These are current and archived Openwall news items as published on the main page of our website.
Additionally, you can
follow us on Twitter and
you might wish to review
archived postings to our announcement mailing list.
May 14, 2024
We've just
published the slides of Solar Designer's OffensiveCon 2024 keynote talk
"Password cracking: past, present, future".
March 4, 2024
We've just
published the slides of Solar Designer's talk
"Linux kernel remote logging: approaches, challenges, implementation" from BSidesZagreb 2024.
February 28, 2024
LKRG 0.9.8
is out,
adding a remote kernel message logging capability.
September 14, 2023
LKRG 0.9.7
is out,
adding support for Linux 6.4 to 6.5.x and hopefully beyond, as well as for new RHEL 9.1 and 9.2 kernels.
June 25, 2023
passwdqc 2.0.3
is out,
adding Cygwin support, pkg-config file, and assorted minor changes.
Also available is a corresponding update of
passwdqc for Windows,
adding password policy bypass for system-generated passwords for KRBTGT accounts.
Finally, the pre-generated leaked password filter files have been updated (quite a while ago) to include HIBP v8,
encoding the 847+ million unique passwords (from billions of accounts) in a 3.3 GiB (3.5 GB) file.
March 2, 2023
John the Ripper in the cloud has been
updated
to use the latest JtR jumbo on freshly updated Amazon Linux 2 with a newer NVIDIA GPU driver.
Many new AWS instance types are now supported.
December 14, 2022
LKRG 0.9.6
is out,
adding support for Linux 6.1, RHEL 8.7, current CentOS Stream 9 (upcoming RHEL 9.2),
along with a variety of other changes for portability, robustness, and extra security checks.
August 1, 2022
LKRG 0.9.5
is out,
adding support for new longterm kernels 5.10.133+ and reworked support for OverlayFS (Docker).
July 22, 2022
LKRG 0.9.4
is out,
featuring more consistent log messages suitable for both automated analysis and human consumption,
as well as adding support for more longterm Linux kernels and for the OpenRC init system.
April 21, 2022
LKRG 0.9.3
is out,
adding support for latest Linux kernels,
latest CentOS Stream 8/9 and upcoming RHEL 8.6+, openSUSE Leap, and loading into older Xen PV guests.
December 29, 2021
LKRG 0.9.2
is out,
adding support for new Linux kernels, and assorted bug fixes and enhancements.
April 27, 2021
LKRG 0.9.1
is out,
addressing various issues reported against the 0.9.0 release.
April 12, 2021
LKRG 0.9.0
is out,
with support for new Linux kernels, optionally building LKRG in kernel tree,
Continuous Integration (boot tests in VMs, including with Ubuntu's daily updated mainline kernels), and much more.
April 4, 2021
passwdqc 2.0.2
is out,
improving the formatting of auto-generated policy descriptions and adding the libpasswdqc(3) manual page.
March 10, 2021
Two minor updates:
passwdqc
2.0.1 offers improved auto-generated password/passphrase policy descriptions.
scanlogd
2.2.8 builds cleanly with recent glibc.
February 18, 2021
passwdqc 2.0.0
is out,
adding support for external wordlist, denylist, and binary filter files (improved cuckoo filters).
January 11, 2021
After 10 years since the previous release, we've just
released
version 1.2 of
tcb,
implementation of our alternative password shadowing scheme.
Changes include libxcrypt and recent glibc support, translated (non-English) messages support, and dropping of NIS/NIS+ support.
June 25, 2020
LKRG 0.8
is out,
adding support for latest Linux kernels, 32-bit ARM (LKRG 0.7 already had 64-bit), Raspberry Pi 3 & 4, improving scalability,
performance, and tradeoffs, adding the notion of profiles, new documentation, Phoronix Test Suite benchmarks, and much more.
December 25, 2019
passwdqc 1.4.0
is out,
adding optional non-English messages and Linux-PAM audit support.
July 21, 2019
LKRG 0.7
is out,
adding experimental support for ARM64 (AArch64) and grsecurity,
support for Linux kernels 5.1 and 5.2 (and hopefully beyond),
greater SMEP enforcement, and much more.
April 12, 2019
John the Ripper 1.9.0 core
is out.
Stay tuned for the 1.9.0-jumbo-1 release and announcement, which will be "the real one".
February 19, 2019
LKRG 0.6
is out,
adding experimental poor man's Control Flow Integrity support and much more.
November 12, 2018
LKRG 0.5
is out,
completing support for integrity checking of loaded kernel modules and
supporting kernels built with newer versions of GCC.
August 30, 2018
LKRG 0.4
is out,
adding support for Linux kernel 4.17+.
July 12, 2018
For historical reasons, multiple CPU mining focused cryptocurrencies use
yescrypt 0.5 as their proof-of-work (PoW) scheme.
We
introduce a separate project for the PoW use case:
yespower.
May 24, 2018
New
Owl security updates are
available
in the form of source code, RPMs, ISOs, and OpenVZ container templates
addressing CPU, Linux kernel, and procps issues.
April 22, 2018
yescrypt KDF and password hashing scheme has been
updated to 1.0.1,
improving the documentation with guidelines on parameter selection,
currently recommended parameter sets by use case,
and a comparison to scrypt and Argon2.
March 27, 2018
LKRG 0.2
is out,
with added support for loading at early boot stage (e.g., from initramfs), reduced performance impact, and bugs fixed.
February 9, 2018
LKRG 0.1
is out,
cleaned up and with support for Linux kernel 4.15 and RHEL 7.4.
November 19, 2017
We've just released
blists 2.0,
our web interface to mailing list archives that works off indexed mbox files.
Major enhancements since blists 1.0 include
downloadable attachments, re-encoding of content from any supported charsets to UTF-8,
lists of recent messages on each mailing list's main page, and new calendars on the year and month pages.
August 22, 2017
php_mt_seed 4.0
is out,
extending the range of supported PHP versions to include 7.1.0 and above (to current latest and hopefully beyond)
as well as 5.2.0 and below (all the way back to 3.0.7).
Previously, the range was from 5.2.1 to 7.0.x.
Also featuring
rewritten documentation.
August 6, 2017
php_mt_seed 3.3
is out,
extending the range of supported SIMD instruction sets to include SSE2 and AVX-512
(previously, the range was from SSE4.1 to AVX2 and MIC).
May 7, 2017
phpass 0.5
is out, providing PHP 7 friendliness and other minor cleanups.
August 25, 2016
New
Openwall GNU/*/Linux
ISO images and OpenVZ container templates
are out.
The updates since last summer are minor, and are mostly limited to bug
and security fixes.
July 22, 2016
A new version of our password/passphrase strength checking and enforcement
tool set,
passwdqc 1.3.1, is out,
fixing a bug with the rarely-used "non-unix" option of pam_passwdqc.
Bindings, ports, and third-party reimplementations of functionality from
passwdqc for/in Go, JavaScript, Perl, PHP, Python, and Ruby are now listed
among
passwdqc contributed resources.
We've just released
passwdqc for Windows.
March 5, 2016
We're introducing
OVE IDs, an alternative to CVE.
October 14, 2015
HPC Village
has recently been
updated to
include an NVIDIA GTX Titan X, the largest GPU card based on NVIDIA's latest
Maxwell architecture, due to sponsorship by
Sagitta HPC.
This is an opportunity for HPC (High Performance Computing) hobbyists
alike to program for a heterogeneous HPC platform. Participants are provided
with remote access to a server with multi-core CPUs and HPC accelerator cards
of different kinds - Intel MIC (Xeon Phi), AMD GPU, NVIDIA GPU. With the recent
update, there are two generations of GPU architectures available in the same
machine for each of AMD and NVIDIA. Some other hardware is also available in
additional machines. Eligible for HPC Village are Open Source software
developers and
ZeroNights 2015 attendees.
Please refer to the
HPC Village project web page
for a lot more detail, including for information on how to apply for an account.
August 2, 2015
New
Openwall GNU/*/Linux
ISO images and OpenVZ container templates
are out,
incorporating packages with security fixes accumulated since the previous
set of ISOs was generated in January.
Most notably, these include fixes for Linux kernel I/O vector array overrun
(CVE-2015-1805) and OpenVZ container escape (CVE-2015-2925), glibc GHOST
(CVE-2015-0235), OpenSSL FREAK (CVE-2015-0204), and BIND TKEY query DoS
(CVE-2015-5477).
November 28, 2014
Solar Designer's ZeroNights 2014 presentation non-slides (actually, a game)
entitled "Is infosec a game?" are now
available online.
August 31, 2014
Our Passwords^14, Skytalks, and WOOT '14 presentation slides
are now available online:
Energy-efficient bcrypt cracking by Katja Malvoni, Solar Designer, and Josip Knezovic.
This reflects progress made at this research project since we presented it last year.
November 4, 2013
We've just
turned our
php_mt_seed PHP mt_rand() seed cracker
from a proof-of-concept into a maintained project with its own homepage.
Changes implemented in October include AVX2 and Intel MIC (Xeon Phi) support,
as well as support for advanced invocation modes, which allow matching of
multiple, non-first, and/or inexact mt_rand() outputs to possible seed values.
October 25, 2013
HPC Village is our new project,
initially setup as a creative way to indirectly sponsor the upcoming
ZeroNights 2013 convention in
Moscow, Russia.
This is an opportunity for HPC (High Performance Computing) hobbyists alike to
program for a heterogeneous HPC platform. Participants are provided
with remote access to a server with multi-core CPUs and HPC accelerator cards
of different kinds - Intel MIC (Xeon Phi), AMD GPU, NVIDIA GPU.
