Openwall Project
bringing security into open environments
 
This website is powered by Openwall GNU/*/Linux security-enhanced OS

Software you can find here:

These (and a few other) packages are also available via FTP from ftp.openwall.com and its mirrors. You are encouraged to use the mirrors, but be sure to verify the signatures on software you download.

The more experienced users and software developers may use our CVSweb server to browse through the source code for most pieces of Openwall software along with revision history information for each source file.

We publish security advisories, do presentations, offer a number of services, and accept donations.

We also maintain a wordlists collection for use with password crackers such as John the Ripper and with password recovery utilities, and a collection of pointers to password recovery resources on the Net.

Finally, we host community resources such as mailing lists and wiki for users of Openwall software and for other Open Source and computer security folks.

If you would like to be notified of updates to this website and the packages hosted here, you can subscribe to the announcement mailing list by sending an empty message to <announce-subscribe at lists.openwall.com> or entering your e-mail address below. You will be required to confirm your subscription by "replying" to the automated confirmation request that will be sent to you. You will be able to unsubscribe at any time and we will not use your e-mail address for any other purposes or share it with a third party. The list traffic is very low (1-2 messages a month). You may review past announcements here.

July 18, 2008
John the Ripper 1.7.3.1 (another "development" version) is out. This is a minor update, which corrects the x86 assembly files for building on Mac OS X and adds some generic changes from JtR Pro.

July 16, 2008
There's a beta version of John the Ripper Pro 1.7.3.1 for Mac OS X included with every new purchase (and free for everyone who has purchased the product in the past). Similarly to JtR Pro for Linux, besides the update to 1.7.3+, this version adds official support for Windows NTLM (MD4-based) and Mac OS X 10.4+ salted SHA-1 hashes, and it includes native support for 64-bit capable Intel CPUs on Mac OS X 10.5+ (Leopard) within the Universal binary, which makes use of 64-bit mode extended SSE2. Also included is the brand new XPWDUMP tool, which dumps password hashes from Mac OS X systems for subsequent auditing/cracking. As a bonus, the full source code is also provided (it was not provided with 1.7.2 Pro for Mac OS X, the focus of which was on packaging, but with so many exciting new features, we're also being generous and we do share the revised and enhanced source code this time, including several added source files).

July 13, 2008
John the Ripper Pro 1.7.3 for Linux is out. Besides the update to 1.7.3 (and thus including all of the improvements of that version in a well-tested native package), new with this release is official support for Windows NTLM (MD4-based) and Mac OS X 10.4+ salted SHA-1 hashes. Also included is a pre-built RPM package for 64-bit capable systems, which makes use of 64-bit mode extended SSE2. This is a free upgrade for everyone who has purchased the product in the past.

July 10, 2008
John the Ripper 1.7.3 (a "development" version) is out, focusing on better x86-64 support. Most notably, two Blowfish-based crypt(3) hashes may now be computed in parallel for much better performance on x86-64 CPUs, and new make targets have been added for Mac OS X 10.5+ (Leopard) and recent versions of Solaris on 64-bit capable x86 processors, producing 64-bit builds that make use of the 64-bit mode extended SSE2. As a bonus, "DumbForce" and "KnownForce" external mode samples have been added to the default john.conf.

June 8, 2008
A patched version of mod_auth_mysql with support for phpass portable hashes has been added to the contributed resources list on the phpass homepage. This was indirectly contributed by Nikolay.

June 7, 2008
The section on password recovery has been updated with information on recent ElcomSoft product changes. The most notable changes are as follows:

Enterprise Edition of Advanced Office Password Breaker now includes a DVD with pre-computed hash tables ("rainbow tables"), which enables it to unlock 99.5% of Word documents in less than a minute.

Enterprise Edition of Advanced PDF Password Recovery now includes revised pre-computed hash tables on the DVD (improving upon the "rainbow tables" technique), for 100% success rate at recovering "40-bit" PDF passwords in a matter of minutes.

Professional Edition of Advanced EFS Data Recovery is now able to locate master and private keys in deleted files, and often also on re-formatted disks and overwritten Windows installs, scanning the disk sector-by-sector and using patterns to locate the keys.

May 2, 2008
We've just set up the Openwall community wiki. The idea is to have a wiki "namespace" for each of our major projects, maybe resembling the structure of the main Openwall website - e.g., we have namespaces for Owl and John the Ripper. Users of our software and Openwall team members can populate those namespaces with relevant content. If you have something relevant to share, please register for a wiki account and edit away!

April 21, 2008
Revision 12 of the jumbo patch for John the Ripper 1.7.2 is out, adding support for HMAC-MD5 (by bartavelle), LMv2 challenge/response (by JoMo-Kun), half-of-LM-response (by Dhirendra Singh Kholia), EPiServer SID hashes (by Johannes Gumbel), and md5(md5($password) . $salt) as commonly used in PHP applications (by Albert Veli). This revision also includes a much faster implementation of old MySQL hashes (by Balázs Bucsay and Péter Kasza).

April 17, 2008
We've set up a new web page on Openwall user communities, hosted community resources, and community involvement and activities (as well as a sub-page on the xvendor mailing list).

April 12, 2008
Solar Designer of Openwall has participated in an IBM-organized Global Innovation Outlook (GIO) "deep dive" on Security and Society (a day long brainstorming session, with only short coffee breaks and a lunch break). This dive was held on April 10 (with a welcome dinner the day before) in a fine 5-star hotel in the heart of Moscow. Five more dives on the topic are to follow in other cities around the world, then IBM is to publish a report. Meanwhile, you can find detailed reports on past GIO topics on the IBM website section dedicated to the GIO initiative, as well as read and comment on the GIO blog (maintained by Dan Briody).

We have joined the oCERT project (the Open Source Computer Emergency Response Team), in two ways: Solar Designer serves on the advisory board of oCERT (since February), and Openwall is a registered public member of oCERT such that we can be sure to receive notification of vulnerabilities pertaining to our software (and, far more likely, to third-party software that we redistribute as a part of Openwall GNU/*/Linux) that will be handled via oCERT. Other Open Source projects are welcome to register with oCERT, too. (We're also a member of oss-security and vendor-sec, and are registered with the CERT/CC.)

April 3, 2008
A cut-down and reworked version of our PHP password hashing framework (phpass) has been integrated into development versions of Drupal leading to the upcoming Drupal 7 release. There's also a module for Drupal 5 & 6 that makes the original phpass available with those versions of Drupal. More information is available on the phpass homepage.

March 1, 2008
A couple of weeks ago, we set up the Open Source Software Security (oss-security) Wiki, which is the counterpart to the oss-security mailing list, and we have the initial content in place by now. Both the wiki and the mailing list are a product of cooperation amongst various Open Source software vendors, projects, and researchers. The purpose of the oss-security group is to encourage public discussion of security flaws, concepts, and practices in the Open Source community.

February 17, 2008
Archives of two Openwall-hosted community mailing lists, oss-security and xvendor, are now available on this website.
oss-security is a new discussion and collaboration mailing list for people involved with Open Source projects who care about security. xvendor is a very low volume list for information exchange between Unix-like OS distribution vendors (mostly Linux), and it has existed since 2002.

February 13, 2008
A new minor release of pam_passwdqc - version 1.0.5 - is out. In this version, the separator characters (used for randomly generated "passphrases") have been replaced with some of those defined by RFC 3986 as being safe within "userinfo" part of URLs without encoding, the default minimum length for passphrases has been reduced from 12 to 11 characters, and corrections to the documentation have been made.

February 12, 2008
Alexander Chemeris has contributed a Python module port of phpass 0.1, allowing for phpass portable hashes to be checked from Python applications. The module is linked from the contributed resources list on the phpass homepage.

December 15, 2007
Three popular web applications - phpBB3 (3.0.0 release), WordPress, and bbPress (current development versions) - have integrated our PHP password hashing framework (phpass) to provide more secure "storage" of users' passwords (of course, the passwords are not actually stored; the hashes are). Additionally, there's a module for Drupal 5 and patches for various development versions of Drupal to make use of phpass. The links for these may be found at the bottom of the phpass homepage.

November 14, 2007
Revision 9 of the jumbo patch for John the Ripper 1.7.2 is out, adding support for MySQL 4.1+ hashes based on SHA-1 (by Marti Raudsepp) and for Oracle hashes based on DES (by Simon Marechal). This revision also improves the performance at Mac OS X 10.4+ salted SHA-1 hashes for the multi-salt case.

October 30, 2007
Revision 8 of the jumbo patch for John the Ripper 1.7.2 is out. This revision adds support for Mac OS X 10.4+ salted SHA-1 hashes, as well as for two MS SQL hash types.

August 14, 2007
Linux 2.4.35-ow2 is out, including a fix for the parent process death signal vulnerability in the Linux kernel and two new security hardening features.

