Date: Fri, 15 Nov 2002 10:23:40 +0300
From: Solar Designer <solar@...nwall.com>
To: announce@...ts.openwall.com
Subject: BIND 4.9.10-OW2, crypt_blowfish 0.4.5

Hi,

Yesterday I put out the BIND 4.9.10-OW2 patch, which includes the
patch provided by ISC and thus has the two recently announced
vulnerabilities affecting BIND 4 fixed.  Previous versions of
BIND 4.9.x-OW patches, if used properly, significantly reduced the
impact of the "named" vulnerability.  The patches (and links to more
information on the vulnerabilities) are available at their usual
location:

	http://www.openwall.com/bind/

A patch against BIND 4.9.11 will appear as soon as this version is
officially released, although it will likely be effectively the same
as the currently available 4.9.10-OW2.

It hasn't been fully researched whether the resolver code in glibc,
and in particular on Openwall GNU/*/Linux (Owl), shares any of the
newly discovered BIND 4 resolver library vulnerabilities.  Analysis is
in progress.

Another recent update is crypt_blowfish 0.4.5, available at:

	http://www.openwall.com/crypt/

For those who didn't know, this is an implementation of a modern
password hashing algorithm, bcrypt, provided via the crypt(3) and a
reentrant interface.  bcrypt originates in OpenBSD, and now is also
used on Owl and a few other Linux distributions.  This release
corrects the x86-specific assembly code which was in fact not
reentrant (a bug), adds a test for proper behavior with multiple
threads (such that bugs like this don't get into a release again), and
is more careful about zeroing out sensitive data.  Of course, it is
already in Owl-current (in fact, crypt_blowfish is maintained as a
part of Owl).

-- 
/sd