Please refer to the
HPC Village project web page
for a lot more detail, including for information on how to apply for an account.
April 24, 2013
A new version of our password/passphrase strength checking and enforcement
tool set,
passwdqc 1.3.0, is out.
September 20, 2012
JtR 1.7.9-jumbo-7
is a bugfix-mostly release.
Besides the many bugfixes (mostly for issues introduced with -jumbo-6), this
release adds support for cracking KeePass 2.x and RAdmin 2.x passwords, more
varieties of PKZIP archives, GPU support under recent Mac OS X,
speedup at many of the previously supported formats,
and many minor features and documentation updates.
At the same time, we've also released
php_mt_seed, a PHP mt_rand() seed cracker
capable of testing all 2
32 seeds in 1 minute on an inexpensive CPU.
Finally, some of you might like to attend
Solar Designer's talk at YaC 2012 (October 1, Moscow, Russia).
The topic is future password hashing setups for Internet companies with
millions of users and passwords.
In a sense, this will be a continuation of
the PHDays talk,
with focus on specific challenges faced at and solutions affordable to this
sort of companies.
August 18, 2012
A new snapshot of Owl-current is available,
including ISO images, OpenVZ container templates,
binary packages for i686 and x86_64, and full sources.
Changes since the previous
set of ISOs and templates (May 8, 2012) include a further minor update of the
Linux/OpenVZ kernel to latest "testing" version in OpenVZ's RHEL5-based branch
(with our usual changes on top of that),
new versions of binutils, tcsh, xinetd, and OpenSSL (the latter two with
minor security fixes),
and minor changes to many Owl packages.
The system has been rebuilt with the new binutils, which required some tweaks
in various packages (now included, so further rebuilds work seamlessly).
This mostly conservative update of Owl-current is a precursor to a similar
update to 3.0-stable (except for the binutils upgrade and some other things),
and to more aggressive changes in Owl-current.
June 29, 2012
John the Ripper 1.7.9-jumbo-6
is the very first release to have GPU support (CUDA and OpenCL) integrated.
It is also the biggest -jumbo update so far, with over 40,000 lines of code
added since -jumbo-5.
Besides GPU support, this release adds support for
Mac OS X keychains, KeePass 1.x, Password Safe, ODF and Office 2007/2010 files,
Firefox/Thunderbird master passwords, RAR -p mode, WPA-PSK,
VNC and SIP challenge/responses, HMAC-SHA-*, IBM RACF, built-in SHA-crypt,
DragonFly BSD SHA-2, Django, Drupal 7, WoltLab BB3, new EPiServer,
GOST R 34.11-94, LinkedIn raw SHA-1 flavor -
with OpenMP, CUDA, and/or OpenCL for many of these.
Additionally, optimizations were made and OpenMP/CUDA/OpenCL added for many of
the previously-supported hashes and ciphers.
AMD XOP support was added for MD4, MD5, and SHA-1, for at least a 20% speedup
on Bulldozer at hashes building on these primitives and making use of the SIMD
interface.
Many main program features and tiny new programs were added.
May 8, 2012
A new snapshot of Owl-current is available,
including ISO images, OpenVZ container templates,
binary packages for i686 and x86_64, and full sources.
Significant changes since the previous
set of ISOs and templates (October 26, 2011) include
update of the Linux/OpenVZ kernel to one based on RHEL 5.8's,
GCC update to 4.6.3,
"gcc -Wl,-z,relro -Wl,-z,now" by default as a security hardening measure,
John the Ripper 1.7.9+ with enabled OpenMP parallelization,
move to ISOLINUX for the bootloader for the ISOs,
building of glibc's UTF-8 locales by default (despite of the size increase),
new versions of OpenSSL, lftp, strace, hdparm.
March 17, 2012
As many of you are aware, Openwall participated in Google Summer of Code
(GSoC) last year. We worked with 5 students under the GSoC program, we
got useful stuff done (with some of it being in mainline Linux kernels
and in released versions of John the Ripper now), and we met new people
some of whom are now involved with our projects.
So we're doing it again:
Openwall is a mentoring organization for Google Summer of Code 2012.
Interested students are welcome to check out our
ideas page and contact us.
Openwall wordlists collection
now comes with a bonus - two
lists of passwords commonly generated by pwgen 2.06 with default
settings for output to a tty and non-tty. These contain 44 and 45.5
million entries and they crack 21% and 75% of passwords of the
corresponding kind - for tty and non-tty, respectively. pwgen is a
fairly popular command-line password generator program for Unix systems.
It is part e.g. of Debian and Ubuntu.
November 9, 2011
John the Ripper 1.7.8-jumbo-8
is out.
This revision adds optional OpenMP parallelization for MD5-based crypt(3) and
Apache $apr1$ hashes when building with SSE2 intrinsics, as well as for
SAP CODVN B (BCODE) and SAP CODVN G (PASSCODE).
Many other enhancements
have been made as well.
Also added is a benchmark comparison tool.
October 26, 2011
An update of Owl 3.0-stable is available, including ISOs, OpenVZ
container templates, binary packages for i686 and x86-64, and indeed the
sources.
It includes kernel update to OpenVZ's latest stable RHEL 5.7-based (with our
usual changes),
security fixes to RPM (originally made and tested in Owl-current)
and to pam_env (which was not in use on default installs of Owl),
timezone data update (critical for Russia and some other countries),
and introduction of the hardlink(1) program.
At the same time,
Owl-current has moved to GCC 4.6.1.
This is a major development milestone towards Owl 4.0.
October 10, 2011
A new snapshot of Owl-current is available,
including a complete set of components:
ISO images, OpenVZ container templates, binary packages for i686 and x86_64,
and indeed the source code.
Significant changes since the previous
set of ISOs and templates (those of Owl 3.0-stable this time, generated a month
ago) include update of the Linux/OpenVZ kernel to one based on RHEL 5.7's,
introduction of tzdata package with up-to-date timezone data, and a security
fix to Owl's package of RPM (the package manager).
September 9, 2011
Openwall GNU/*/Linux
3.0-stable
has been updated
to include
almost all changes
made and tested in Owl-current in recent months,
including new package additions,
and excluding only changes that would break binary compatibility with the
3.0 release
(specifically, Owl-current's OpenSSL update and related changes are excluded
from 3.0-stable).
New ISO images and OpenVZ container templates of Owl 3.0-stable are available
for i686 and x86_64.
August 18, 2011
Some of the most active members of the
john-users mailing list hosted by Openwall
participated in
KoreLogic's "Crack Me If You Can"
password cracking contest at DEFCON earlier this month, as team
john-users. Openwall provided the team with a contest server,
which was used to coordinate activities of the team's members, to exchange
files, and to automatically submit cracked passwords to the contest
organizers.
The team consisted of 16 active members who ran
John the Ripper and a few other tools
on a total of over a hundred of CPU cores (estimated at 150 average, 300 peak)
over the 48-hour period.
We ended up taking 3rd place overall (out of 22), and we're
first for 5 out of 20 hash types.
Additionally, we temporarily held 1st place during the contest at two times.
The contest was fun and challenging, it helped us test some experimental
John the Ripper code and identify areas for further improvement.
Today, we're making available our
writeup on our experience in
the contest.
August 3, 2011
John the Ripper 1.7.8-jumbo-5 is out,
adding support for more character encodings via the new "--encoding" option
(utf-8, iso-8859-1, koi8-r, cp1251) and support for raw SHA-224, SHA-256,
SHA-384, and SHA-512 hashes.
July 27, 2011
A new snapshot of
Owl-current is available, including ISO images,
OpenVZ container templates, binary packages for i686 and x86_64, and indeed the
source code.
Significant changes since the previous
set of ISOs and templates (generated on March 12) include updates of the
RHEL5/OpenVZ Linux kernel, strace, Nmap, John the Ripper, iputils, iproute2,
and LILO to new upstream versions, security fixes and security-relevant
enhancements to Owl's packages of the kernel, iptables, RPM, glibc
(crypt_blowfish upgrade to 1.2), and addition of limited support for
LSISAS8208ELP disk controllers.
July 24, 2011
John the Ripper 1.7.8-jumbo-4
adds compile-time plugins, much faster MSCash2 (now uses SSE2, optionally along
with OpenMP), enhanced "generic MD5" (makes available more of the MD5 and SHA-1
based hash types under more of the build targets).
John the Ripper 1.7.8 has been
built for Android.
July 17, 2011
crypt_blowfish 1.2 and
tcb 1.1
have been released.
crypt_blowfish 1.2 adds a countermeasure to avoid one-correct to many-buggy
hash collisions with the "$2a$" prefix, and both crypt_blowfish and tcb move to
the new prefix of "$2y$" to denote correctly computed hashes that don't need
the countermeasure.
June 8, 2011
John the Ripper 1.7.7-jumbo-6
integrates preliminary support for several
non-hashes,
implemented under Dhiru Kholia's GSoC 2011 project.
Specifically, it supports cracking of
OpenSSH's passphrase-protected SSH protocol 2 private keys
(with OpenMP parallelization),
password-protected PDF files with 40-bit and 128-bit RC4 encryption,
and some password-protected RAR archives.
At the same time, it integrates support for password hashes of
Sybase ASE (also by Dhiru),
hmailserver (by James Nobis), and
MediaWiki "B" type (by JimF).
As usual, we've added many minor enhancements as well.
