Date: Fri, 6 Jan 2006 12:01:19 +0300
From: Solar Designer <solar@...nwall.com>
To: announce@...ts.openwall.com
Cc: owl-users@...ts.openwall.com
Subject: crypt_blowfish 1.0

Hi,

Marko Kreen has discovered and reported a minor security bug in our
password hashing package, crypt_blowfish 0.4.7 and below.  In response
to this, I've released crypt_blowfish 1.0, with the bug fixed:

http://www.openwall.com/crypt/

Since no other significant changes to the code have been made (or needed
to be made) in a long time (despite active use of crypt_blowfish in a
number of projects), I am considering this version mature enough to be
called 1.0.

The bug fixed with this release affected the way salts for extended
DES-based and for MD5-based password hashes were generated with the
crypt_gensalt*() family of functions.  It would result in a higher than
expected number of matching salts with large numbers of password hashes
of the affected types.  crypt_gensalt*()'s functionality for
Blowfish-based (bcrypt) hashes that crypt_blowfish itself implements and
for traditional DES-based crypt(3) hashes was not affected.

Since bcrypt hashes were not affected, default installs of Owl were not
affected either.  The specific impact this could have on non-default
installs of Owl is described in the latest Owl-current change log entry
for glibc:

http://www.openwall.com/Owl/CHANGES-current.shtml

At this time, a similar glibc update for Owl 1.1-stable is not planned.
Instead, we're planning to make another official release of Owl which
would obsolete the 1.1-stable branch.

As this crypt_blowfish bug is my own, and as I was well aware of this
pitfall and avoided it in other places, I am very embarrassed about
this.  I apologize to anyone who might be affected for the exposure and
inconvenience this causes.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments