v2.5.0 — Security patch release

@kent-tokyo kent-tokyo released this 13 Jun 23:23
· 16 commits to master since this release

Security (CRITICAL/HIGH — 9 fixes)

  • SSRF — VMC certificate fetch (bimi), TCP port scan (ports), raw UDP socket (dns_amplification), MX server connect (email_advanced), SSH fingerprint TCP connect (ssh_fingerprint): all lacked validate_url_safety guard
  • SSRF via redirect — 8 modules followed HTTP redirects without per-hop SSRF validation: identity_security (×2), url_intel, cloud_exposure, cloud_security, subdomain_takeover_ext, web_intelligence (×3)
  • SSRF via raw socket — dns_amplification accepted private IPs as nameserver; email_advanced resolved MX hostname without filtering private IPs before TCP connect
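
An added example, not the project's code, of the per-hop check the redirect fixes above describe: every hop's resolved addresses are classified before the request is allowed, including IPv4-mapped IPv6. The names is_internal, Hop and validate_chain are hypothetical and do not reproduce the project's validate_url_safety or safe_redirect_policy(); the hosts and addresses are constructed.

```rust
use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};

// Addresses an outbound probe must never reach (illustrative, not exhaustive).
fn is_internal_v4(ip: Ipv4Addr) -> bool {
    let o = ip.octets();
    ip.is_private() || ip.is_loopback() || ip.is_link_local() || ip.is_unspecified()
        || ip.is_broadcast() || ip.is_multicast()
        || (o[0] == 100 && (o[1] & 0xc0) == 64) // 100.64.0.0/10 (CGNAT)
}

fn is_internal_v6(ip: Ipv6Addr) -> bool {
    let s = ip.segments();
    ip.is_loopback() || ip.is_unspecified() || ip.is_multicast()
        || (s[0] & 0xfe00) == 0xfc00 // fc00::/7 unique local
        || (s[0] & 0xffc0) == 0xfe80 // fe80::/10 link-local
}

fn is_internal(ip: IpAddr) -> bool {
    match ip {
        IpAddr::V4(v4) => is_internal_v4(v4),
        // ::ffff:a.b.c.d wraps an IPv4 address; classify the inner address.
        IpAddr::V6(v6) => v6.to_ipv4_mapped().map_or_else(|| is_internal_v6(v6), is_internal_v4),
    }
}

// One hop of a redirect chain: the host named in the URL and what it resolved to.
struct Hop { host: &'static str, resolved: Vec<IpAddr> }
// Check every hop of the chain, not only the URL the caller supplied.
fn validate_chain(chain: &[Hop], max_hops: usize) -> Result<(), String> {
    if chain.len() > max_hops { return Err(format!("more than {} hops", max_hops)); }
    for (i, hop) in chain.iter().enumerate() {
        if hop.resolved.is_empty() {
            return Err(format!("hop {} ({}) did not resolve", i, hop.host));
        }
        if let Some(bad) = hop.resolved.iter().find(|ip| is_internal(**ip)) {
            return Err(format!("hop {} ({}) resolves to internal {}", i, hop.host, bad));
        }
    }
    Ok(())
}

fn main() {
    // Constructed chain: a public-looking first hop that redirects to a link-local address.
    let chain = [
        Hop { host: "start.example", resolved: vec!["203.0.113.10".parse().unwrap()] },
        Hop { host: "next.example", resolved: vec!["169.254.169.254".parse().unwrap()] },
    ];
    println!("{:?}", validate_chain(&chain, 5));
}
```

In a live client the connection should go to the address that was checked rather than resolving the hostname a second time.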

Bug fixes (15+)

  • dnsbl — IPv6 DNSBL queries always failed: trailing dot before zone caused double-dot (e.g. ...ip6.arpa.zen.spamhaus.org)
  • delegation — SOA serial check queried system resolver instead of each NS; lame delegation always appeared healthy
  • tlsvuln — TLS 1.1 probe returned true for any TLS 1.2/1.3 server; TLS version probes now run in parallel
  • cipher_suites — test_tls_connection tried to parse hostname as SocketAddr; now resolves via DNS first
  • crypto — validate_timestamp, verify_rekor_entry, verify_zk_proof, verify_notarization returned valid=true from stubs; now return explicit unimplemented error
  • brand_impersonation — Levenshtein distance panicked on IDN/multibyte domains; fixed unreachable tld_variant branch
  • spf_analysis — all_qualifier field was always None; SPF all mechanism now parsed and returned correctly
  • trust_scoring — Hardcoded year comparisons (contains("2024")) broke in 2026; now derives age from current timestamp
  • osint — assess_dns_takeover_risk called check_rdns on NS hostnames instead of check_dns; detect_infrastructure_overlap ASN lookup used wrong domain's IP
  • threat_intelligence — phishing_detection_aggregate hardcoded month strings for recency; now uses age_days < 180
  • techfingerprint — extract_version mixed byte indices from lowercased vs original string; panics on ß/İ
  • health — 4 independent checks were sequential; now parallel via tokio::join!
  • propagation — Early errors from private-IP resolver validation excluded from results
  • ipv6 — tls_reachable set true based only on TCP; DNS queried twice

Performance

  • trust_scoring, threat_intelligence, compliance, network_reputation, health: sequential awaits → tokio::join!

Refactoring

  • helpers: add safe_redirect_policy() and safe_http_client() shared helpers
  • tlsvuln: reuse SkipVerification from tls.rs (eliminated 40-line duplicate)
  • arc: remove always-empty aars field

Full Changelog: v2.4.0...v2.5.0
