Date: Wed, 24 Feb 2010 20:38:25 +0300 From: Solar Designer <solar@...nwall.com> To: announce@...ts.openwall.com Subject: [openwall-announce] Linux 188.8.131.52-ow1; tcb 1.0.4; crypt_blowfish 1.0.4; JtR 184.108.40.206-jumbo-3 Hi, This is to announce four minor updates at once: 1. The Linux 2.4 kernel patch has been updated to Linux 220.127.116.11. One of the changes made between 18.104.22.168 and 22.214.171.124 is a security fix for the e1000 Ethernet driver issue that could have allowed remote attackers to bypass packet filters (CVE-2009-4536). The Linux 126.96.36.199-ow1 patch additionally includes a post-188.8.131.52 fix for FAT filesystems: http://www.openwall.com/linux/ http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-184.108.40.206 http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-220.127.116.11 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4536 http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.4.37.y.git;a=commitdiff;h=940716e5206ebda003fca89b4ac1076b1fff5c99 2. We've released version 1.0.4 of our tcb suite (which implements the alternative password shadowing scheme on Owl). In this version, a non-security buffer overflow bug with more than NGROUPS_MAX groups per user has been fixed. We do not treat the bug as a security issue because there's no untrusted user input involved. Also, the bug is not even triggerable with typical uses of tcb, where the groups array in question will be a root user's (perhaps just one group). http://www.openwall.com/tcb/ http://www.openwall.com/tcb/ChangeLog 3. There's a minor update of crypt_blowfish (version 1.0.4), our public domain password hashing framework for C/C++. In this version, the check for unsupported iteration counts has been corrected to reject certain iteration counts that would previously be misinterpreted. Also, section .note.GNU-stack has been added to the x86 assembly file to avoid the stack area unnecessarily being made executable on Linux systems that use this convention. http://www.openwall.com/crypt/ On a related note, a Python interface to crypt_blowfish by Daniel Holth has been added to the contributed resources list on the crypt_blowfish homepage: http://www.openwall.com/crypt/#contrib 4. Revision 3 of the jumbo patch for JtR 18.104.22.168 has been released, adding support for cracking NTLMv2 challenge/response exchanges (contributed by JoMo-Kun), as well as support for Oracle 11g SHA-1 based hashes (contributed by Alexandre Hamelin): http://www.openwall.com/john/#contrib http://www.openwall.com/lists/john-users/2010/02/14/1 http://www.openwall.com/lists/john-users/2010/02/12/2 Alexander
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.