Nmap Development mailing list archives
RE: [NSE] Shodan exploits database library (and demo script)
From: "Rob Nicholls" <robert () robnicholls co uk>
Date: Mon, 13 Dec 2010 09:46:21 -0000
I'm afraid I agree with Fyodor, version numbers have a lot of complexity, mostly because big software vendors choose to concurrently support multiple versions. Apache is one example (2.x covers two supported streams, plus there's an alpha that will eventually become the 2.4 stream), Oracle would be another (recently they seem to have two releases with the same major version), as would PHP (again, typically running two streams with the same major version). If we start checking the major version (so we don't compare Apache 1.3 against 2.x) and sub-version (to avoid saying PHP 5.2.14 is newer than 5.3.1, or mixing Oracle 11G with 11GR2) followed by checking this special number, then you're starting to lose the benefit of calculating this special number.

How does it cope if someone uses alpha characters, such as the OpenSSL versions? Would a-z be treated as 1-26? If so, what about alpha and beta versions of other software that are denoted by A and B at the end, perhaps followed by an RC release, then lose everything to become stable (e.g. PHP5.3.4RC2 is older than PHP 5.3.4). BIND also adds to the mix, with its -P1 and -ESV-R3 style sub-versions: http://www.isc.org/software/version-numbering

In general, this could be a good way to compare numbers (as I'm sure the majority of software has only one latest version) if they use a simple convention, but I'm concerned that we'll end up with some kind of long list of exceptions to the rule to cover the more popular products.

http://en.wikipedia.org/wiki/Software_versioning

Rob

-----Original Message-----
From: nmap-dev-bounces () insecure org [mailto:nmap-dev-bounces () insecure org] On Behalf Of Gutek
Sent: 12 December 2010 21:47
To: nmap-dev () insecure org
Subject: Re: [NSE] Shodan exploits database library (and demo script)

On 12/12/2010 20:37, Fyodor wrote:
> you should divide by something like a million to the i power.

after meeting some x.y.154 this afternoon, this is exactly what it does by now :)

For the moment I'll keep an algorithm which allows me to deal with a unique number representing the versions, as it seems easier to me to manipulate versions and ranges with as few comparison loops as possible... as long as it's proved to be reliable. If not, I'll change to your second suggestion.

Anyway, in the end it could use both (a unique number and a per-digit approach): alone, a math versions comparison is not always pertinent. For example, giving an exploit working on "Apache <= 2.x.y" as an output when the script deals with a target showing "Apache 1.3.x" doesn't make sense.

"This is not mission difficult, Mr. Hunt, it's mission impossible" :)

Thanks!

A.G.

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
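The trade-off argued in this thread, as an added example (not code from the thread or from the NSE library under discussion): `packed` follows the quoted suggestion to divide component i by a million to the i power, while `key` compares component by component and `in_range` adds the release-stream check. The function names, the suffix table, the `letters_are_patches` switch and the sample versions are assumptions constructed for illustration.

```python
import re
from fractions import Fraction

_VER = re.compile(r"(\d+(?:\.\d+)*)[-_]?([A-Za-z]*)(\d*)")
# Constructed table: suffixes that sort BEFORE the plain release.
PRE_RELEASE = {"a": -3, "alpha": -3, "b": -2, "beta": -2, "rc": -1}

def packed(version, base=10**6):
    """Single-number form: component i divided by base**i (suffix ignored)."""
    nums = _VER.search(version).group(1).split(".")
    return sum(Fraction(int(n), base**i) for i, n in enumerate(nums))

def key(version, letters_are_patches=False):
    """Per-component key: (numbers, suffix rank, suffix word, suffix number)."""
    nums, word, num = _VER.search(version).groups()
    word = word.lower()
    if not word:
        rank = 0                      # plain release
    elif letters_are_patches or word not in PRE_RELEASE:
        rank = 1                      # OpenSSL 0.9.8l, BIND -P1: after the release
    else:
        rank = PRE_RELEASE[word]      # alpha / beta / RC: before the release
    return (tuple(int(n) for n in nums.split(".")), rank, word, int(num or 0))

def same_stream(a, b, depth=2):
    """True when the first `depth` numeric components match."""
    return key(a)[0][:depth] == key(b)[0][:depth]

def in_range(target, upper, depth=2, **scheme):
    """target <= upper, but only within the same release stream."""
    return (same_stream(target, upper, depth)
            and key(target, **scheme) <= key(upper, **scheme))

if __name__ == "__main__":
    # Constructed sample pairs based on the cases raised in the thread.
    print(packed("PHP 5.3.4RC2") == packed("PHP 5.3.4"))   # RC suffix is lost
    print(key("PHP 5.3.4RC2") < key("PHP 5.3.4"))          # RC sorts first
    print(packed("1.3.41") <= packed("2.2.17"), in_range("1.3.41", "2.2.17"))
    print(key("0.9.8b") < key("0.9.8"), key("0.9.8b", True) > key("0.9.8", True))
```

BIND's -ESV-R3 form is only parsed as far as ESV here; it would need its own per-product rule, in the same way the `letters_are_patches` switch is needed to tell an OpenSSL "b" from a beta "b".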