable softmatches added. Match lines for
@@ -137,36 +187,26 @@ o [GH#977] Changed version probe fallbacks so as to work cross protocol
   (TCP/UDP). This enables consolidating match lines for services where the
   responses on TCP and UDP are similar. [Tom Sellers]
 
-o [NSE][GH#532] Added zlib library for NSE. This was a leftover project from
-  GSOC 2014, and will be very useful. [Claudiu Perta, Daniel Miller]
+o [NSE][GH#532] Added the zlib library for NSE so scripts can easily
+  handle compression. This work started during GSOC 2014, so we're
+  particularly pleased to finally integrate it! [Claudiu Perta, Daniel
+  Miller]
 
 o [NSE][GH#1004] Fixed handling of brute.retries variable. It was being treated
   as the number of tries, not retries, and a value of 0 would result in
   infinite retries. Instead, it is now the number of retries, defaulting to 2
   (3 total tries), with no option for infinite retries.
 
-o [NSE][GH#987] Adds smb-enum-services.nse. It retrieves the list of services
-  running on a remote Windows machine. Modern Windows systems requires a
-  privileged domain account in order to list the services. [Rewanth Cool]
-
 o [NSE] http-devframework-fingerprints.lua supports Jenkins server detection
   and returns extra information when Jenkins is detected [Vinamra Bhatia]
 
 o [GH#926] The rarity level of MS SQL's service detection probe was decreased.
   Now we can find MS SQL in odd ports without increasing version intensity.
   [Paulino Calderon]
 
-o [NSE][GH#892] New script http-bigip-cookie decodes unencrypted F5 BIG-IP
-  cookies and reports back the IP address and port of the actual server behind
-  the load-balancer. [Seth Jackson]
-
-o [NSE] New script http-jsonp-detection Attempts to discover JSONP endpoints in
-  web servers. JSONP endpoints can be used to bypass Same-origin Policy
-  restrictions in web browsers. [Vinamra Bhatia]
-
 o [GH#957] Fix reporting of zlib and libssh2 versions in "nmap --version". We
   were always reporting the version number of the included source, even when a
-  different version was linked. [Pavel Zhukov]
+  different version was actually linked. [Pavel Zhukov]
 
 o Add a new helper function for nmap-service-probes match lines: $I(1,">") will
   unpack an unsigned big-endian integer value up to 8 bytes wide from capture

docs/legal-notices.xml

@@ -248,9 +248,7 @@ OpenSSL support and linked with OpenSSL.  When compiled without
 OpenSSL support, the Nmap Project believes that Nmap is not subject to
 U.S. <ulink
 url="http://www.access.gpo.gov/bis/ear/ear_data.html">Export
-Administration Regulations (EAR)</ulink> export control.  It is exempt
-in accordance with <ulink url="n per §734.2(b)(3)(i) and
-§734.7(a)(4).  As such,
+Administration Regulations (EAR)</ulink> export control. As such,
 there is no applicable ECCN (export control classification number) and
 exportation does not require any special license, permit, or other
 governmental authorization.</para>