August 7, 2007
Linux 2.4.35-ow1 is out.

June 6, 2007
There's a new ISO-9660 image of Owl-current. The following packages have been significantly updated since the last ISO snapshot (January 9, 2007): PCRE, strace, BIND, OpenSSL, GnuPG, lftp, ELinks, file, Mutt, owl-cdrom. New with this ISO is support for booting off SATA and USB CD-ROM drives, in addition to IDE and SCSI ones (which were supported previously). (Obviously, not all SATA and SCSI controllers are supported, but the goal is to include support for common ones.)

JoMo-Kun has contributed a patch to add support for cracking of sniffed LM/NTLMv1 challenge/response exchanges to John the Ripper. The patch is now listed on John the Ripper homepage and it is a part of the latest revision of the jumbo patch for John the Ripper 1.7.2.

March 20, 2007
Alain Espinosa's NTLM (MD4-based) hashes support patch for John the Ripper has been further updated to include optional SSE2 code for x86 and x86-64, resulting in even better performance.

March 4, 2007
John the Ripper Pro is now available for Mac OS X on both PowerPC and Intel Macs, making use of AltiVec and SSE2 acceleration, respectively.

February 25, 2007
The NTLM (MD4-based) and Windows credentials cache hashes support patches for John the Ripper linked from the contributed resources list on the John the Ripper homepage have been replaced with much faster (yet portable) implementations contributed by Alain Espinosa.

January 13, 2007
The Owl build environment has been enhanced to automate the generation of ISO-9660 images of Owl bootable CDs. This should enable us to put out updated ISOs of Owl-current more often, and we have just made one available under /pub/Owl/current/iso on the FTP mirrors. The following packages have been significantly updated since the 2.0 release, listed in order of first change: tar, bash, coreutils, sed, iptables, John the Ripper, Nmap, GnuPG, Postfix, setarch, netlist, gettext, db4, lftp, vixie-cron, Perl, acct, readline, chkconfig, vsftpd, BIND, bison, libtool, make, Linux-PAM, e2fsprogs, which, automake, patchutils, hdparm, Mutt, OpenSSL, gpm, gzip, the DHCP suite, OpenSSH, screen, texinfo, RPM, the installer (owl-setup), and the Linux kernel. The following new packages have been added: smartmontools and mkisofs. Additionally, with the updated build environment (that is a part of Owl as released to the public), Owl users will be able to generate their own Owl ISOs.

December 27, 2006
Linux 2.4.34-ow1 is out.

October 29, 2006
We're starting to make available contributed Owl packages under /pub/Owl/contrib on the FTP mirrors. So far, 60+ packages for Owl 2.0 and 2.0-stable have been contributed by op5 AB. Please note that none of these packages are officially supported by the Openwall team. At the same time, the directory /pub/Owl/current/unofficial is retired (removed from the FTP mirrors).

The most recent Owl-current binary packages for SPARC architecture have been made available under /pub/Owl/current/sparc on the FTP mirrors. (Previously, only Owl 2.0 release and older packages were available pre-built for SPARC.)

September 8, 2006
There's an updated version of our portable PHP password hashing framework. The framework test program has been enhanced in numerous ways and a minor bug (that had no practical impact) in the framework itself has been fixed.

August 16, 2006
Linux 2.4.33-ow1 is out.

July 2, 2006
We've set up local web-based archives of Openwall mailing lists.

May 27, 2006
We have started making and maintaining commercial releases of John the Ripper, known as John the Ripper Pro.

John the Ripper Pro builds upon the free John the Ripper to deliver a commercial product better tailored for specific operating systems. It is distributed primarily in the form of "native" packages for the target operating systems.

May 23, 2006
New versions of popa3d (1.0.2) and crypt_blowfish (1.0.2) have been released adding minor optimizations specific to x86-64.

May 21, 2006
John the Ripper 1.7.2 ("development") adds bitslice DES code for x86-64 making use of the 64-bit mode extended SSE2 with 16 XMM registers.

May 11, 2006
John the Ripper 1.7.1 ("development") has been released including bitslice DES code for x86 with SSE2 for better performance at DES-based crypt(3) hashes on Pentium 4 and SSE2-capable AMD processors, as well as assorted high-level changes to improve performance on current x86-64 processors.

April 24, 2006
The SecurityFocus interview with Solar Designer on John the Ripper 1.7 is now available off the Openwall website.

