Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 11 May 2015 13:31:31 +0300
From: Solar Designer <solar@...nwall.com>
To: Kash Pande <kash@...pleback.net>
Cc: oss-security@...ts.openwall.com
Subject: Re: openwall phpass fallback mode

Hi Kash,

On Sat, May 09, 2015 at 11:40:03PM -0400, Kash Pande wrote:
> http://www.openwall.com/phpass/
> 
> This library has an unfortunate consequence when using it in multiple
> environments without strong consistent access to one crypto method.. it
> will fall back to weaker methods, which breaks the expectations of
> security.. Fallback have been assigned CVE here before. As well, it is
> an openwall release.
> 
> I may be wrong and it could already be assigned one, but I don't see it.

I expect MITRE will decide on your CVE request, but meanwhile: what is
the purpose of your request?  Is it e.g. one or more of the below? -

1. Trying to propose/influence a change for phpass.  If so, what change?

2. Having a CVE ID to list e.g. in an advisory for some piece of
software where you or someone else has somehow "fixed" "the issue".
If so, what software and what's the fix?

3. Testing just how far CVEs can go, and whether/where the slippery
slope stops?  (Is there a CVE for "the world is not perfect" yet?)

4. Testing just how far CVEs can go as it relates specifically to
fallbacks?  (Where are the CVE IDs for autoconf, and also for all
individual autoconf'ed apps?  This actually makes some sense.)

5. Refining the criteria for which fallbacks are CVE worthy vs. not.

6. Getting this one CVE ID assigned for the sake of having one CVE ID,
and not making any use of it nor influencing anything further (thus,
having phpass with a CVE ID assigned and "the issue" not "fixed").

I am primarily interested in aspect #1 above - possible changes to the
actual code - rather than the CVE specifics.

Thanks,

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.