Nmap Development mailing list archives
Re: Nmap new version past 7.70 due to CVE-2018-15173
From: Fyodor <fyodor () nmap org>
Date: Wed, 29 Aug 2018 16:59:48 -0700
On Mon, Aug 27, 2018 at 5:55 PM Shashi Guruprasad <sguruprasad () fortinet com> wrote:
Hi Fyodor, or Daniel Miller,

Would it be possible to release a new version of nmap to fix CVE-2018-15173? Qualys is reporting this vulnerability in our system despite installing 7.70-1. I can build from source, but it will mean that I will need to do this all the time in the future…
Hi Shashi. Thanks for your mail. Even though someone applied for a CVE number for this, it's not actually a very serious issue. Apparently some systems are so low in resources that they can't handle our previous depth limit in matching service banners to our service detection signatures. On one of those rare systems (we haven't been able to reproduce it on any of our modern systems), a service you scan on a remote host could accidentally or intentionally cause the Nmap scan to crash. We have now reduced the depth limit so that pretty much any system should be able to handle these edge cases.

While this doesn't seem like much of a risk in itself, there is the issue you noted that tools may now flag Nmap 7.70 and complain because of the CVE number. So maybe doing a new Nmap release would be the easiest way to solve the problem. We'll be keeping that option in mind, although we do have some more features we'd like to add first if possible.

Cheers,
Fyodor