In progress:

o Review latest revision of Marek's ncat_proxy.patch - DONE
  http://seclists.org/nmap-dev/2011/q2/573
  o Commit approval pending

o Ncat should close its socket and refuse further connections after the first
  one, if invoked without --keep-open. That's what traditional netcat does
  too. - DONE
  http://seclists.org/nmap-dev/2011/q2/944
  o Add TEST in ncat-test.pl

o Pending uncompleted SSL handshakes when in --exec* listening mode make
  Ncat consume 100% cpu(core/thread).
  Possible solutions:
    o Timeout ssl handshakes.
    o Delay adding the exec output pipes to fselect/WaitForMultipleObjects 
      until the ssl handshake has been completed.
  http://seclists.org/nmap-dev/2011/q2/988

o Ncat chat (at least in ssl mode) no longer gives the banner greeting
  when I connect.  This worked in r23918, but not in r24185, which is
  the one running on chat.nmap.org as of 6/20/11.  Verify by running
  "ncat --ssl -v chat.nmap.org"

o NMAP reports different service results every so often with the same port.
  http://seclists.org/nmap-dev/2011/q2/815

o Fix ncat.xml(the input for the man page) examples section.

o Closing Zenmap without stopping the scan first will leave nmap running in 
  the process list on Windows.


Pending:
o Nmap should defer address parsing in arguments until it has read
  through all the args.  Otherwise you get an error if you use like -S
  with an IPv6 address before you put -6 in the command line.  You
  get a similar problem (on David's IPv6 branch) if you do "-A -6"
  (but "-6 -A works properly).

Pending (low priority):
o libpcre/pcre.h - is cleared upon make distclean thus leaving the SVN
  working directory dirty
  http://seclists.org/nmap-dev/2011/q2/708

o E-mail nmap-dev with QtCreator usage steps for Nmap

o E-mail nmap-dev with GProfiles /ncrack
  o Create new default username list:
  http://seclists.org/nmap-dev/2010/q1/798
  o Could be a SoC Ncrack task, though should prove useful for Nmap
    too
  o We probably want to support several lists.  Like an admin/default
    list like "root", "admin", "administrator", "web", "user", "test",
    and also a general list which we obtain from spidering from
    emails, etc.

Potential:

o Consider offering a way to link Winpcap DLLs so that they start the
  service as needed rather than requiring explicitly installing
  Winpcap and having it start upon system boot.  CACE has offered such
  a thing for many years as WinPcap Pro
  (http://www.cacetech.com/products/winpcap_pro.html).  If we change
  WinPcap in this way, we'd presumably want to also change the symbol
  names as is done in WinPcap Pro.  And it would mean that we have to
  build our Winpcap binaries ourselves (including 64-bit).  We might
  even have to sign our drivers for 64-bit Windows.

o We should offer partial results when a host
  timeouts. I (Fyodor) have been against this in the past, but maybe
  the value is sufficient to be worth the maintenance headaches.  Many
  users have asked for this.  If we do implement this, we may want to
  only print results for the COMPLETED phases (e.g. host discovery,
  port scanning, version detection, traceroute, NSE, etc.)  Trying to
  print partial results of a port scan or NSE or the like might be a
  pain.  And if we print some results for a host which timeouts, we
  should give a very clear warning that the results for that host are
  incomplete. As an example, here is someone who hacked Nmap source
  code to achieve this: http://seclists.org/pen-test/2010/Mar/108.
  o Another benefit would be that it would allow us to clean
    up/regularize the host output code. Right now there are I think
    three places where a host's final output can be printed. If,
    instead, that code just looked at what information was available and
    printed that out only, we could potentially isolate it in just one
    place.
  o This also might let us provide a feature for skipping the rest of
    an Nmap phase which is going too slowly (I think that has its own
    Nmap TODO item).

Done:

o --max-conns is broken in latest svn -> fixed in r24130, other two
  bugs discovered:
  o --max-conns 0 kills ncat with a glibc assertion error on calloc with
  zero as nmemb(??) at:
    init_fdlist(&broadcast_fdlist, o.conn_limit);
  o When killing the first initiated connection on --max-conns > 1 Ncat:
    Ncat: Program bug: fd (5) not on list. QUITTING.
  [DONE]The previous two bugs were introduced in r24130, they are now fixed
  in r24193.

o Ncat hangs on ssl -> done, some refactoring left to do
  http://seclists.org/nmap-dev/2011/q2/842

o Investigate and document how easy it is to drop Ncat.exe by itself
  on other systems and have it work.  We should also look into the
  dependencies of Nmap and Zenmap.  It may be instructive to look at
  "Portable Firefox"
  (http://portableapps.com/apps/internet/firefox_portable) which is
  built using open source technology from portableapps.com, or look at
  "The Network Toolkit" by Cace
  (http://www.cacetech.com/products/network_toolkit.html).  For Nmap
  and Nping, we may want to improve our Winpcap to load as a DLL
  without requiring installation.  There is a separate TODO item for that.

o Fix build_icmp_raw and build_igmp_raw filling the packet data payload
  with zeroes instead of the supplied random data, when nmap is invoked
  with --data-length.

o Zenmap should wait for the return exit code of the nmap scanning subprocess
  upon killing it(canceled scan), otherwise the subprocesses will enter a 
  defunct(zombie) state.