Date: Fri, 15 Nov 2002 10:23:40 +0300 From: Solar Designer <solar@...nwall.com> To: announce@...ts.openwall.com Subject: BIND 4.9.10-OW2, crypt_blowfish 0.4.5 Hi, Yesterday I've put out the BIND 4.9.10-OW2 patch, which includes the patch provided by ISC and thus has the two recently announced vulnerabilities affecting BIND 4 fixed. Previous versions of BIND 4.9.x-OW patches, if used properly, significantly reduced the impact of the "named" vulnerability. The patches (and links to more information on the vulnerabilities) are available at their usual location: http://www.openwall.com/bind/ A patch against BIND 4.9.11 will appear as soon as this version is officially released, although it will likely be effectively the same as the currently available 4.9.10-OW2. It hasn't been fully researched whether the resolver code in glibc, and in particular on Openwall GNU/*/Linux (Owl), shares any of the newly discovered BIND 4 resolver library vulnerabilities. Analysis is in progress. Another recent update is crypt_blowfish 0.4.5, available at: http://www.openwall.com/crypt/ For those who didn't know, this is an implementation of a modern password hashing algorithm, bcrypt, provided via the crypt(3) and a reentrant interface. bcrypt originates in OpenBSD, and now is also used on Owl and a few other Linux distributions. This release corrects the x86-specific assembly code which was in fact not reentrant (a bug), adds a test for proper behavior with multiple threads (such that bugs like this don't get into a release again), and is more careful about zeroing out sensitive data. Of course, it is already in Owl-current (in fact, crypt_blowfish is maintained as a part of Owl). -- /sd
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.