Message-ID: <20100224173825.GA1761@openwall.com>
Date: Wed, 24 Feb 2010 20:38:25 +0300
From: Solar Designer <solar@...nwall.com>
To: announce@...ts.openwall.com
Subject: [openwall-announce] Linux 2.4.37.9-ow1; tcb 1.0.4; crypt_blowfish 1.0.4; JtR 1.7.4.2-jumbo-3

Hi,

This is to announce four minor updates at once:

1. The Linux 2.4 kernel patch has been updated to Linux 2.4.37.9. One of the changes made between 2.4.37.7 and 2.4.37.9 is a security fix for the e1000 Ethernet driver issue that could have allowed remote attackers to bypass packet filters (CVE-2009-4536). The Linux 2.4.37.9-ow1 patch additionally includes a post-2.4.37.9 fix for FAT filesystems:

http://www.openwall.com/linux/
http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.37.8
http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.37.9
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4536
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.4.37.y.git;a=commitdiff;h=940716e5206ebda003fca89b4ac1076b1fff5c99

2. We've released version 1.0.4 of our tcb suite (which implements the alternative password shadowing scheme on Owl). In this version, a non-security buffer overflow bug with more than NGROUPS_MAX groups per user has been fixed. We do not treat the bug as a security issue because there's no untrusted user input involved. Also, the bug is not even triggerable with typical uses of tcb, where the groups array in question will be a root user's (perhaps just one group).

http://www.openwall.com/tcb/
http://www.openwall.com/tcb/ChangeLog

3. There's a minor update of crypt_blowfish (version 1.0.4), our public domain password hashing framework for C/C++. In this version, the check for unsupported iteration counts has been corrected to reject certain iteration counts that would previously be misinterpreted. Also, section .note.GNU-stack has been added to the x86 assembly file to avoid the stack area unnecessarily being made executable on Linux systems that use this convention.

http://www.openwall.com/crypt/

On a related note, a Python interface to crypt_blowfish by Daniel Holth has been added to the contributed resources list on the crypt_blowfish homepage:

http://www.openwall.com/crypt/#contrib

4. Revision 3 of the jumbo patch for JtR 1.7.4.2 has been released, adding support for cracking NTLMv2 challenge/response exchanges (contributed by JoMo-Kun), as well as support for Oracle 11g SHA-1 based hashes (contributed by Alexandre Hamelin):

http://www.openwall.com/john/#contrib
http://www.openwall.com/lists/john-users/2010/02/14/1
http://www.openwall.com/lists/john-users/2010/02/12/2

Alexander