June 6, 2011
We've just released version 1.0 of
blists,
our web interface to mailing list archives that works off indexed mbox files.
Please feel free to use it for your own mailing lists.
We've setup a new mailing list, kernel-hardening.
The intent is to use it to discuss proposed security hardening changes to the
Linux kernel before possibly bringing them to LKML,
as well as to CC it on relevant LKML threads.
It is also OK to discuss hardening changes that are not meant for upstream.
June 3, 2011
John the Ripper 1.7.7-jumbo-5 is out.
This is possibly the largest single jumbo patch update made so far.
In this revision,
MD5 and SHA-1 based hashes have been sped up with SSE2/AVX intrinsics,
md5_gen has been expanded with more MD5-based hash types,
UTF-8 support has been added (the "--utf8" option),
MPI parallelization support for all cracking modes has been integrated, and
OpenMP parallelization support has been added to a few more hash types.
At the same time, three
new formats have been added: mskrb5 (offline attack on MS Kerberos 5
pre-authentication data), rawMD5unicode (MD5 of UCS-2 encoded
plaintext), and salted_sha1 (faster handling of some LDAP {SSHA} hashes).
The "unique" program, Markov mode, ETA display, and programming interfaces
have been enhanced.
Our web interface to archives of
Openwall's, Openwall-hosted, and
other relevant mailing lists
has been
enhanced
to include month and day index pages with message subjects and authors
(finally).
March 19, 2011
Openwall is a mentoring organization for Google Summer of Code 2011 (GSoC).
Here's our
GSoC organization profile and our
ideas list
(includes ideas on
Owl,
JtR, and more).
We'd like to
hear from
students interested in working on any of the ideas (or on their "own creative
and relevant idea"), as well as from prospective mentors.
We're already aware of some. :-)
Nmap project
summarizes GSoC as follows:
"This innovative and extraordinarily generous program provides $5,000
stipends to 1,000+ college and graduate students to create and enhance
open source software during their summer break. Students gain valuable
experience, get paid, strengthen their resume, and write code which will
be distributed freely and used by millions of people!"
March 13, 2011
The 2011/03/12 Owl-current snapshot
has finally deviated from Owl 3.0 and RHEL4 binary compatibility
(moving towards RHEL6 binary compatibility) by updating OpenSSL to 1.0.0d.
Besides OpenSSL, we've updated vsftpd to 2.3.4
(remote DoS vulnerability fix, CVE-2011-0762),
patchutils to 0.3.2,
and the Linux kernel to OpenVZ's latest "RHEL5 testing"
one (-238.5.1.el5.028stab085.2) with our usual changes.
At the same time,
we've made the first pre-compiled snapshot of Owl 3.0-stable available.
Compared to the 3.0 release, Owl 3.0-stable 2011/03/12 corrects a VIM packaging
error, a vulnerability in the patch(1) program (CVE-2010-4651),
two vulnerabilities in OpenSSL (CVE-2010-4180, CVE-2009-0590), which were at
worst of moderate severity, and it updates vsftpd to 2.3.4 (CVE-2011-0762 fix)
and patchutils to 0.3.2.
Earlier this month, we've setup
public mailing lists
for discussions around development of
Openwall GNU/*/Linux (owl-dev) and
John the Ripper (john-dev).
Previously, only user community public mailing lists existed for these projects
(owl-users and john-users, respectively).
February 17, 2011
John the Ripper 1.7.6-jumbo-12 is out.
This revision corrects the "generic MD5" self-test bug
(introduced in -jumbo-10).
It also enhances the MSCash and MSCash2 OpenMP parallelization to
adjust the number of key slots according to the number of threads.
February 6, 2011
We've made available the first Owl-current snapshot after our 3.0 release
(new ISO images, OpenVZ container templates, and indeed packages and sources).
Since the release,
we've moved from RHEL 5.5-based to RHEL 5.6-based Linux/OpenVZ kernels,
added support for
non-raw (datagram) ICMP sockets
and made use of said support in ping(1),
added several new packages (ethtool, pv ("Pipe Viewer"), bridge-utils,
libusb1, usbutils, vconfig),
updated to latest upstream versions of LILO, e2fsprogs, Nmap (adding Nping),
and made some other
enhancements and corrections.
Additionally, we've enhanced our infrastructure such that
Owl snapshots (and not just releases) are now
always PGP-signed.
John the Ripper jumbo patch revision 1.7.6-jumbo-11 is out.
This revision
corrects an x86-64-specific NTLM bug,
improves self-tests (which uncovered another bug, not yet fixed),
adds support for cracking
MSCash2 (Domain Cached Credentials of modern Windows systems)
with optional OpenMP parallelization,
and adds similar OpenMP parallelization for the original MSCash.
We'd like to thank bartavelle and S3nf for their contributions to this update.
Additionally, Simon John has built unofficial
RPM packages of JtR for 64-bit Fedora.
These are of the brand new 1.7.6-jumbo-11 with OpenMP parallelization enabled,
as well as of the older 1.7.6-omp-des-7, which provides OpenMP parallelization
for DES-based hashes (this is not part of the jumbo patch).
December 15, 2010
Openwall GNU/*/Linux (Owl) version 3.0 is finally out!
The
enhancements since Owl 2.0
include:
x86-64 support,
move to RHEL 5.5-like Linux 2.6 kernels (with additional changes),
kernel in an RPM package
designed to allow for easy non-RPM'ed kernel builds as well (optional),
integrated OpenVZ container-based virtualization (optional),
"make iso" and "make vztemplate" targets in the build environment
(to easily generate new Owl CD images and OpenVZ container
templates, respectively),
ext4 filesystem support
(in fact, Owl 3.0's installer offers ext4 by default,
with ext3 and ext2 still available as options),
xz compression support (LZMA, LZMA2) throughout the system
(not only xz* commands, but also support in tar, rpm, less, color ls output),
a few new packages
(smartmontools, mdadm, cdrkit, pciutils, dmidecode, vzctl, vzquota, xz),
lots of package updates,
improved hardware compatibility and
more intuitive installation process,
credentials logging in syslogd (the sender's UID and PID are logged),
key blacklisting support in OpenSSH,
and many other enhancements and corrections.
After the release, we intend to proceed with further development under
Owl-current and to maintain the newly-created Owl 3.0-stable branch until
the next release, as usual.
Compared to the December 9 snapshot of Owl-current, the 3.0 release
makes some corrections to support
upgrades from Owl 2.0
and it adds some security fixes to Perl
(for issues that affected relatively obscure and inherently risky uses of Perl
and its modules).
December 10, 2010
There are new
Owl-current ISOs, OpenVZ container templates, and
pre-built packages for i686 and x86-64.
Compared to the September 24 snapshot, the Linux/OpenVZ kernel has once again
been updated to OpenVZ's latest from their "RHEL5 testing" branch, with some
additional security fixes and security hardening measures added on top of it.
Many packages have been updated to new upstream versions: binutils, hdparm, ed,
man-pages, diffstat, flex, ncurses, VIM, Linux-PAM, GnuPG, cdrkit, iptables,
SysVinit, smartmontools, lftp, xz, Postfix.
Finally, many minor enhancements to various Owl packages have been made.
Please refer to the
change log for details.
September 25, 2010
New
Owl-current ISOs, OpenVZ container templates, and
pre-built packages for i686 and x86-64 have been made available yesterday.
(Indeed, the full source code is always available as well.)
Most importantly,
the kernel has been updated to include a fix for CVE-2010-3081
(this was a "local root" and "container escape" vulnerability on 64-bit kernels
built with 32-bit compatibility enabled).
Some other updates since the September 3 snapshot include the introduction
of xz and lzma compression support (the xz package and changes made to rpm,
less, and coreutils),
new upstream versions of lftp, bzip2 (CVE-2010-0405 fix), grep, hdparm, and
OpenVZ kernel (2.6.18-194.11.3.el5.028stab071.5 with our changes), and
our new version of pam_mktemp.
September 20, 2010
pam_mktemp 1.1.1 is out.
pam_mktemp provides per-user directories under /tmp.
This new release adds SELinux support,
Solaris support (requires GNU make and gcc),
and makes the use of the append-only flag with ext2/3/4 filesystems optional.
September 3, 2010
There's a new snapshot of
Owl-current available on our
FTP mirrors.
Besides the full source code, this includes pre-built packages, ISOs,
and OpenVZ container templates for i686 and x86-64.
As usual, there are also
direct download links to the ISOs on the Owl homepage.
In this snapshot, the kernel has been updated to OpenVZ's latest from their "RHEL5 testing" branch (2.6.18-194.11.3.el5.028stab071.3) with minor additional changes.
CD bootup and the installer have been improved some further.
The e2fsprogs, diffutils, bison, man-pages, man, diffstat, gawk, cdrkit, iptables, sed, grep, ltrace, hdparm, mktemp, vsftpd, acct, file, and m4 packages have been updated to new upstream versions.
Assorted minor improvements have been made and/or bugfixes applied to several other packages.
Please refer to the
change log for more
information on some of these changes.
August 7, 2010
The July 29 snapshot of Owl-current (announced below) is now available for
purchase on CD (both 32- and 64-bit).
July 30, 2010
New ISO images and pre-created OpenVZ container templates of
Owl-current
for i686 and x86-64 are available on our
FTP mirrors.
The ISOs are also available via
direct download links on the Owl homepage.
We have once again updated Owl to use OpenVZ's latest kernel from their "rhel5"
branch, and we've switched to using RPM-packaged kernels,
but in a way allowing for easy non-packaged builds as well.