April 23, 2006
Owl has been ported to the x86-64 architecture. The latest Owl-current binary packages for x86-64 have been made available under /pub/Owl/current/x86_64 on the FTP mirrors. Currently, these packages have to be installed off a system that is already running an x86-64 build of the Linux kernel. We're planning to create and make available a bootable CD image for x86-64 a bit later.

March 25, 2006
The Owl 2.0-stable branch will now be made available on the FTP mirrors. The changes since Owl 2.0 so far include security and bug fix updates to tar, GnuPG, and John the Ripper.

March 23, 2006
It is now possible to purchase a download of a compressed ISO image (179 MB, $27.95) of our wordlists collection CD instead of placing an order for the physical CD. This may be preferable if you would like to gain access to the entire CD content immediately or if it is inconvenient for you to receive the CD by mail.

John the Ripper 1.7.0.2 is out adding a fix for a long-standing bug in the rule preprocessor which caused some duplicate characters to not be omitted on 64-bit platforms.

The contributed netlist program listed on the Openwall Linux kernel patch homepage has been updated to version 2.1, featuring support for Linux 2.6.x kernels and better performance. netlist is a tool for users to list their own active Internet connections and sockets, especially when access to the /proc filesystem is restricted.

March 10, 2006
There's a new "stable" version of John the Ripper (1.7.0.1). Changes made since the 1.7 release are limited to minor bug and portability fixes, better handling of certain uncommon scenarios and improper uses of John, and the addition of a "keyboard cracker" to the default john.conf (john.ini) that will try sequences of adjacent keys on a keyboard as passwords.

Also made available today are minor updates to popa3d (1.0.1), scanlogd (2.2.6), and crypt_blowfish (1.0.1) needed for compiling with glibc 2.3.90+ C header files (no CLK_TCK).

February 23, 2006
SecurityFocus has published an interview with Solar Designer on John the Ripper 1.7. Federico Biancuzzi interviews Solar Designer, creator of the popular John the Ripper password cracker. Solar Designer discusses what's new in version 1.7, the advantages of popular cryptographic hashes, the relative speed at which many passwords can now be cracked, and how one can choose strong passphrases (forget passwords) that are harder to break.

The contributed resources list on John the Ripper homepage has been updated to include a jumbo patch for version 1.7 and a package of 1.7 with the jumbo patch applied pre-compiled for Win32. The jumbo patch enables processing of many password hash types and ciphers that are not supported by the official JtR.

February 15, 2006
After many public Owl-current snapshots, Openwall GNU/*/Linux 2.0 is finally out. Owl 2.0 is available for purchase on a CD as well as for download off the mirrors. The major changes made since 1.1 are documented.

Owl 2.0 is built around Linux kernel 2.4.32-ow1, glibc 2.3.6 (with our security enhancements), gcc 3.4.5, and recent versions of over 100 other packages. It offers binary- and package-level compatibility for most packages intended for Red Hat Enterprise Linux 4 (RHEL4) and Fedora Core 3 (FC3), as well as for many FC4 packages.

January 26, 2006
The long-awaited John the Ripper 1.7 release is out. The changes made since the last development snapshot (1.6.40) are minor (it's primarily the availability of official Win32 and DOS builds, in addition to the source code for Unix systems), however the changes made since 1.6 are substantial.

January 22, 2006
There's a new ISO-9660 image of Owl-current. The following packages have been significantly updated since the last ISO snapshot (December 8, 2005): man-pages (including the addition of POSIX man pages), Postfix, John the Ripper, VIM, libnet, libnids, chkconfig, db4, gcc, man, hdparm, diffstat, tcb, Linux-PAM, dialog, glibc, bash, Nmap, libutempter, strace, and the installer (owl-setup).

January 15, 2006
A new version of pam_mktemp (1.0.2) is out. pam_mktemp can now be compiled on systems with Linux 2.6.x kernel headers (as well as with older kernel versions).

January 5, 2006
Damien Miller has developed and contributed a plugin password strength checker for OpenBSD based on pam_passwdqc. This plugin is now linked from the contributed resources list on the pam_passwdqc web page.

January 3, 2006
The first "mature" version of our password hashing package, crypt_blowfish 1.0, is out.

This version corrects a bug in the way salts for extended DES-based and for MD5-based password hashes are generated with the crypt_gensalt*() family of functions (thanks to Marko Kreen for discovering and reporting this). The bug would result in a higher than expected number of matching salts with large numbers of password hashes of the affected types. crypt_gensalt*()'s functionality for Blowfish-based (bcrypt) hashes that crypt_blowfish itself implements and for traditional DES-based crypt(3) hashes was not affected.

