diff --git a/CHANGELOG b/CHANGELOG index 653e8a092..bd35ed827 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -5,6 +5,23 @@ o Updated nmap-mac-prefixes to reflect the latest OUI DB from the IEEE Also added a couple unregistered OUI's (for QEMU and Bochs) suggested by Robert Millan (rmh(a)aybabtu.com). +o Fixed a bug which could cause false "open" ports when doing a UDP + scan of localhost. This usually only happened when you scan tens of + thousands of ports (e.g. -p- option). + +o Fixed a bug in service detection which could lead to a crash when + "--version-intensity 0" was used with a UDP scan. Thanks to Makoto + Shiotsuki (shio(a)st.rim.or.jp) for reporting the problem and Doug + Hoyte for producing a patch. + +o Made some AIX and HP-UX portability fixes to Libdnet and NmapFE. + These were sent in by Peter O'Gorman + (nmap-dev(a)mlists.thewrittenword.com). + +o Changed mass_dns system to print a warning if it can't find any + available DNS servers, but not quit like it used to. Thanks to Doug + Hoyte for the patch. + Nmap 4.04BETA1 o Integrated all of your submissions (about a thousand) from the first diff --git a/docs/nmap.dtd b/docs/nmap.dtd index 7d14e0852..42b4e51f4 100644 --- a/docs/nmap.dtd +++ b/docs/nmap.dtd @@ -78,7 +78,7 @@ start %attr_numeric; #IMPLIED startstr CDATA #IMPLIED version CDATA #REQUIRED - xmloutputversion (1.02) #REQUIRED + xmloutputversion (1.01) #REQUIRED > diff --git a/libdnet-stripped/NMAP_MODIFICATIONS b/libdnet-stripped/NMAP_MODIFICATIONS index 5fab577cb..6809d6399 100644 --- a/libdnet-stripped/NMAP_MODIFICATIONS +++ b/libdnet-stripped/NMAP_MODIFICATIONS 
@@ -185,3 +185,115 @@ o Consider Windows interfaces to be down if they are disconnected, unreachable, entry->intf_flags |= INTF_FLAG_UP; if (ifrow->dwType == MIB_IF_TYPE_LOOPBACK) entry->intf_flags |= INTF_FLAG_LOOPBACK; + +o Made some AIX/HP-UX portability changes sent in by Peter O'Gorman +(nmap-dev@mlists.thewrittenword.com): + + +Index: include/dnet/ip6.h +=================================================================== +--- include/dnet/ip6.h (revision 3309) ++++ include/dnet/ip6.h (working copy) +@@ -25,7 +25,9 @@ + } ip6_addr_t; + + #ifndef __GNUC__ ++#ifndef __attribute__ + # define __attribute__(x) ++#endif + # pragma pack(1) + #endif + +Index: include/dnet/ip.h +=================================================================== +--- include/dnet/ip.h (revision 3309) ++++ include/dnet/ip.h (working copy) +@@ -25,7 +25,9 @@ + typedef uint32_t ip_addr_t; + + #ifndef __GNUC__ ++#ifndef __attribute__ + # define __attribute__(x) ++#endif + # pragma pack(1) + #endif + +Index: include/dnet/arp.h +=================================================================== +--- include/dnet/arp.h (revision 3309) ++++ include/dnet/arp.h (working copy) +@@ -16,7 +16,9 @@ + #define ARP_ETHIP_LEN 20 /* base ARP message length */ + + #ifndef __GNUC__ ++#ifndef __attribute__ + # define __attribute__(x) ++#endif + # pragma pack(1) + #endif + +Index: include/dnet/tcp.h +=================================================================== +--- include/dnet/tcp.h (revision 3309) ++++ include/dnet/tcp.h (working copy) +@@ -17,7 +17,9 @@ + #define TCP_HDR_LEN_MAX (TCP_HDR_LEN + TCP_OPT_LEN_MAX) + + #ifndef __GNUC__ ++#ifndef __attribute__ + # define __attribute__(x) ++#endif + # pragma pack(1) + #endif + +Index: include/dnet/icmp.h +=================================================================== +--- include/dnet/icmp.h (revision 3309) ++++ include/dnet/icmp.h (working copy) +@@ -16,7 +16,9 @@ + #define ICMP_LEN_MIN 8 /* minimum ICMP message size, with header */ + + #ifndef 
__GNUC__ ++#ifndef __attribute__ + # define __attribute__(x) ++#endif + # pragma pack(1) + #endif + +Index: src/arp-ioctl.c +=================================================================== +--- src/arp-ioctl.c (revision 3309) ++++ src/arp-ioctl.c (working copy) +@@ -383,7 +383,7 @@ + } + return (ret); + } +-#elif defined(HAVE_NET_RADIX_H) ++#elif defined(HAVE_NET_RADIX_H) && !defined(_AIX) + /* XXX - Tru64, others? */ + #include + #include +Index: src/intf.c +=================================================================== +--- src/intf.c (revision 3309) ++++ src/intf.c (working copy) +@@ -284,7 +284,9 @@ + /* Set interface MTU. */ + if (entry->intf_mtu != 0) { + ifr.ifr_mtu = entry->intf_mtu; ++#ifdef SIOCSIFMTU + if (ioctl(intf->fd, SIOCSIFMTU, &ifr) < 0) ++#endif + return (-1); + } + /* Set interface address. */ +@@ -396,7 +398,9 @@ + _intf_set_type(entry); + + /* Get interface MTU. */ ++#ifdef SIOCGIFMTU + if (ioctl(intf->fd, SIOCGIFMTU, &ifr) < 0) ++#endif + return (-1); + entry->intf_mtu = ifr.ifr_mtu; + diff --git a/libdnet-stripped/include/dnet/arp.h b/libdnet-stripped/include/dnet/arp.h index 5e65e3950..06d4f24e6 100644 --- a/libdnet-stripped/include/dnet/arp.h +++ b/libdnet-stripped/include/dnet/arp.h @@ -16,7 +16,9 @@ #define ARP_ETHIP_LEN 20 /* base ARP message length */ #ifndef __GNUC__ +#ifndef __attribute__ # define __attribute__(x) +#endif # pragma pack(1) #endif diff --git a/libdnet-stripped/include/dnet/icmp.h b/libdnet-stripped/include/dnet/icmp.h index e1c642ded..f0a4d2c2a 100644 --- a/libdnet-stripped/include/dnet/icmp.h +++ b/libdnet-stripped/include/dnet/icmp.h @@ -16,7 +16,9 @@ #define ICMP_LEN_MIN 8 /* minimum ICMP message size, with header */ #ifndef __GNUC__ +#ifndef __attribute__ # define __attribute__(x) +#endif # pragma pack(1) #endif diff --git a/libdnet-stripped/include/dnet/ip.h b/libdnet-stripped/include/dnet/ip.h index f8ff7861f..de75cb1cc 100644 --- a/libdnet-stripped/include/dnet/ip.h 
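Review bot: The new `#ifndef __attribute__` guard in arp.h says nothing about which toolchain already defines that macro, so a later reader cannot judge whether the guard may be dropped; a one-line comment above it such as `/* some non-GNU system headers (AIX/HP-UX per NMAP_MODIFICATIONS) already define this */` would do. Note that `__attribute__` is a reserved identifier, so defining it as a macro is formally outside the standard with or without the guard; the guard only prevents a redefinition error when a system header got there first, and it does not help if such a header is included after this one. The identical change appears in icmp.h, ip.h, ip6.h and tcp.h, so the same comment belongs there.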
+++ b/libdnet-stripped/include/dnet/ip.h @@ -25,7 +25,9 @@ typedef uint32_t ip_addr_t; #ifndef __GNUC__ +#ifndef __attribute__ # define __attribute__(x) +#endif # pragma pack(1) #endif diff --git a/libdnet-stripped/include/dnet/ip6.h b/libdnet-stripped/include/dnet/ip6.h index 57664ede9..bb46f9b55 100644 --- a/libdnet-stripped/include/dnet/ip6.h +++ b/libdnet-stripped/include/dnet/ip6.h @@ -25,7 +25,9 @@ typedef struct ip6_addr { } ip6_addr_t; #ifndef __GNUC__ +#ifndef __attribute__ # define __attribute__(x) +#endif # pragma pack(1) #endif diff --git a/libdnet-stripped/include/dnet/tcp.h b/libdnet-stripped/include/dnet/tcp.h index 1cd2e3dd3..2021f4c12 100644 --- a/libdnet-stripped/include/dnet/tcp.h +++ b/libdnet-stripped/include/dnet/tcp.h @@ -17,7 +17,9 @@ #define TCP_HDR_LEN_MAX (TCP_HDR_LEN + TCP_OPT_LEN_MAX) #ifndef __GNUC__ +#ifndef __attribute__ # define __attribute__(x) +#endif # pragma pack(1) #endif diff --git a/libdnet-stripped/src/arp-ioctl.c b/libdnet-stripped/src/arp-ioctl.c index a2431245b..fe486d1fd 100644 --- a/libdnet-stripped/src/arp-ioctl.c +++ b/libdnet-stripped/src/arp-ioctl.c @@ -383,7 +383,7 @@ arp_loop(arp_t *r, arp_handler callback, void *arg) } return (ret); } -#elif defined(HAVE_NET_RADIX_H) +#elif defined(HAVE_NET_RADIX_H) && !defined(_AIX) /* XXX - Tru64, others? */ #include #include diff --git a/libdnet-stripped/src/intf.c b/libdnet-stripped/src/intf.c index 88f64c544..2ef787bc9 100644 --- a/libdnet-stripped/src/intf.c +++ b/libdnet-stripped/src/intf.c @@ -284,7 +284,9 @@ intf_set(intf_t *intf, const struct intf_entry *entry) /* Set interface MTU. */ if (entry->intf_mtu != 0) { ifr.ifr_mtu = entry->intf_mtu; +#ifdef SIOCSIFMTU if (ioctl(intf->fd, SIOCSIFMTU, &ifr) < 0) +#endif return (-1); } /* Set interface address. */ 
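Review bot: In the intf.c hunk the `#endif` is placed between the `if (ioctl(...SIOCSIFMTU...))` and its `return (-1);`, so on a platform without SIOCSIFMTU the return becomes unconditional and intf_set fails whenever the caller passed a non-zero MTU. That may be the intended semantics (the MTU genuinely cannot be set), but the preprocessor-split `if` hides it; an explicit `#else` branch with a comment makes the behaviour visible. The `ifr.ifr_mtu = entry->intf_mtu;` assignment above the guard is also unguarded, and a platform that lacks the ioctl may lack the `ifr_mtu` member too — worth confirming on the target system. intf_set starts outside the hunk.
```c
		ifr.ifr_mtu = entry->intf_mtu;
#ifdef SIOCSIFMTU
		if (ioctl(intf->fd, SIOCSIFMTU, &ifr) < 0)
			return (-1);
#else
		return (-1);	/* no ioctl to set the MTU on this platform */
#endif
```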
@@ -396,7 +398,9 @@ _intf_get_noalias(intf_t *intf, struct intf_entry *entry) _intf_set_type(entry); /* Get interface MTU. */ +#ifdef SIOCGIFMTU if (ioctl(intf->fd, SIOCGIFMTU, &ifr) < 0) +#endif return (-1); entry->intf_mtu = ifr.ifr_mtu; diff --git a/nmap_dns.cc b/nmap_dns.cc index 66866df05..1030c5f1a 100644 --- a/nmap_dns.cc +++ b/nmap_dns.cc @@ -285,6 +285,7 @@ static struct timeval starttv; static int read_timeout_index; static u16 id_counter; +static int firstrun=1; static ScanProgressMeter *SPM; @@ -847,8 +848,10 @@ void win32_read_registry(char *controlset) { snprintf(keybasebuf, sizeof(keybasebuf), "SYSTEM\\%s\\Services\\Tcpip\\Parameters", controlset); if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, keybasebuf, - 0, KEY_READ, &hKey) != ERROR_SUCCESS) - fatal("Error opening registry to read DNS servers. Try using --system-dns or specify valid servers with --dns-servers"); + 0, KEY_READ, &hKey) != ERROR_SUCCESS) { + if (firstrun) error("mass_dns: warning: Error opening registry to read DNS servers. Try using --system-dns or specify valid servers with --dns-servers"); + return; + } sz = sizeof(buf); if (RegQueryValueEx(hKey, "NameServer", NULL, NULL, (LPBYTE) buf, (LPDWORD) &sz) == ERROR_SUCCESS) @@ -907,7 +910,8 @@ static void parse_resolvdotconf() { fp = fopen("/etc/resolv.conf", "r"); if (fp == NULL) { - fatal("Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers"); + if (firstrun) error("mass_dns: warning: Unable to open /etc/resolv.conf. Try using --system-dns or specify valid servers with --dns-servers"); + return; } while (fgets(buf, sizeof(buf), fp)) { 
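Review bot: In _intf_get_noalias the guarded `if` leaves `return (-1);` unconditional when SIOCGIFMTU is undefined, so every interface lookup fails on that platform and the following `entry->intf_mtu = ifr.ifr_mtu;` becomes unreachable. Unlike the set case, not being able to read the MTU is no reason to fail the whole query; leaving intf_mtu at 0 is consistent with intf_set, which treats 0 as "not set" in the previous hunk. _intf_get_noalias starts outside the hunk.
```c
	/* Get interface MTU. */
#ifdef SIOCGIFMTU
	if (ioctl(intf->fd, SIOCGIFMTU, &ifr) < 0)
		return (-1);
	entry->intf_mtu = ifr.ifr_mtu;
#else
	entry->intf_mtu = 0;	/* unknown here; intf_set treats 0 as "not set" */
#endif
```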
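Review bot: In win32_read_registry the warning is guarded only by `firstrun`, and since the function takes a `controlset` argument it is presumably called once per control set; if so, a first run on a host where several control sets are missing prints the same warning several times before hunk 6 clears the flag. A function-local `static` flag, or clearing `firstrun` after the first warning, would keep it to one line. The `if (firstrun) error(...)` crammed onto a single 150-column line is also hard to read; put the call on its own braced line, and the same applies to the parse_resolvdotconf hunk that follows.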
@@ -1064,8 +1068,7 @@ static void nmap_mass_rdns_core(Target **targets, int num_targets) { if (o.dns_servers) add_dns_server(o.dns_servers); else parse_resolvdotconf(); - if (servs.size() == 0) - fatal("Unable to determine any DNS servers. Try using --system-dns or specify valid servers with --dns_servers"); + if (servs.size() == 0 && firstrun) error("mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns_servers"); } @@ -1099,7 +1102,7 @@ static void nmap_mass_rdns_core(Target **targets, int num_targets) { total_reqs++; } - if (total_reqs == 0) return; + if (total_reqs == 0 || servs.size() == 0) return; // And finally, do it! @@ -1212,4 +1215,6 @@ void nmap_mass_rdns(Target **targets, int num_targets) { log_write(LOG_STDOUT, "DNS resolution of %d IPs took %.2fs.\n", stat_actual, TIMEVAL_MSEC_SUBTRACT(now, starttv) / 1000.0); } } + + firstrun=0; } diff --git a/nmapfe/nmapfe_sig.c b/nmapfe/nmapfe_sig.c index 10c2ccd11..5c87e9875 100644 --- a/nmapfe/nmapfe_sig.c +++ b/nmapfe/nmapfe_sig.c @@ -230,9 +230,10 @@ saveLog (char *filename) if (filename && *filename) { FILE *file; if ((file = fopen(filename, "w"))) { + gchar *text; gtk_text_buffer_get_start_iter(opt.buffer, &start); gtk_text_buffer_get_end_iter(opt.buffer, &end); - gchar *text = gtk_text_buffer_get_text(opt.buffer, + text = gtk_text_buffer_get_text(opt.buffer, &start, &end, FALSE); fputs(text, file); @@ -267,7 +268,7 @@ void openLog(char *filename) void okButton_clicked_cb(GtkWidget *window, GtkButton *button) { const char *selected = gtk_file_selection_get_filename(GTK_FILE_SELECTION(window)); -void (*action)() = g_object_get_data(G_OBJECT(window), "NmapFE_action"); +void (*action)() = (void (*)())g_object_get_data(G_OBJECT(window), "NmapFE_action"); GtkEntry *entry = g_object_get_data(G_OBJECT(window), "NmapFE_entry"); char *filename = g_object_get_data(G_OBJECT(window), "NmapFE_filename"); 
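Review bot: The new warning in nmap_mass_rdns_core tells the user to use `--dns_servers`, while the two warnings added in win32_read_registry and parse_resolvdotconf say `--dns-servers`; the underscore form was inherited from the removed fatal() and looks like a typo of the option name. Since this is now a non-fatal message the user will act on, the line should read `if (servs.size() == 0 && firstrun) error("mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers");`. nmap_mass_rdns_core starts outside the hunk.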
diff --git a/scan_engine.cc b/scan_engine.cc index 9bad4364e..5672fd294 100644 --- a/scan_engine.cc +++ b/scan_engine.cc @@ -3092,6 +3092,14 @@ static bool get_pcap_result(UltraScanInfo *USI, struct timeval *stime) { hss->target->v4sourceip()->s_addr != ip->ip_dst.s_addr) continue; + /* Sometimes we get false results when scanning localhost with + -p- because we scan localhost with src port = dst port and + see our outgoing packet and think it is a response. */ + if (probe->dport() == probe->sport() && + ip->ip_src.s_addr == ip->ip_dst.s_addr && + probe->ipid() == ip->ip_id) + continue; /* We saw the packet we ourselves sent */ + newstate = PORT_OPEN; goodone = true; } diff --git a/service_scan.cc b/service_scan.cc index cdf307008..ac3a73e68 100644 --- a/service_scan.cc +++ b/service_scan.cc @@ -1908,6 +1908,7 @@ static int launchSomeServiceProbes(nsock_pool nsp, ServiceGroup *SG) { ServiceProbe *nextprobe; struct sockaddr_storage ss; size_t ss_len; + static int warn_no_scanning=1; while (SG->services_in_progress.size() < SG->ideal_parallelism && !SG->services_remaining.empty()) { @@ -1918,6 +1919,16 @@ static int launchSomeServiceProbes(nsock_pool nsp, ServiceGroup *SG) { continue; } nextprobe = svc->nextProbe(true); + + if (nextprobe == NULL) { + if (warn_no_scanning && o.debugging) { + printf("Service scan: Not probing some ports due to low intensity\n"); + warn_no_scanning=0; + } + end_svcprobe(nsp, PROBESTATE_FINISHED_NOMATCH, SG, svc, NULL); + continue; + } + // We start by requesting a connection to the target if ((svc->niod = nsi_new(nsp, svc)) == NULL) { fatal("Failed to allocate Nsock I/O descriptor in launchSomeServiceProbes()");
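Review bot: The self-sent-packet check in get_pcap_result compares `probe->ipid()` with `ip->ip_id` directly, and `ip_id` in `struct ip` is the raw network-order field; if ipid() returns the value in host order (the hunk does not show which), the equality only holds for byte-symmetric ids on little-endian hosts and the false "open" results the comment describes would mostly survive. Worth confirming the convention against how ipid() is compared elsewhere in the file and adding `ntohs()` if needed. A short comment on the `continue;` line stating the byte-order assumption would help the next reader. get_pcap_result starts and ends outside the hunk.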
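Review bot: The debug message in launchSomeServiceProbes goes straight to `printf`, whereas the rest of this diff (nmap_mass_rdns, hunk 6) reports through `log_write(LOG_STDOUT, ...)`, so this line bypasses whatever output routing that layer does; use `log_write(LOG_STDOUT, "Service scan: Not probing some ports due to low intensity\n");` instead. The function-static `warn_no_scanning` from the previous hunk limits the message to once per process, which is fine, but a comment on its declaration saying so would make the intent obvious. launchSomeServiceProbes ends outside the hunk.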