At the same time, we've introduced support for the ext4 filesystem
(in fact, it is now offered by default for new installs),
and we've improved CD bootup and the installer ("settle") in numerous ways.
The packages of passwdqc, strace, lftp, tcb, JtR, and Postfix
have been updated to new versions,
and changes have been made to several other packages.
Please refer to the
change log for more
information on some of the changes.
July 5, 2010
John the Ripper 1.7.6,
originally released as a development version because of the extent of the
changes made, has been re-labeled the new stable version.
There hasn't been a single bug report against this version since it was
released over two weeks ago, yet people successfully built, ran, and some even
packaged it on a variety of operating systems.
Steven M. Christensen of
Sunfreeware has produced
packages of JtR 1.7.6 for many versions of Solaris,
both SPARC and x86, including both 32-bit and 64-bit builds.
GI John - Grid implemented John the Ripper, a curious non-Openwall project -
has been updated to build upon JtR 1.7.6-jumbo-3.
June 14, 2010
John the Ripper version 1.7.6 is out.
This is a development version
adding generic crypt(3) support
(e.g., to be used for SHA-crypt and SunMD5 hashes),
optional partial parallelization with OpenMP
(of the new generic crypt(3) code on Linux and Solaris and
of John's optimized code for the OpenBSD-style Blowfish-based crypt(3) hashes),
more optimal DES S-box expressions for PowerPC with AltiVec,
as well as making minor usability improvements
and reworking the bitslice DES C source code.
Please refer to the
change log and the
john-users announcement
for more detail.
June 13, 2010
The
tcb suite,
implementing our alternative password shadowing scheme on
Owl (and reused by a number of other systems),
has been updated to version 1.0.6.
The only
change
since version 1.0.5 is removal of a faulty check for sparse files.
This change was needed for compatibility with modern filesystems such as btrfs.
June 6, 2010
"How to manage a PHP application's users and passwords" has been republished
on the Openwall website.
At the same time, three old Openwall security advisories have been updated to
focus on currently relevant aspects and turned into
articles.
May 27, 2010
Solar Designer's
article entitled "How to manage a PHP application's users and passwords"
has been
published on the Month of PHP Security website.
"In this article/tutorial, I will guide you through the steps needed to
introduce proper (in my opinion at least) user/password management into a new
PHP application.
I will start by briefly explaining password/passphrase hashing and
how to access the database safely.
Then we will proceed through several revisions of the sample program.
We'll start with a very simple PHP program capable of creating new users
only and having some subtle issues.
We will gradually improve this program adding functionality
(logging in to existing user accounts, changing user passwords, and
enforcing a password policy)
and "discovering" and dealing with the issues.
We will also briefly touch many related topics.
John the Ripper's implementation of OpenBSD-style
Blowfish-based crypt(3) hashes is being parallelized with OpenMP
(which is readily available with recent C compilers, including with gcc).
This is expected to be made official with the next development release.
Meanwhile, there's
a patch on the wiki,
and here are
benchmarks on 8-way x86-64 systems
(Core i7 and Dual quad-core Xeon) and
32-way UltraSPARC T2
(quad-core, 8 threads per core).
April 25, 2010
The
jumbo patch
for
John the Ripper 1.7.5
has been updated to revision 3.
Most notably, this
adds documentation on LM/NTLM challenge/response authentication cracking
(doc/NETNTLM_README),
improves the netntlm.pl script,
and adds the "--config" option.
These changes have been
contributed by JoMo-Kun.
April 22, 2010
There's a new revision of our
PHP password hashing framework - phpass 0.3.
This revision no longer requires the getmypid() PHP function
(which a few shared hosting providers disable)
and it supports the "$H$" hash encoding prefix (as used by phpBB3).
Also, the size of an array in the C reimplementation,
which is unused by the framework itself, has been corrected
(thanks to Christian von Schultz for reporting the bug).
March 27, 2010
passwdqc 1.2.1
is out.
In this version, a password strength check has been adjusted to no longer
subject certain passwords that start with a digit and/or end with a capital
letter to an unintentionally stricter policy.
March 23, 2010
Today's ISO images and pre-created OpenVZ container templates of
Owl-current
for x86 and x86-64 are currently propagating to our
FTP mirrors.
The ISOs are also available via
direct download links on the
Owl homepage.
We have updated Owl to use OpenVZ's latest kernel from their "rhel5" branch,
with RHEL5 patches further updated from Red Hat's latest stable kernel
and with some minor changes of our own.
The packages of gzip, VIM, tcb, JtR, tcsh, quota, passwdqc, libnids,
pciutils, hdparm, and tar have been updated to new versions or patchlevels,
and changes have been made to several other packages.
Please refer to the
change log for more
information on some of the changes.
March 16, 2010
Version 1.2.0 of
passwdqc, our proactive password/passphrase strength checking and policy enforcement toolset,
is out.
The
pwqcheck program is now
directly usable by OpenBSD,
and it is able to check multiple passwords/passphrases at once
(e.g., for policy testing on large password/passphrase lists).
The random passphrases offered by
pam_passwdqc,
pwqgen, as well as by the
passwdqc_random()
function in
libpasswdqc, will now encode more entropy per separator
character and per word, increasing their default size from 42 to 47 bits.
Substring matching will now partially discount rather than fully remove weak
substrings, support leetspeak, and detect some common sequences of characters
(sequential digits, letters in alphabetical order, adjacent keys on a keyboard).
The passphrase strength checking code will now detect and allow passphrases
with non-ASCII (8-bit) characters in the words.
A number of optimizations have been made resulting in significant speedup
of
passwdqc_check() on real-world passwords.
RPM packages can now be built out of the distribution tarballs.
We've setup a
web page with screenshots demonstrating the uses and setup of passwdqc on
Openwall GNU/*/Linux,
as well as a
wiki page with password strength policy considerations
aimed at systems administrators deploying and configuring passwdqc.
We have also setup the passwdqc-users mailing list.
Please use it to share your experience with passwdqc and ask questions.
The subscription instructions are found right on the
passwdqc homepage.
Social bookmarking buttons have been added to most pages on the Openwall
website, as well as on
the Wiki.
Please use these to add your favorite Openwall web pages to your favorite
social websites.
February 25, 2010
The
tcb suite
has been updated further to version 1.0.5.
The primary
change
since version 1.0.4 is the reduction of the .data section size
and thus of on-disk size of some components by 256 KB
when tcb is compiled against Linux 2.6 kernel headers.
February 24, 2010
There's a minor update of
crypt_blowfish (version 1.0.4),
our public domain password hashing framework for C/C++.
In this version, the check for unsupported iteration counts has been corrected
to reject certain iteration counts that would previously be misinterpreted.
Also, section .note.GNU-stack has been added to the x86 assembly file to avoid
the stack area unnecessarily being made executable on Linux systems that use
this convention.
On a related note, a Python interface to crypt_blowfish by Daniel Holth
has been added to the
contributed resources list on the crypt_blowfish homepage.
January 28, 2010
Fresh ISO images and pre-created OpenVZ container templates of
Owl-current for x86 and x86-64 (generated today)
are available on our
FTP mirrors.
There are also direct download links for the ISOs on the
Owl homepage.
The "make vztemplate" target has been added to the Owl build environment,
making it easy for us and for Owl users to generate new OpenVZ container
templates of the Owl userland.
The 32-bit x86 userland is now being built for "i686" (Pentium Pro and above)
by default.
The packages of JtR, Nmap, and pciutils have been updated to new versions,
libtool and gzip had minor security vulnerabilities fixed,
and changes have been made to several other packages.
Please refer to the
change log for more detailed information on some of the changes.
Martin F. Krafft adopted the
passwdqc
Debian package and brought it up to date.
Our password/passphrase strength checking and policy enforcement toolset
now integrates nicely with PAM on Debian systems,
and command-line utilities as well as the shared library providing the
functionality will soon be available in separate packages.
November 23, 2009
Fresh ISO images of
Owl-current for x86 and x86-64 (generated today)
are available on our
FTP mirrors.
There are also direct download links on the
Owl homepage.
These ISOs represent a major development milestone.
We have replaced the default kernel with a 2.6 OpenVZ one
(featuring optional container-based virtualization),
we've integrated OpenVZ tools
(vzctl and vzquota packages needed to
create, control, examine, and/or destroy OpenVZ containers), and
we've dropped support for Linux 2.4 kernels
(although they're still supported in the maintained Owl 2.0-stable branch).
Besides various changes related to the new kernel and OpenVZ integration,
we've updated vsftpd and diffstat to new upstream versions.
Please refer to the
announcement and the
change log for more detailed information on the changes.
November 18, 2009
We've learned that
passwdqc releases are now being
packaged for NetBSD.
(Many other OS distributions have been doing it for years.)
There's a new ISO image of
Owl-current for 32-bit x86 (generated on November 17)
available on our
FTP mirrors.
It uses Linux 2.4.37.7-ow1 as its default kernel.
Solar Designer
has published some
source code snippets and frameworks (mostly in C),
which he placed in the public domain.
Please feel free to reuse these in your programs.
November 17, 2009
We've just released
passwdqc 1.1.4,
which we declare the new stable release.
The changes since 1.1.3 are mostly limited to minor code and manual pages
markup cleanups (such as for proper formatting on OpenBSD).
October 26, 2009
Fresh ISO images of
Owl-current for x86 and x86-64 (generated on October 25)
are available on our
FTP mirrors.
There are also direct download links on the
Owl homepage.