December 29, 2005
The tcb suite implementing our alternative password shadowing scheme became mature enough for its 1.0 release. New with this release are support for OpenPAM (on Linux) and support for the new interfaces provided by Linux-PAM 0.99.1.0 and above. Older versions of Linux-PAM continue to be supported, too.

December 24, 2005
The most recent Owl-current binary packages for Alpha architecture (EV56 and above) have been made available under /pub/Owl/current/alphaev56 on the FTP mirrors. (Previously, only Owl 1.1 release packages were available pre-built for Alpha.)

December 17, 2005
A new development version of John the Ripper (1.6.40) is out, including updated charset files, password.lst (the common passwords list), and a new pre-defined "incremental" mode "Alnum" (for alphanumeric). Many enhancements to the code have been made, including to the handling of hex-encoded hashes (such as LM hashes), the Makefile, the "p" (pluralize) wordlist rules command, unafs, and charset files handling. A few bugs have been fixed, too.

December 9, 2005
There's a new ISO-9660 image of Owl-current. The following components have been significantly updated since the last ISO snapshot (September 13, 2005): util-linux, findutils, CVS, tcsh, OpenSSL, RPM, elfutils-libelf, SILO, setarch (replaces sparc32), kbd, LILO, m4, net-tools, coreutils, zlib, strace, file, SysVinit, modutils, Linux-PAM, procmail, Postfix, Nmap, glibc, sed, patch, quota, tar, traceroute, grep, cpio, libpcap, GnuPG, vsftpd, Perl, the installer (owl-setup), and the Linux kernel. The following new packages have been added: CDK, BIND, OpenNTPD, tinycdb, PCRE, indent.

December 7, 2005
Additional contributed patches are now listed on John the Ripper homepage, adding support for Post.Office MD5-based hashes and Lotus Domino salted hashes.

November 26, 2005
Linux 2.4.32-ow1 is out.

November 8, 2005
The most recent Owl-current binary packages for SPARC architecture have been made available under /pub/Owl/current/sparc on the FTP mirrors. (Previously, only Owl 1.1 release packages were available pre-built for SPARC.)

September 13, 2005
A new development version of John the Ripper (1.6.39) is out, including the updated documentation and more.

There's a new ISO-9660 image of Owl-current featuring an initial version of our new installer. Other packages significantly updated since the last ISO snapshot (July 3, 2005) include: LILO, OpenSSH, mtree, strace, Postfix, sysklogd, libutempter, Linux-PAM, SimplePAMApps, tcb, procps, and John the Ripper.

September 6, 2005
All of John the Ripper documentation has been updated to reflect changes made in the latest development versions. The updated documentation may now be browsed online.

July 14, 2005
We've set up a web page dedicated to Silence on the Wire, Michal Zalewski's excellent book.

July 3, 2005
A new ISO-9660 image of Owl-current has been made available via the FTP mirrors.

June 3, 2005
Linux 2.4.31-ow1 is out.

May 30, 2005
We're making public the initial version of our portable PHP password hashing framework for use in your PHP applications.

May 26, 2005
popa3d 1.0 is out. The changes since the previous release (0.6.4.1) are minimal.

May 12, 2005
Linux 2.4.30-ow3 is out, adding a fix to the ELF core dump vulnerability discovered by Paul Starzetz and more.

May 11, 2005
A new development version of John the Ripper (1.6.38) is out, featuring official AltiVec support (on Mac OS X and Linux/PPC) and better performance at LM hashes (on most modern systems).

April 22, 2005
Many brilliant buttons (80x15, 80x29) are now available for links to the Openwall GNU/*/Linux (Owl) homepage off your blogs and such. This is in addition to the usual microbuttons (88x31). If you're running Owl on a webserver, please do remember to link back to us thereby supporting future development of Owl. In fact, even if you're not running Owl, you're still welcome to link to us, provided that you use other than the "powered" buttons.

April 19, 2005
Three of our PAM modules became mature enough for their 1.0 releases. These are pam_passwdqc, pam_userpass, and pam_mktemp. All three have existed since Y2K and are a part of several OS distributions.

April 16, 2005
We're making available unofficial/unsupported packages for use of Owl-current on a workstation. These packages can be found under /pub/Owl/current/unofficial on the FTP mirrors. Included are unofficial rebuilds of some Fedora Rawhide packages: X.org X11, Blackbox, WindowMaker, Firefox; GTK 2 and other X and graphics libraries; Python, tcl, tk, tix; various small packages. Also included are OpenOffice.org packages which are known to install and work on Owl-current with the Fedora packages already installed.

