Date: Fri, 6 Jan 2006 12:01:19 +0300
From: Solar Designer <solar@...nwall.com>
To: announce@...ts.openwall.com
Cc: owl-users@...ts.openwall.com
Subject: crypt_blowfish 1.0

Hi,

Marko Kreen has discovered and reported a minor security bug in our
password hashing package, crypt_blowfish 0.4.7 and below.  In response
to this, I've released crypt_blowfish 1.0, with the bug fixed:

	http://www.openwall.com/crypt/

Since no other significant changes to the code have been made (or needed
to be made) in a long time (despite active use of crypt_blowfish in a
number of projects), I am considering this version mature enough to be
called 1.0.

The bug fixed with this release affected the way salts for extended
DES-based and for MD5-based password hashes were generated with the
crypt_gensalt*() family of functions.  It would result in a higher than
expected number of matching salts with large numbers of password hashes
of the affected types.  crypt_gensalt*()'s functionality for
Blowfish-based (bcrypt) hashes that crypt_blowfish itself implements and
for traditional DES-based crypt(3) hashes was not affected.

Since bcrypt hashes were not affected, default installs of Owl were not
affected either.  The specific impact this could have on non-default
installs of Owl is described in the latest Owl-current change log entry
for glibc:

	http://www.openwall.com/Owl/CHANGES-current.shtml

At this time, a similar glibc update for Owl 1.1-stable is not planned.
Instead, we're planning to make another official release of Owl which
would obsolete the 1.1-stable branch.

As this crypt_blowfish bug is my own, and as I was well aware of this
pitfall and avoided it in other places, I am very embarrassed about
this.  I apologize to anyone who might be affected for the exposure and
inconvenience this causes.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments
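The announcement above describes the defect only by its symptom: a higher than expected number of matching salts across large numbers of hashes. The following is an added example, not part of the mail and not code from crypt_blowfish, showing how a maintainer can detect that symptom with a statistical check: generate many salts, count colliding pairs, and compare the count with the birthday-problem estimate for a uniform generator over the 64-character salt alphabet. All function names are the example's own; `low_entropy_salt` is a constructed stand-in for a flawed generator (it derives every character from one random byte) and is not the actual crypt_gensalt*() bug.

```python
"""Added example (not part of the announcement or of crypt_blowfish):
a statistical check for excess salt collisions in a salt generator."""
import secrets
import string
from collections import Counter

# Character set used by crypt(3)-style salts: ./0-9A-Za-z (64 symbols)
SALT_CHARS = "./" + string.digits + string.ascii_uppercase + string.ascii_lowercase


def expected_collisions(n_samples, space_size):
    """Expected number of colliding pairs when n_samples salts are drawn uniformly
    from space_size values: C(n,2) / m (the birthday-problem estimate)."""
    return n_samples * (n_samples - 1) / (2.0 * space_size)


def count_collisions(salts):
    """Observed number of colliding pairs: for each salt value seen k times, C(k,2)."""
    return sum(k * (k - 1) // 2 for k in Counter(salts).values())


def uniform_salt(length):
    """A properly generated salt: every character drawn independently from a CSPRNG."""
    return "".join(secrets.choice(SALT_CHARS) for _ in range(length))


def low_entropy_salt(length):
    """Hypothetical flawed generator, constructed for this example only (it is NOT
    the crypt_blowfish defect): all characters are derived from one random byte,
    so no more than 64 distinct salts can ever be produced whatever the length."""
    b = secrets.randbelow(256)
    return "".join(SALT_CHARS[(b * 7 + i) % len(SALT_CHARS)] for i in range(length))


def salt_collision_report(gen, n_samples, salt_length):
    """Generate n_samples salts with gen() and compare observed collisions against
    the number expected from a uniform generator over len(SALT_CHARS)**salt_length."""
    salts = [gen() for _ in range(n_samples)]
    space = len(SALT_CHARS) ** salt_length
    return {
        "samples": n_samples,
        "distinct": len(set(salts)),
        "observed": count_collisions(salts),
        "expected": expected_collisions(n_samples, space),
    }


def is_suspicious(report, factor=10.0):
    """Flag a generator whose collisions exceed the uniform expectation by `factor`.
    A single collision where far less than one was expected is already a red flag."""
    return report["observed"] > 0 and report["observed"] > factor * report["expected"]


if __name__ == "__main__":
    for name, gen in (("uniform", lambda: uniform_salt(8)),
                      ("low-entropy (constructed)", lambda: low_entropy_salt(8))):
        rep = salt_collision_report(gen, 2000, 8)
        print(f"{name:28s} distinct={rep['distinct']:5d} observed={rep['observed']:7d} "
              f"expected={rep['expected']:.2e} suspicious={is_suspicious(rep)}")
```

With 2000 eight-character salts the uniform generator is expected to produce about 7e-9 colliding pairs, so even one collision in a run of that size is worth investigating; the constructed low-entropy generator produces tens of thousands. The same report works on salts harvested from an existing hash database, which is how a defect like the one described above shows up after the fact.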