These ISOs use Linux 2.4.37.6-ow1 as the kernel, and,
compared to last month's ISO snapshots, they
contain updated versions of many packages
(vsftpd, iptables, passwdqc, cpio, e2fsprogs, strace, VIM, and xinetd).
October 25, 2009
Linux 2.4.37.6-ow1 is out.
The 2.4.37.6 kernel fixes a number of information leak vulnerabilities.
One of these was already fixed in 2.4.37.5-ow1,
and the remaining ones may or may not affect specific systems
depending on both kernel and userspace configuration.
October 24, 2009
We've just setup an unofficial
mirror of http://www.packetfactory.net.
We did this because the main Packetfactory site appeared to have gone down
"permanently" (staying down for about a year), whereas much of its content was
still valuable.
The Packetfactory was hosting a number of networking and network security
projects (with a focus on raw IP networking) and related publications.
All of this content is now available on the mirror, although some of the
projects (the actively maintained ones) have since moved elsewhere.
October 23, 2009
passwdqc 1.1.3
introduces an "official" and documented way to build and install
all components but the PAM module on systems without PAM.
At the same time, we've
enhanced the "personal login information" check to consider
the user's home directory path and name
(in addition to the username and full name),
made the code even more portable,
and relaxed the license even further.
October 17, 2009
passwdqc, our password/passphrase strength checking toolset,
has been updated further to version 1.1.2.
The changes since 1.1.0 are mostly focused on restoring portability to
non-Linux platforms (which we broke with the introduction of lots of new
functionality between 1.0.5 and 1.1.0) and on improving the "protocol"
used by the pwqcheck and pwqgen programs.
(passwdqc 1.1.x are considered "development" versions,
although this is primarily because of their potentially more limited
out-of-the-box portability.
The current "stable" version is pam_passwdqc 1.0.5, which readily supports
Linux, FreeBSD, Solaris, and HP-UX.
Additionally, there's a plugin password strength checker for OpenBSD.)
October 15, 2009
We have revised the online version of
«
IPv6: What, Why, How»,
a presentation by Jen Linkova aka Furry.
Most notably, we've introduced an
index page with small but legible images of the 60 slides.
The slides are clickable for higher-resolution and "live" versions (with
up-to-date IPv4 address space exhaustion data from external sources).
The presentation covers topics such as IPv4 address distribution and
address space exhaustion, current approaches at conserving IPv4 address
space usage, IPv6 as the solution, IPv6 address format, examples, and
address types, interface ID and address (auto)configuration, privacy
concerns, IPv6 packet header format (in comparison to IPv4),
fragmentation, ICMPv6 (and how it replaces multiple IPv4 control
protocols), Neighbor Discovery (ND) and how to secure it, IPv6 & DNS,
migration from IPv4 (including dual-stack nodes, tunneling, and address
translation), related security concerns, a summary of advantages of
IPv6, common misconceptions around IPv6, and more.
October 12, 2009
We have turned our pam_passwdqc package (which was up to version 1.0.5)
into a password/passphrase strength checking toolset called simply
passwdqc (now at version 1.1.0).
Specifically, we have introduced
libpasswdqc (a password/passphrase strength checking library),
pwqcheck (a standalone password/passphrase strength checking program), and
pwqgen (a standalone random passphrase generator program),
in addition to the PAM module, which is now built upon libpasswdqc.
We have also added the config=FILE option to allow for specifying the
password/passphrase policy in a configuration file rather than on the
command-line.
Finally, we've revised the documentation,
including introduction of manual pages for the new components.
All of this is mostly due to work by Dmitry V. Levin
(some of it originally for ALT Linux).
September 20, 2009
John the Ripper 1.7.3.4 has been released,
along with an update of the jumbo patch to this new version.
The
changes made since 1.7.3.1
are intended primarily for use by packagers of JtR,
such as for *BSD "ports" and Linux distributions.
Since version 1.7.3.1 has existed for a year and proved to be reliable,
and since the changes between 1.7.3.1 and 1.7.3.4 are so minor,
1.7.3.4 is being declared the new "stable" release.
There are fresh ISO images of
Owl-current (for x86 and x86-64) available on our
FTP mirrors.
These were generated on September 17, and they contain the
package updates and build environment enhancements that we made lately
(new versions of m4, Linux-PAM, bison, ed, Postfix, ELinks, GnuPG, JtR;
a new tri-state setting in the build environment
to control whether the testsuites are to be run).
August 25, 2009
There are new ISO images of Owl-current (for x86 and x86-64) available on our
FTP mirrors.
These use the Linux 2.4.37.5-ow1 kernel, and they contain various
package updates that we made lately.
August 3, 2009
Linux 2.4.37.4-ow1 is out.
The 2.4.37.4 kernel integrates a replacement for the "personality" hardening
measure introduced in 2.4.37.3-ow1.
July 20, 2009
Linux 2.4.37.3-ow1 is out.
Besides being an update to the new kernel release, this revision of the patch
introduces an additional security hardening measure where the kernel will
no longer allow the "personality" feature (which is needed to support some
program binaries from other operating systems) to be abused to bypass the
vm.mmap_min_addr restriction via SUID-root programs with a certain class of
design errors in them.
July 19, 2009
Nmap 5.00,
a major new version of the Nmap Security Scanner,
has been released earlier this week, and we got it into
Owl-current (on the release day, in fact).
We have also released a new ISO-9660 image of Owl-current,
including Nmap 5.00 (with our usual changes for privilege reduction and
with some post-release fixes) usable right off the live CD
(as well as installable indeed), and more.
Please
see the full announcement here.
July 7, 2009
Linux 2.4.37.2-ow1 is out.
This is merely an update to the new kernel version.
At the same time, a new ISO image of Owl-current is made available,
including an OpenSSH security update, a man-pages update,
and two new packages (pciutils and dmidecode), along with the kernel update.
July 6, 2009
PHP 5.3.0 has been released, integrating our
crypt_blowfish code
right into default builds of the PHP interpreter.
This is good news for users of our
PHP password hashing framework, phpass,
because it means that the
bcrypt hashes preferred by phpass will be
portable across systems running PHP 5.3.0+ (as well as portable to some systems
running older versions of PHP, like before), and that fallbacks to weaker hash
types will never occur on PHP 5.3.0+ (unless forced by the programmer).
PHP 5.3.0+ also integrates our revision of the FreeSec code from the
glibc package on Owl, implementing DES-based hashes.
All of this is due to work by Pierre Joye.
Finally, PHP 5.3.0+ replaces the integrated implementation of MD5 with one from
popa3d for slightly better performance
(e.g., of the phpass "portable hashes", which are MD5-based).
May 24, 2009
Linux 2.4.37.1-ow1 is out.
Linux 2.4.37.1, compared to 2.4.35-ow2,
adds numerous security-relevant fixes to various kernel subsystems.
April 29, 2009
A standalone program to call the password complexity checking functions of
pam_passwdqc (e.g., from a script) has been
contributed by Wolfram Wagner and added to the contributed resources list
on the
pam_passwdqc homepage.
March 27, 2009
The collection of
PWDUMP tools
has been updated.
These tools can be used to obtain password hashes from Windows systems
for password security auditing or password recovery.
March 18, 2009
We have just published
«
IPv6: What, Why, How»,
a presentation by Jen Linkova aka Furry.
August 25, 2008
As
announced on john-users,
the jumbo patch has been updated to
John the Ripper version 1.7.3.1.
Revision 2 of the patch for JtR 1.7.3.1 adds
support for SAP passwords (by sap friend),
support for NetScreen ScreenOS passwords (by Samuel Mońux),
other contributed improvements,
some generic improvements originally introduced in JtR Pro,
and many bug and portability fixes
(for issues seen with previous revisions of jumbo patches).
Please refer to the
announcement for more detail.
July 18, 2008
John the Ripper 1.7.3.1
(another "development" version) is out.
This is a minor update,
which corrects the x86 assembly files for building on Mac OS X
and adds some generic changes from JtR Pro.
July 16, 2008
There's a
beta version of John the Ripper Pro 1.7.3.1 for Mac OS X
included with every new purchase (and free for everyone who has purchased the
product in the past).
Similarly to JtR Pro for Linux, besides the update to 1.7.3+,
this version adds
official support for Windows NTLM (MD4-based)
and Mac OS X 10.4+ salted SHA-1 hashes,
and it includes
native support for 64-bit capable Intel CPUs on
Mac OS X 10.5+ (Leopard) within the Universal binary,
which makes use of 64-bit mode extended SSE2.
Also included is the brand new XPWDUMP tool, which dumps password hashes
from Mac OS X systems for subsequent auditing/cracking.
As a bonus, the full source code is also provided (it was not provided
with 1.7.2
Pro for Mac OS X, the focus of which was on packaging,
but with so many exciting new features, we're also being generous and we
do share the revised and enhanced source code this time,
including several added source files).
July 13, 2008
John the Ripper Pro 1.7.3 for Linux
is out.
Besides the update to 1.7.3 (and thus including all of the improvements of
that version in a well-tested native package),
new with this release is
official support for Windows NTLM (MD4-based)
and Mac OS X 10.4+ salted SHA-1 hashes.
Also included is a pre-built RPM package for 64-bit capable systems,
which makes use of 64-bit mode extended SSE2.
This is a free upgrade for everyone who has purchased the product in the past.
July 10, 2008
John the Ripper 1.7.3 (a "development" version) is out,
focusing on better x86-64 support.