Please note that Owl is intended for use on servers only. Its use on a workstation will likely only make sense for Owl developers and contributors who might want to test cutting-edge Owl updates on their immediate computers. Read the full announcement here.

April 8, 2005
Linux 2.4.30-ow1 is out.

March 6, 2005
A new ISO-9660 image of Owl-current has been made available via the FTP mirrors.

January 20, 2005
Linux 2.4.29-ow1 is out. Linux 2.4.29, and thus 2.4.29-ow1, adds a number of security fixes.

Owl-current has been updated to GCC 3.4.3 and glibc 2.3.3+. Please refer to the change log for information on this and other recent updates.

November 26, 2004
The contributed resources list on John the Ripper homepage has been revised, adding patches which provide support for cracking Kerberos v5 TGTs, Netscape LDAP SSHA (salted), Apache MD5-based "apr1", and raw MD5 (hex-encoded) hashes, and a patch for taking advantage of PowerPC w/ AltiVec (128-bit) under Mac OS X for much better performance at DES-based hashes.

November 20, 2004
Linux 2.4.28-ow1 is out. Linux 2.4.28, and thus 2.4.28-ow1, fixes a number of security-related bugs.

November 3, 2004
After more than two months of active development, we're pleased to make available a new snapshot of Owl-current based around newer versions of glibc and RPM. Many other updates to Owl packages, build environment, and documentation have been made as well; please refer to the change log for information on the more important ones. This update will permit installation of packages from or intended for newer versions of Red Hat Linux, including commercial/closed-source ones, on Owl.

August 14, 2004
Linux 2.4.27-ow1 is out.

August 4, 2004
Linux 2.4.26-ow3 is out. This corrects the access control check in the Linux kernel which previously wrongly allowed any local user to change the group ownership of arbitrary NFS-exported/imported files (CAN-2004-0497) and adds a workaround for the file offset pointer races discovered by Paul Starzetz (CAN-2004-0415).

June 19, 2004
Linux 2.4.26-ow2 is out. This update fixes multiple security-related bugs in the Linux kernel (those discovered by Al Viro using "Sparse", fsave/frstor local DoS on x86, infoleak in the e1000 driver, and some others) as well as two non-security bugs in the patch itself. Please refer to the announcement for detailed information on the changes.

June 6, 2004
We've set up a CVSweb server which provides convenient access to the entire Openwall GNU/*/Linux (Owl) CVS tree including source code for Owl and consequently also for most other pieces of Openwall software which are now maintained as a part of Owl but are also made available separately. The CVSweb server allows the more experienced users and other software developers to easily browse through revision history and compare different versions of any source file that we've been working on.

June 3, 2004
There's a new version of the port scan detection tool, scanlogd 2.2.4. This has many minor code cleanups and enhancements, and includes RPM spec file and startup script directly usable on Red Hat Linux and on other compatible distributions.

April 26, 2004
A new version of the password hashing package, crypt_blowfish 0.4.6, has been released. This adds a patch for easy integration of crypt_blowfish into glibc versions 2.2 through 2.3.2 (as well as 2.1 through 2.1.3 which were supported previously). Other minor updates are included as well.

April 17, 2004
Linux 2.4.26-ow1 and 2.0.40-ow1 are out.

April 15, 2004
The Owl 1.1-stable branch will now be made available on the FTP mirrors.

March 1, 2004
Linux 2.2.26-ow1 is out.

February 23, 2004
There's a new development version of John the Ripper (1.6.37) which adds support for Linux/x86-64 (both 32-bit with MMX and native 64-bit) and OpenBSD/x86 with ELF binaries (previously only older versions of OpenBSD which still used a.out binaries were fully supported).

February 21, 2004
Linux 2.2.25-ow2 is out and includes workarounds and fixes for several Linux kernel vulnerabilities. Upgrading of existing Linux 2.2.x installs is strongly recommended.

February 20, 2004
Linux 2.4.25-ow1 is out. Upgrading of existing 2.4.23-ow2 and 2.4.24-ow1 installs is not strictly required for most users.

January 8, 2004
Linux 2.4.24-ow1 is out. Upgrading of existing 2.4.23-ow2 installs is not required.

January 5, 2004
Linux 2.4.23-ow2 is out and adds fixes for two Linux kernel vulnerabilities.

