Date: Wed, 24 Feb 2010 20:38:25 +0300
From: Solar Designer <solar@...nwall.com>
To: announce@...ts.openwall.com
Subject: [openwall-announce] Linux 2.4.37.9-ow1; tcb 1.0.4; crypt_blowfish 1.0.4; JtR 1.7.4.2-jumbo-3

Hi,

This is to announce four minor updates at once:

1. The Linux 2.4 kernel patch has been updated to Linux 2.4.37.9.  One
of the changes made between 2.4.37.7 and 2.4.37.9 is a security fix for
the e1000 Ethernet driver issue that could have allowed remote attackers
to bypass packet filters (CVE-2009-4536).  The Linux 2.4.37.9-ow1 patch
additionally includes a post-2.4.37.9 fix for FAT filesystems:

http://www.openwall.com/linux/

http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.37.8
http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.37.9
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4536
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.4.37.y.git;a=commitdiff;h=940716e5206ebda003fca89b4ac1076b1fff5c99

2. We've released version 1.0.4 of our tcb suite (which implements the
alternative password shadowing scheme on Owl).  In this version, a
non-security buffer overflow bug with more than NGROUPS_MAX groups per
user has been fixed.  We do not treat the bug as a security issue
because there's no untrusted user input involved.  Also, the bug is not
even triggerable with typical uses of tcb, where the groups array in
question will be a root user's (perhaps just one group).

http://www.openwall.com/tcb/
http://www.openwall.com/tcb/ChangeLog

3. There's a minor update of crypt_blowfish (version 1.0.4), our public
domain password hashing framework for C/C++.  In this version, the check
for unsupported iteration counts has been corrected to reject certain
iteration counts that would previously be misinterpreted.  Also, section
.note.GNU-stack has been added to the x86 assembly file to avoid the
stack area unnecessarily being made executable on Linux systems that use
this convention.

http://www.openwall.com/crypt/

On a related note, a Python interface to crypt_blowfish by Daniel Holth
has been added to the contributed resources list on the crypt_blowfish
homepage:

http://www.openwall.com/crypt/#contrib

4. Revision 3 of the jumbo patch for JtR 1.7.4.2 has been released,
adding support for cracking NTLMv2 challenge/response exchanges
(contributed by JoMo-Kun), as well as support for Oracle 11g SHA-1 based
hashes (contributed by Alexandre Hamelin):

http://www.openwall.com/john/#contrib
http://www.openwall.com/lists/john-users/2010/02/14/1
http://www.openwall.com/lists/john-users/2010/02/12/2

Alexander
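
The kind of iteration-count validation item 3 refers to, as an added example: this is not code from crypt_blowfish or from the message above, and it illustrates the general check rather than the specific defect fixed in 1.0.4. The function names `bf_parse_cost` and `bf_count_or_zero` are hypothetical, only the `$2a$` prefix is handled, and the sample setting strings are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BF_MIN_COST 4   /* lowest cost bcrypt defines */
#define BF_MAX_COST 31  /* 1 << 31 is the largest count that fits in 32 bits */

/* Parse the two-digit cost of a "$2a$NN$..." setting string (hypothetical
 * helper). Returns 0 and stores 2^NN in *count, or -1 if the setting is
 * malformed or the cost is out of range. */
int bf_parse_cost(const char *setting, uint32_t *count)
{
    if (!setting || strlen(setting) < 7)
        return -1;
    if (memcmp(setting, "$2a$", 4) != 0 || setting[6] != '$')
        return -1;
    /* Both cost characters must be decimal digits before any arithmetic. */
    if (setting[4] < '0' || setting[4] > '9' ||
        setting[5] < '0' || setting[5] > '9')
        return -1;
    unsigned cost = (unsigned)(setting[4] - '0') * 10 +
                    (unsigned)(setting[5] - '0');
    /* Reject rather than shift: shifting a 32-bit value by 32 or more is
     * undefined in C, so an unchecked cost could become an unintended count. */
    if (cost < BF_MIN_COST || cost > BF_MAX_COST)
        return -1;
    *count = (uint32_t)1 << cost;
    return 0;
}

/* Convenience wrapper: the iteration count, or 0 when the setting is rejected
 * (0 is never a valid count). */
uint32_t bf_count_or_zero(const char *setting)
{
    uint32_t count = 0;
    return bf_parse_cost(setting, &count) == 0 ? count : 0;
}

int main(void)
{
    /* Constructed sample settings; salts are placeholders. */
    const char *samples[] = { "$2a$05$salt", "$2a$31$salt", "$2a$32$salt",
                              "$2a$36$salt", "$2a$03$salt", "$2a$1x$salt" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> %lu\n", samples[i],
               (unsigned long)bf_count_or_zero(samples[i]));
    return 0;
}
```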