Most notably, two
Blowfish-based crypt(3)
hashes may now be computed in parallel for much better performance on
x86-64 CPUs, and new make targets have been added for Mac OS X 10.5+ (Leopard)
and recent versions of Solaris on 64-bit capable x86 processors, producing
64-bit builds that make use of the 64-bit mode extended SSE2.
As a bonus, "DumbForce" and "KnownForce" external mode samples have been added
to the default john.conf.
May 2, 2008
We've just setup the
Openwall community wiki.
The idea is to have a wiki "namespace" for each of our major projects,
maybe resembling the structure of the main Openwall website -
e.g., we have namespaces for Owl and John the Ripper.
Users of our software and Openwall team members can populate those
namespaces with relevant content.
If you have something relevant to share,
please register for a wiki account and edit away!
April 21, 2008
Revision 12 of the jumbo patch for
John the Ripper 1.7.2 is out, adding support for
HMAC-MD5 (by bartavelle),
LMv2 challenge/response
(by JoMo-Kun),
half-of-LM-response (by Dhirendra Singh Kholia),
EPiServer SID hashes (by Johannes Gumbel),
and md5(md5($password) . $salt) as commonly used in PHP applications
(by Albert Veli).
This revision also includes
a much faster implementation of old MySQL hashes
(by Balázs Bucsay and Péter Kasza).
April 12, 2008
Solar Designer of Openwall has participated in an IBM-organized
Global Innovation Outlook (GIO) "deep dive"
on Security and Society (a day long brainstorming session, with only
short coffee breaks and a lunch break).
This dive was held on April 10 (with a welcome dinner the day before)
in a fine 5-star hotel in the heart of Moscow.
Five more dives on the topic are to follow in other cities around the world,
then IBM is to publish a report.
Meanwhile, you can find reports on past GIO topics on the IBM website,
as well as read and comment on the
GIO blog (maintained by
Dan Briody).
We have joined the
oCERT project
(the Open Source Computer Emergency Response Team), in two ways:
Solar Designer serves on the advisory board of oCERT (since February),
and Openwall is a registered public member of oCERT such that we can be sure
to receive notification of vulnerabilities pertaining to our software (and,
far more likely, to third-party software that we redistribute as part of
Openwall GNU/*/Linux) that will be handled via oCERT.
Other Open Source projects are welcome to register with oCERT, too.
March 1, 2008
A couple of weeks ago, we have setup the
Open Source Software Security (oss-security) Wiki,
which is the counterpart to the
oss-security mailing list, and we have the initial content in place by now.
Both the wiki and the mailing list are a product of cooperation amongst
various Open Source software vendors, projects, and researchers.
The purpose of the oss-security group is to encourage public discussion
of security flaws, concepts, and practices in the Open Source community.
February 17, 2008
Archives of two Openwall-hosted community mailing lists,
oss-security and xvendor, are now
available on this website.
oss-security
is a new discussion and collaboration mailing list
for people involved with Open Source projects who care about security.
xvendor
is a very low volume list for information exchange between Unix-like OS
distribution vendors (mostly Linux), and it has existed since 2002.
February 13, 2008
A new minor release of
pam_passwdqc - version 1.0.5 - is out.
In this version, the separator characters (used for randomly generated
"passphrases") have been replaced with some of those defined by RFC 3986
as being safe within "userinfo" part of URLs without encoding, the
default minimum length for passphrases has been reduced from 12 to 11
characters, and corrections to the documentation have been made.
February 12, 2008
Alexander Chemeris has contributed a Python module port of
phpass 0.1,
allowing for phpass portable hashes to be checked from Python applications.
The module is linked from the contributed resources list on the
phpass homepage.
December 15, 2007
Three popular web applications -
phpBB3 (3.0.0 release),
WordPress, and bbPress (current development versions) - have integrated our
PHP password hashing framework (phpass)
to provide more secure "storage" of users' passwords
(of course, the passwords are not actually stored; the
hashes are).
Additionally, there's a module for Drupal 5 and patches for various
development versions of Drupal to make use of phpass.
The links for these can be found at the bottom of the
phpass homepage.
November 14, 2007
Revision 9 of the jumbo patch for
John the Ripper 1.7.2 is out,
adding support for MySQL 4.1+ hashes based on SHA-1 (by Marti Raudsepp)
and for Oracle hashes based on DES (by Simon Marechal).
This revision also improves the performance at Mac OS X 10.4+ salted
SHA-1 hashes for the multi-salt case.
October 30, 2007
Revision 8 of the jumbo patch for
John the Ripper 1.7.2 is out.
This revision adds support for Mac OS X 10.4+ salted SHA-1 hashes,
as well as for two MS SQL hash types.
August 14, 2007
Linux 2.4.35-ow2 is out,
including a fix for the parent process death signal vulnerability
in the Linux kernel and two new security hardening features.
June 6, 2007
There's a new ISO-9660 image of
Owl-current.
The following packages have been
significantly updated
since the last ISO snapshot (January 9, 2007):
PCRE, strace, BIND, OpenSSL, GnuPG, lftp, ELinks, file, Mutt, owl-cdrom.
New with this ISO is support for booting off SATA and USB CD-ROM drives,
in addition to IDE and SCSI ones (which were supported previously).
(Obviously, not all SATA and SCSI controllers are supported, but the goal
is to include support for common ones.)
JoMo-Kun has
contributed a patch
to add support for cracking of sniffed
LM/NTLMv1 challenge/response exchanges to John the Ripper.
The patch is now listed on
John the Ripper homepage
and it is part of the latest revision of the jumbo patch for
John the Ripper 1.7.2.
March 20, 2007
Alain Espinosa's NTLM (MD4-based) hashes support patch for
John the Ripper
has been further updated to include optional SSE2 code for x86 and x86-64,
resulting in even better performance.
February 25, 2007
The NTLM (MD4-based) and Windows credentials cache hashes support patches
for John the Ripper linked from the contributed resources list on the
John the Ripper homepage
have been replaced with much faster (yet portable) implementations
contributed by Alain Espinosa.
January 13, 2007
The
Owl build environment has been enhanced to automate
the generation of ISO-9660 images of Owl bootable CDs.
This should enable us to put out updated ISOs of Owl-current more often,
and we have just made one available under /pub/Owl/current/iso on the
FTP mirrors.
The following packages have been
significantly updated
since the 2.0 release, listed in order of first change:
tar, bash, coreutils, sed, iptables, John the Ripper, Nmap, GnuPG, Postfix,
setarch, netlist, gettext, db4, lftp, vixie-cron, Perl, acct, readline,
chkconfig, vsftpd, BIND, bison, libtool, make, Linux-PAM, e2fsprogs, which,
automake, patchutils, hdparm, Mutt, OpenSSL, gpm, gzip, the DHCP suite,
OpenSSH, screen, texinfo, RPM,
the installer (owl-setup),
and the Linux kernel.
The following new packages have been added: smartmontools and mkisofs.
Additionally, with the updated build environment (that is part of Owl as
released to the public), Owl users will be able to generate their own
Owl ISOs.
October 29, 2006
We're starting to make available contributed Owl packages
under /pub/Owl/contrib on the
FTP mirrors.
So far, 60+ packages for Owl 2.0 and 2.0-stable have been contributed by op5 AB.
Please note that none of these packages are officially supported by the Openwall team.
At the same time, the directory /pub/Owl/current/unofficial is retired
(removed from the FTP mirrors).
The most recent Owl-current binary packages for SPARC architecture have been
made available under /pub/Owl/current/sparc on the
FTP mirrors.
(Previously, only Owl 2.0 release and older packages were available pre-built
for SPARC.)
September 8, 2006
There's an updated version of our
portable PHP password hashing framework.
The framework test program has been enhanced in numerous ways and a minor
bug (that had no practical impact) in the framework itself has been fixed.
May 27, 2006
We have started making and maintaining commercial releases of John the Ripper,
known as
John the Ripper Pro.
John the Ripper
Pro builds upon the free John the Ripper to deliver
a commercial product better tailored for specific operating systems.
It is distributed primarily in the form of "native" packages for
the target operating systems.
May 23, 2006
New versions of
popa3d (1.0.2) and
crypt_blowfish (1.0.2)
have been released adding minor optimizations specific to x86-64.
May 21, 2006
John the Ripper 1.7.2 ("development")
adds bitslice DES code for x86-64
making use of the 64-bit mode extended SSE2 with 16 XMM registers.
May 11, 2006
John the Ripper 1.7.1 ("development")
has been released including
bitslice DES code for x86 with SSE2 for better performance at
DES-based crypt(3) hashes on Pentium 4 and SSE2-capable AMD processors,
as well as assorted high-level changes to improve performance on current
x86-64 processors.
April 23, 2006
Owl has been ported to the x86-64 architecture.
The latest Owl-current binary packages for x86-64 have been made available
under /pub/Owl/current/x86_64 on the
FTP mirrors.
Currently, these packages have to be installed off a system that is already
running an x86-64 build of the Linux kernel.
We're planning to create and make available a bootable CD image for x86-64
a bit later.
March 25, 2006
The
Owl
2.0-stable
branch will now be made available on the
FTP mirrors.
The changes since Owl 2.0 so far include security and bug fix updates to
tar, GnuPG, and John the Ripper.
March 23, 2006
It is now possible to
purchase a download of a compressed ISO image of our
wordlists collection CD
instead of placing an order for the physical CD.
This may be preferable if you would like to gain access to
the entire CD content immediately
or if it is inconvenient for you to receive the CD by mail.