Owl 1.1 is now available for download (as well as for purchase on a CD). Owl 1.1 already includes Linux 2.4.23-ow2 as the kernel.

December 22, 2003
After another year of development and many public Owl-current snapshots, Openwall GNU/*/Linux (Owl) release 1.1 is finally out. Owl 1.1 is currently available for purchase on a CD and will also be made available for download in January. The major changes made since 1.0 are documented.

November 29, 2003
Linux 2.4.23-ow1 is out.

November 2, 2003
New versions of the PAM modules are available, including pam_passwdqc 0.7.5. pam_passwdqc will now assume invocation by root only if both the UID is 0 and the PAM service name is "passwd"; this should fix changing expired passwords on Solaris and HP-UX and make "enforce=users" safe. The proper English explanations of requirements for strong passwords will now be generated for a wider variety of possible settings.

October 10, 2003
An extensive wordlists collection with wordlists for 20+ human languages and lists of common passwords is now available for download or purchase on a CD (also with UPS delivery options).

September 15, 2003
There's a new development version of John the Ripper featuring an event logging framework. John now logs how it proceeds through stages of each of its cracking modes.

August 28, 2003
Linux 2.4.22-ow1 is out.

July 6, 2003
Linux 2.4.21-ow2 is out and adds fixes for two Linux kernel vulnerabilities recently discovered by Paul Starzetz.

June 15, 2003
Linux 2.4.21-ow1 is out.

April 27, 2003
msulogin is now available separately from Owl. msulogin is an implementation of sulogin single user mode login program which adds support for having multiple root accounts on a system.

March 20, 2003
Linux 2.2.25-ow1 is out.

March 10, 2003
popa3d 0.6.2 corrects the rate limiting of a log message (problem spotted by Michael Tokarev) and provides documentation updates, including a change log to which you may refer for more detailed information on the changes.

March 4, 2003
popa3d 0.6.1 adds version identification (popa3d -V) and more correct logging of abnormally terminated POP3 sessions.

February 22, 2003
There's a new stable release of popa3d, version 0.6. Changes since the last stable release (0.5.1) are limited to bug, correctness, and interoperability fixes (this includes a workaround for an Outlook Express client bug which would show up on body-less messages).

February 9, 2003
We're making public the updated Openwall GNU/*/Linux presentation slides as used at FOSDEM, the third Free and Open source Software Developers' European Meeting, on February 8-9, in Brussels, Belgium. There's also the pre-FOSDEM interview with Solar Designer available on the conference website.

January 11, 2003
The PAM modules and the tcb suite that were originally developed for Owl are now also conveniently linked from this website.

December 16, 2002
A popa3d Maildir support patch has been added to the contributed patches list on the popa3d homepage.

December 5, 2002
Linux 2.2.23-ow1 is out.

It is now possible to run John the Ripper on OpenVMS (both Alpha and VAX) targeting any of the supported hash types, and to crack OpenVMS passwords (SYSUAF.DAT) when running on any of the supported platforms, due to patches and VMS executables contributed by Jean-loup Gailly.

November 27, 2002
Linux 2.2.22-ow2 improves the "lcall" DoS fix for the Linux kernel to cover the NT (Nested Task) flag attack discovered by Christophe Devine.

November 14, 2002
BIND 4.9.10-OW2 includes the patch provided by ISC for the recently discovered vulnerabilities in BIND 4 and 8.

October 15, 2002
After over a year of development and many public Owl-current snapshots, Owl 1.0 is finally out.

October 7, 2002
A Russian translation of the Owl documentation and web pages is available.

October 1, 2002
BIND 4.9.10 and 4.9.10-OW1 have been released and fix a read beyond end of buffer vulnerability in the resolver library. The impact is believed to be very minor (if any). The DNS server itself (named) is unaffected.

September 17, 2002
Linux 2.2.22-ow1 is out.

September 10, 2002
Linux 2.2.21-ow2 includes many security fixes for issues with the Linux kernel discovered during code reviews by Silvio Cesare, Solar Designer, and others.

August 30, 2002
It is now possible to order Owl on a CD.

July 31, 2002
A new version of the password strength checking PAM module pam_passwdqc 0.6 has been released and offers support for HP-UX 11 (in addition to Linux, FreeBSD, and Solaris) and a pam_passwdqc(8) manual page (imported back from FreeBSD).

June 29, 2002
Updated BIND 4.9.x patches have been released to correct the recently discovered vulnerability in the resolver library code included with BIND.

