Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 19 Nov 2009 04:55:15 +0300
From: Solar Designer <solar@...nwall.com>
To: announce@...ts.openwall.com
Subject: [openwall-announce] Linux 2.4.37.7-ow1; passwdqc 1.1.4; new Owl ISO; public domain source code snippets

Hi,

This is to announce several things at once:

1. Linux 2.4.37.7-ow1 is out:

http://www.openwall.com/linux/

This is merely an update of the patch to the new 2.4.37.7 kernel
release, which fixes a number of security-related bugs:

http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.37.7

One of these is documented as "fs: pipe.c null pointer dereference".
Let me use this opportunity to remind you that having vm.mmap_min_addr
set to a non-zero value is a must (e.g., it is set to 98304 on the
system I'm typing this on).  There are way too many NULL pointer
dereference bugs and they are and will be getting discovered too often
for reasonably keeping systems up-to-date with the fixes.  A better
strategy may be to treat possible vm.mmap_min_addr bypass bugs as higher
severity ones, simply because there's an expectation that there are a
lot fewer of these (if any are still left).  This is the strategy we're
going to use for Owl.  vm.mmap_min_addr has defaulted to non-zero
(specifically, 32768) in -ow patches and thus on Owl systems for a while.
Thus, we're not treating NULL pointer dereference bugs as "local root"
ones; instead, we'd treat possible vm.mmap_min_addr bypasses as such.

2. There's a new Owl-current ISO image for 32-bit x86 (generated on
November 17) available on our FTP mirrors:

http://www.openwall.com/Owl/DOWNLOAD.shtml

There's also a direct download link (using one of the mirrors) right on
the Owl homepage:

http://www.openwall.com/Owl/

This is a very minor update.  It uses Linux 2.4.37.7-ow1 as the kernel.

Quite possibly, this is the last Owl ISO snapshot to use a 2.4 kernel,
as we're working on fully switching Owl to 2.6 kernels.

3. We've released version 1.1.4 of passwdqc, our password/passphrase
strength checking and policy enforcement toolset:

http://www.openwall.com/passwdqc/

We declare version 1.1.4 the new "stable" release.  The changes since
1.1.3 are mostly limited to minor code and manual pages markup cleanups
(such as for proper formatting on OpenBSD, thanks to Kevin Steves and
Jason McIntyre).

We've learned that passwdqc releases are now being packaged for NetBSD:

http://pkgsrc.se/security/pam-passwdqc

(Many other OS distributions have been doing it for years.)

4. I have published some assorted source code snippets and frameworks
(mostly in C), which I placed in the public domain:

http://openwall.info/wiki/people/solar/software/public-domain-source-code

Some of these were available under Openwall before, some not.  Please
feel free to reuse these in your programs.

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.