John the Ripper 1.7.0.2 is out adding a fix for a
long-standing bug in the rule preprocessor which caused some duplicate
characters to not be omitted on 64-bit platforms.
The contributed
netlist program listed on the
Openwall Linux kernel patch homepage
has been updated to version 2.1,
featuring support for Linux 2.6.x kernels and better performance.
netlist is a tool for users to list their own
active Internet connections and sockets,
especially when access to the /proc filesystem is restricted.
March 10, 2006
There's a new "stable" version of
John the Ripper (1.7.0.1).
Changes made since the 1.7 release are limited to
minor bug and portability fixes,
better handling of certain uncommon scenarios and improper uses of John,
and the addition of a "keyboard cracker" to the default
john.conf (john.ini) that will try sequences of adjacent keys on a keyboard
as passwords.
Also made available today are minor updates to
popa3d (1.0.1),
scanlogd (2.2.6), and
crypt_blowfish (1.0.1)
needed for compiling with glibc 2.3.90+ C header files (no CLK_TCK).
February 23, 2006
SecurityFocus has published an
interview with Solar Designer on John the Ripper 1.7.
Federico Biancuzzi interviews Solar Designer, creator of the popular John the Ripper password cracker. Solar Designer discusses what's new in version 1.7, the advantages of popular cryptographic hashes, the relative speed at which many passwords can now be cracked, and how one can choose strong passphrases (forget passwords) that are harder to break.
The contributed resources list on
John the Ripper homepage has been updated to include
a jumbo patch for version 1.7 and a package of 1.7 with the jumbo patch
applied pre-compiled for Win32.
The jumbo patch enables processing of many password hash types and ciphers
that are not supported by the official JtR.
February 15, 2006
After many public Owl-current snapshots,
Openwall GNU/*/Linux 2.0 is finally out.
Owl 2.0 is available for
purchase on a CD
as well as for download off the
mirrors.
The
major changes made since 1.1
are documented.
Owl 2.0 is built around Linux kernel 2.4.32-ow1, glibc 2.3.6 (with our
security enhancements), gcc 3.4.5,
and recent versions of over 100 other packages.
It offers binary- and package-level compatibility for most packages
intended for Red Hat Enterprise Linux 4 (RHEL4) and Fedora Core 3 (FC3),
as well as for many FC4 packages.
January 26, 2006
The long-awaited
John the Ripper 1.7 release is out.
The changes made since the last development snapshot (1.6.40) are minor
(it's primarily the availability of official Win32 and DOS builds, in
addition to the source code for Unix systems), however the
changes made since 1.6 are substantial.
January 22, 2006
There's a new ISO-9660 image of
Owl-current.
The following packages have been significantly updated since the last
ISO snapshot (December 8, 2005):
man-pages (including the addition of POSIX man pages), Postfix,
John the Ripper, VIM, libnet, libnids, chkconfig, db4, gcc, man, hdparm,
diffstat, tcb, Linux-PAM, dialog, glibc, bash, Nmap, libutempter, strace,
and the installer (owl-setup).
January 15, 2006
A new version of
pam_mktemp (1.0.2) is out.
pam_mktemp can now be compiled on systems with Linux 2.6.x kernel headers
(as well as with older kernel versions).
January 5, 2006
Damien Miller has developed and contributed
a plugin password strength checker for OpenBSD based on pam_passwdqc.
This plugin is now linked from the contributed resources list on the
pam_passwdqc web page.
January 3, 2006
The first "mature" version of our password hashing package,
crypt_blowfish 1.0, is out.
This version corrects a bug in the way salts for extended DES-based and for
MD5-based password hashes are generated with the crypt_gensalt*() family
of functions (thanks to Marko Kreen for discovering and reporting this).
The bug would result in a higher than expected number of matching salts
with large numbers of password hashes of the affected types.
crypt_gensalt*()'s functionality for Blowfish-based (bcrypt) hashes
that crypt_blowfish itself implements and for traditional DES-based
crypt(3) hashes was not affected.
December 29, 2005
The
tcb suite
implementing our alternative password shadowing scheme
became mature enough for its 1.0 release.
New with this release are support for OpenPAM (on Linux)
and support for the new interfaces provided by Linux-PAM 0.99.1.0 and above.
Older versions of Linux-PAM continue to be supported, too.
December 24, 2005
The most recent Owl-current binary packages for Alpha architecture (EV56 and
above) have been made available under /pub/Owl/current/alphaev56 on the
FTP mirrors.
(Previously, only Owl 1.1 release packages were available pre-built for Alpha.)
December 17, 2005
A new development version of
John the Ripper (1.6.40) is out, including updated
charset files, password.lst (the common passwords list), and a new
pre-defined "incremental" mode "Alnum" (for alphanumeric).
Many enhancements to the code have been made, including to
the handling of hex-encoded hashes (such as LM hashes),
the Makefile,
the "p" (pluralize) wordlist rules command,
unafs, and
charset files handling.
A few bugs have been fixed, too.
December 9, 2005
There's a new ISO-9660 image of
Owl-current.
The following components have been significantly updated since the last
ISO snapshot (September 13, 2005):
util-linux, findutils, CVS, tcsh, OpenSSL, RPM, elfutils-libelf, SILO,
setarch (replaces sparc32), kbd, LILO, m4, net-tools, coreutils, zlib,
strace, file, SysVinit, modutils, Linux-PAM, procmail, Postfix, Nmap,
glibc, sed, patch, quota, tar, traceroute, grep, cpio, libpcap, GnuPG,
vsftpd, Perl, the installer (owl-setup), and the Linux kernel.
The following new packages have been added:
CDK, BIND, OpenNTPD, tinycdb, PCRE, indent.
December 7, 2005
Additional contributed patches are now listed on
John the Ripper homepage, adding support for
Post.Office MD5-based hashes and Lotus Domino salted hashes.
November 8, 2005
The most recent Owl-current binary packages for SPARC architecture have been
made available under /pub/Owl/current/sparc on the
FTP mirrors.
(Previously, only Owl 1.1 release packages were available pre-built for SPARC.)
September 13, 2005
A new development version of
John the Ripper (1.6.39) is out, including the updated
documentation and more.
There's a new ISO-9660 image of
Owl-current featuring an
initial version of our new installer.
Other packages significantly updated since the last ISO snapshot
(July 3, 2005) include:
LILO, OpenSSH, mtree, strace, Postfix, sysklogd, libutempter, Linux-PAM,
SimplePAMApps, tcb, procps, and John the Ripper.
July 3, 2005
A new ISO-9660 image of
Owl-current has been made available
via the
FTP mirrors.
May 26, 2005
popa3d 1.0 is out.
The
changes
since the previous release (0.6.4.1) are minimal.
May 12, 2005
Linux 2.4.30-ow3 is out, adding a fix to the
ELF core dump vulnerability discovered by Paul Starzetz and more.
May 11, 2005
A new development version of
John the Ripper (1.6.38) is out, featuring official
AltiVec support (on Mac OS X and Linux/PPC) and better performance at LM
hashes (on most modern systems).
April 19, 2005
Three of our PAM modules became mature enough for their 1.0 releases.
These are
pam_passwdqc,
pam_userpass, and
pam_mktemp.
All three have existed since Y2K and are part of several OS distributions.
April 16, 2005
We're making available unofficial/unsupported packages for use of
Owl-current on a workstation.
These packages can be found under /pub/Owl/current/unofficial on the
FTP mirrors.
Included are unofficial rebuilds of some Fedora Rawhide packages:
X.org X11, Blackbox, WindowMaker, Firefox;
GTK 2 and other X and graphics libraries;
Python, tcl, tk, tix;
various small packages.
Also included are OpenOffice.org packages which are known to install and
work on Owl-current with the Fedora packages already installed.
Please note that Owl is intended for use on servers only.
Its use on a workstation will likely only make sense for Owl developers
and contributors who might want to test cutting-edge Owl updates on their
immediate computers.
Read the full announcement here.
March 6, 2005
A new ISO-9660 image of
Owl-current has been made available
via the
FTP mirrors.
January 20, 2005
Linux 2.4.29-ow1 is out.
Linux 2.4.29, and thus 2.4.29-ow1, adds a number of security fixes.
Owl-current has been updated to GCC 3.4.3 and glibc 2.3.3+.
Please refer to the
change log for information on this
and other recent updates.
November 26, 2004
The contributed resources list on
John the Ripper homepage has been revised, adding
patches which provide support for cracking Kerberos v5 TGTs, Netscape
LDAP SSHA (salted), Apache MD5-based "apr1", and raw MD5 (hex-encoded)
hashes, and a patch for taking advantage of PowerPC w/ AltiVec (128-bit)
under Mac OS X for much better performance at DES-based hashes.
November 20, 2004
Linux 2.4.28-ow1 is out.
Linux 2.4.28, and thus 2.4.28-ow1, fixes a number of security-related bugs.
November 3, 2004
After more than two months of active development, we're pleased to make
available a new snapshot of
Owl-current based around newer versions of glibc and RPM.
Many other updates to Owl packages, build environment, and documentation
have been made as well, please refer to the
change log for information on the
more important ones.
This update will permit for installation of packages from or intended for
newer versions of Red Hat Linux, including commercial/closed-source ones,
on Owl.
August 4, 2004
Linux 2.4.26-ow3 is out.
This corrects the access control check in the Linux kernel
which previously wrongly allowed any local user to change the group
ownership of arbitrary NFS-exported/imported files (CAN-2004-0497)
and adds a workaround for the file offset pointer races discovered by
Paul Starzetz (CAN-2004-0415).