May 3, 2002
We're making public the updated Openwall GNU/*/Linux presentation slides as used at CanSecWest/core02 information security conference on May 1-3, in Vancouver, Canada.

April 18, 2002
New versions of pam_passwdqc, the password strength checking PAM module, and popa3d, the POP3 server, are available. pam_passwdqc 0.5 adds support for OpenPAM as found on FreeBSD-current, thanks to Dag-Erling Smorgrav. It also became a part of FreeBSD. popa3d 0.5.1 changes the way unique IDs are generated.

March 3, 2002
Linux 2.2.20-ow2 fixes an x86-specific vulnerability in the Linux kernel discovered by Stephan Springl where local users could abuse a binary compatibility interface (lcall) to kill processes not belonging to them (including system processes).

February 27, 2002
We're making public our NordU2002 presentation slides on Openwall GNU/*/Linux and on SSH Traffic Analysis (which is just an updated version of the HAL2001 presentation).

November 4, 2001
pam_passwdqc version 0.4 has been released. This version adds support for Solaris with native pam_unix.

November 3, 2001
Linux 2.2.20-ow1 has been released.

October 28, 2001
There's a new stable release of popa3d, version 0.5. This has all of the features added in post-0.4 development versions plus a man page.

October 18, 2001
Linux 2.2.19-ow3 fixes two Linux kernel vulnerabilities discovered by Rafal Wojtczuk. Please refer to the Owl change log for information on the vulnerabilities and how they affect Owl. Of the two newly discovered vulnerabilities, Linux 2.0.39-ow3 is only affected by the DoS.

September 11, 2001
popa3d 0.4.9.4 fixes two bugs introduced with recent development versions (oops). Please update.

September 8, 2001
popa3d 0.4.9.3 now runs parts of its code in a chroot jail. It also adds certain bits of functionality that previously were missing or available as third-party patches only. Please test and report any problems you may have with this development version, especially on less common platforms, as popa3d is approaching a stable release.

August 22, 2001
We're making available our HAL2001 presentation slides on SSH traffic analysis.

August 6, 2001
We've updated our security advisory on Passive Analysis of SSH (Secure Shell) Traffic with additional vendor fix information for TTSSH and for affected Cisco products. The updated advisory includes a bugfixed and improved version of SSHOW, the tiny SSH traffic analysis tool we use to demonstrate the attacks.

June 29, 2001
We've started maintaining a stable branch of Owl, based on Owl 0.1-prerelease. This branch will have all significant reliability and security fixes necessary to use Owl in production - even before its feature set is complete for it to be called 1.0. Another recent addition is the OpenBSD-like change logs for both the current and the stable branch.

June 20, 2001
popa3d 0.4.9.1 has been released. The license for the entire package has been relaxed, and popa3d should be smaller and more portable now. This is due to the new MD5 routines.

May 28, 2001
popa3d 0.4.9 is available for testing. Expect a new stable release soon.

May 12, 2001
After months of development we're making public a prerelease of Owl, our security-enhanced server platform with Linux and GNU software as its core.

May 10, 2001
A new version of the password hashing package, crypt_blowfish 0.4, has been released. It adds two functions and a manual page describing the programming interfaces, including on systems based on the GNU C Library with crypt_blowfish patched into libcrypt.

April 19, 2001
A new development version of John the Ripper (1.6.24-dev) adds a cracker for passwords you may have generated with Strip 0.5. The cracker is implemented in john.conf as an "external mode" and will try all passwords Strip could generate with all possible settings. Other uses of Strip are unaffected. The cracker is based on analysis by Thomas Roessler and Ian Goldberg.

March 26, 2001
Linux 2.2.19-ow1 and 2.0.39-ow3 have been released. Please upgrade to at least one of these versions of the kernel/patch as Linux 2.2.19 is an important security update.

March 19, 2001
We've just published a security advisory entitled Passive Analysis of SSH (Secure Shell) Traffic. This advisory demonstrates several weaknesses in implementations of SSH (Secure Shell) protocols. When exploited, they let the attacker obtain sensitive information by passively monitoring encrypted SSH sessions. Fix information, patches to reduce the impact of traffic analysis, and a tool to demonstrate the attacks are provided.

February 9, 2001
Updated Linux kernel patches have been released, which include fixes for the two recently announced Linux kernel vulnerabilities, both of which can result in a local root compromise.

January 29, 2001
Updated BIND 4.9.x patches have been released, which include fixes for the recently discovered BIND vulnerabilities.


Hosted by DataForce ISP - Powered by Openwall GNU/*/Linux
