diff --git a/security/nuclei/Makefile b/security/nuclei/Makefile index 23c963eac5a8..741b63e55fb5 100644 --- a/security/nuclei/Makefile +++ b/security/nuclei/Makefile @@ -1,20 +1,19 @@ PORTNAME= nuclei DISTVERSIONPREFIX= v -DISTVERSION= 3.10.0 -PORTREVISION= 1 +DISTVERSION= 3.11.0 CATEGORIES= security MAINTAINER= dutra@FreeBSD.org COMMENT= Fast vulnerability scanner WWW= https://github.com/projectdiscovery/nuclei LICENSE= MIT USES= go:1.25+,modules GO_MODULE= github.com/projectdiscovery/nuclei/v3 GO_TARGET= ./cmd/${PORTNAME} PLIST_FILES= bin/${PORTNAME} .include diff --git a/security/nuclei/distinfo b/security/nuclei/distinfo index 1e76a0013ecc..0b0c05484d00 100644 --- a/security/nuclei/distinfo +++ b/security/nuclei/distinfo @@ -1,5 +1,5 @@ -TIMESTAMP = 1783234156 -SHA256 (go/security_nuclei/nuclei-v3.10.0/v3.10.0.mod) = 8df7713501b1444f2dfbfa29c072d35fc155c31ce9f2549d07bc85c931e784f9 -SIZE (go/security_nuclei/nuclei-v3.10.0/v3.10.0.mod) = 21028 -SHA256 (go/security_nuclei/nuclei-v3.10.0/v3.10.0.zip) = aab63641cfb2b99edb0517e2d932d0c8c9ee4dcbc88ae368b4682b60bfe44e10 -SIZE (go/security_nuclei/nuclei-v3.10.0/v3.10.0.zip) = 12884762 +TIMESTAMP = 1783629328 +SHA256 (go/security_nuclei/nuclei-v3.11.0/v3.11.0.mod) = 10e140ea9a498fe7409fb32addeacb10b1cd8791c3fc766f14fa13a2d8e2983d +SIZE (go/security_nuclei/nuclei-v3.11.0/v3.11.0.mod) = 21028 +SHA256 (go/security_nuclei/nuclei-v3.11.0/v3.11.0.zip) = 81d3edfa50bdb8837ce5cf414982be4fd57714170dc7189e996f9226fbe0f1bd +SIZE (go/security_nuclei/nuclei-v3.11.0/v3.11.0.zip) = 12891757 diff --git a/security/nuclei/pkg-message b/security/nuclei/pkg-message new file mode 100644 index 000000000000..7ced7e3c90c2 --- /dev/null +++ b/security/nuclei/pkg-message @@ -0,0 +1,16 @@ +Breaking Change: Signed templates required for JavaScript protocol + +Starting with v3.11.0, custom templates that use the javascript: +protocol must be digitally signed before Nuclei will load or execute +them. Unsigned JavaScript templates are now skipped during template +loading and when referenced from workflows. + +Why this change + +This release continues the security hardening started in v3.10.0 +(sandbox enforcement, network policy checks, stricter code-template +handling, YAML include protections, and related fixes in #7469). The +JavaScript protocol exposes Go-backed modules through Nuclei's JS +runtime, which significantly increases attack surface compared with +request-only templates. Requiring signatures brings JavaScript templates +in line with the existing protections for code-protocol templates.