June 19, 2004
Linux 2.4.26-ow2 is out.
This update fixes multiple security-related bugs in the Linux kernel
(those discovered by Al Viro using "Sparse",
fsave/frstor local DoS on x86, infoleak in the e1000 driver, and some others)
as well as two non-security bugs in the patch itself.
Please refer to the
announcement
for detailed information on the changes.
June 6, 2004
We've setup a
CVSweb server
which provides convenient access to the entire
Openwall GNU/*/Linux (Owl)
CVS tree including source code for Owl and consequently also for
most other pieces of Openwall software which are now maintained
as part of Owl but are also made available separately.
The CVSweb server allows the more experienced users and other software
developers to easily browse through revision history and compare
different versions of any source file that we've been working on.
June 3, 2004
There's a new version of the port scan detection tool,
scanlogd 2.2.4.
This has many minor code cleanups and enhancements, and includes RPM
spec file and startup script directly usable on Red Hat Linux and on
other compatible distributions.
April 26, 2004
A new version of the password hashing package,
crypt_blowfish 0.4.6, has been released.
This adds a patch for easy integration of crypt_blowfish into glibc
versions 2.2 through 2.3.2 (as well as 2.1 through 2.1.3 which were
supported previously).
Other minor updates are included as well.
February 23, 2004
There's a new development version of
John the Ripper (1.6.37)
which adds support for Linux/x86-64 (both 32-bit with MMX and native 64-bit)
and OpenBSD/x86 with ELF binaries (previously only older versions of OpenBSD
which still used a.out binaries were fully supported).
February 21, 2004
Linux 2.2.25-ow2 is out and includes workarounds and
fixes for several Linux kernel vulnerabilities.
Upgrading of existing Linux 2.2.x installs is strongly recommended.
February 20, 2004
Linux 2.4.25-ow1 is out.
Upgrading of existing 2.4.23-ow2 and 2.4.24-ow1 installs is not strictly
required for most users.
January 8, 2004
Linux 2.4.24-ow1 is out.
Upgrading of existing 2.4.23-ow2 installs is not required.
November 2, 2003
New versions of the
PAM modules are available,
including
pam_passwdqc 0.7.5.
pam_passwdqc will now assume invocation by root only if both the UID is 0
and the PAM service name is "passwd";
this should fix changing expired passwords on Solaris and HP-UX
and make "enforce=users" safe.
The proper English explanations of requirements for strong passwords
will now be generated for a wider variety of possible settings.
October 10, 2003
An extensive
wordlists collection
with wordlists for 20+ human languages and lists of common passwords
is now available for download or purchase on a CD.
September 15, 2003
There's a new development version of
John the Ripper
featuring an event logging framework.
John now logs how it proceeds through stages of each of its cracking modes.
July 6, 2003
Linux 2.4.21-ow2 is out and adds fixes for two
Linux kernel vulnerabilities recently discovered by Paul Starzetz.
April 27, 2003
msulogin is now available separately from Owl.
msulogin is an implementation of
sulogin single user mode login
program which adds support for having multiple root accounts on a system.
March 10, 2003
popa3d 0.6.2 corrects the rate limiting of a log
message (problem spotted by Michael Tokarev) and provides documentation
updates, including a
change log to
which you can refer for more detailed information on the changes.
March 4, 2003
popa3d 0.6.1 adds version identification (popa3d -V)
and more correct logging of abnormally terminated POP3 sessions.
February 22, 2003
There's a new stable release of
popa3d, version 0.6.
Changes since the last stable release (0.5.1) are limited to bug,
correctness, and interoperability fixes (this includes a workaround for an
Outlook Express client bug which would show up on body-less messages).
January 11, 2003
The
PAM modules and the
tcb suite
that were originally developed for
Owl are now also
conveniently linked from this website.
December 16, 2002
A popa3d Maildir support patch has been added to the contributed patches
list on the
popa3d homepage.
December 5, 2002
Linux 2.2.23-ow1 is out.
It is now possible to run
John the Ripper on OpenVMS (both Alpha and VAX)
targeting any of the supported hash types, and to crack OpenVMS passwords
(SYSUAF.DAT) when running on any of the supported platforms, due to
patches and VMS executables contributed by
Jean-loup Gailly.
November 27, 2002
Linux 2.2.22-ow2
improves the "lcall" DoS fix for the Linux kernel to cover the
NT (Nested Task) flag attack discovered by Christophe Devine.
November 14, 2002
BIND 4.9.10-OW2 includes the patch provided by ISC
for the recently discovered vulnerabilities in BIND 4 and 8.
October 15, 2002
After over a year of development and many public Owl-current snapshots,
Owl 1.0 is finally out.
October 1, 2002
BIND 4.9.10 and
4.9.10-OW1
have been released and fix a read beyond end
of buffer vulnerability in the resolver library. The impact is believed
to be very minor (if any). The DNS server itself (named) is unaffected.
September 10, 2002
Linux 2.2.21-ow2 includes many security fixes for
issues with the Linux kernel discovered during code reviews by Silvio Cesare,
Solar Designer, and others.
July 31, 2002
A new version of the password strength checking PAM module
pam_passwdqc 0.6 has been released and offers
support for HP-UX 11 (in addition to Linux, FreeBSD, and Solaris) and
a pam_passwdqc(8) manual page (imported back from FreeBSD).
June 29, 2002
Updated
BIND 4.9.x patches have been released to
correct the recently discovered vulnerability in the resolver library
code included with BIND.
April 18, 2002
New versions of
pam_passwdqc, the password
strength checking PAM module, and
popa3d, the
POP3 server, are available. pam_passwdqc 0.5 adds support for OpenPAM
as found on FreeBSD-current, thanks to Dag-Erling Smorgrav. It also
became part of FreeBSD. popa3d 0.5.1 changes the way unique IDs are
generated.
March 3, 2002
Linux 2.2.20-ow2 fixes an x86-specific vulnerability
in the Linux kernel discovered by Stephan Springl
where local users could abuse a binary compatibility interface (lcall)
to kill processes not belonging to them (including system processes).
November 4, 2001
pam_passwdqc version 0.4 has been released.
This version adds support for Solaris with native pam_unix.
October 28, 2001
There's a new stable release of
popa3d, version 0.5.
This has all of the features added in post-0.4 development versions plus a
man page.
October 18, 2001
Linux 2.2.19-ow3
fixes two Linux kernel vulnerabilities discovered by Rafal Wojtczuk.
Please refer to the
Owl change log for
information on the vulnerabilities and how they affect
Owl.
Of the two newly discovered vulnerabilities, Linux 2.0.39-ow3 is only affected
by the DoS.
September 11, 2001
popa3d 0.4.9.4 fixes two bugs introduced with
recent development versions (oops). Please update.
September 8, 2001
popa3d 0.4.9.3 now runs parts of its code in a
chroot jail. It also adds certain bits of functionality that previously were
missing or available as third-party patches only. Please test and report any
problems you might have with this development version, especially on less
common platforms, as popa3d is approaching a stable release.
August 6, 2001
We've updated our security advisory on
Passive Analysis of SSH (Secure Shell) Traffic with additional
vendor fix information for TTSSH and for affected Cisco products.
The updated advisory includes a bugfixed and improved version of
SSHOW, the tiny SSH traffic analysis tool we use to demonstrate the attacks.
June 29, 2001
We've started maintaining a stable branch of
Owl,
based on Owl 0.1-prerelease. This branch will have all significant
reliability and security fixes necessary to use Owl in production -
even before its feature set is complete for it to be called 1.0.
Another recent addition is the OpenBSD-like change logs for both the
current and the
stable branch.
June 20, 2001
popa3d 0.4.9.1 has been released. The license
for the entire package has been relaxed, and popa3d should be smaller
and more portable now. This is due to the new MD5 routines.
May 28, 2001
popa3d 0.4.9 is available for testing. Expect
a new stable release soon.
May 12, 2001
After months of development we're making public a prerelease of
Owl, our security-enhanced server platform with
Linux and
GNU software as its core.
May 10, 2001
A new version of the password hashing package,
crypt_blowfish 0.4, has been released.
It adds two functions and a manual page describing the programming
interfaces, including on systems based on the GNU C Library with
crypt_blowfish patched into libcrypt.
April 19, 2001
A new development version of
John the Ripper (1.6.24-dev)
adds a cracker for passwords you might have generated with Strip 0.5.
The cracker
is implemented in john.conf as an "external mode" and will try all passwords
Strip could generate with all possible settings. Other uses of Strip are
unaffected. The cracker is based on analysis by Thomas Roessler and
Ian Goldberg.
March 26, 2001
Linux 2.2.19-ow1 and 2.0.39-ow3 have been released.
Please upgrade to at least one of these versions of the kernel/patch as
Linux 2.2.19 is an important security update.
March 19, 2001
We've just published a security advisory entitled
Passive Analysis of SSH (Secure Shell) Traffic.
This advisory demonstrates several weaknesses in implementations of
SSH (Secure Shell) protocols. When exploited, they let the attacker
obtain sensitive information by passively monitoring encrypted SSH
sessions. Fix information, patches to reduce the impact of traffic analysis,
and a tool to demonstrate the attacks are provided.
February 9, 2001
Updated
Linux kernel patches have been released,
which include fixes for the two recently announced Linux kernel
vulnerabilities, both of which can result in a local root compromise.
January 29, 2001
Updated
BIND 4.9.x patches have been released, which
include fixes for the recently discovered BIND vulnerabilities.
385933