Date: Fri, 24 Oct 2014 06:14:20 -0500
From: Jim Pirzyk <pirzyk@freeBSD.org>
To: freebsd-stable@freebsd.org
Subject: Re: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-14:11.crypt
Message-ID: <F0DAE32B-34CF-4191-9070-A517ACDC6E2A@freeBSD.org>
In-Reply-To: <201410222107.s9ML7nLC010739@freefall.freebsd.org>
References: <201410222107.s9ML7nLC010739@freefall.freebsd.org>
Hi,

I was wondering if there is more information about this change? FreeBSD
changed the default away from DES to MD5 back in the 1.1.5 -> 2.0
transition. It seems to me a downgrade and rewarding bad programming to
be changing back to DES now. Also the proper course of action is to
correct programs that make the wrong assumption about what crypt()
changes.

Thanks - JimP

On Oct 22, 2014, at 4:07 PM, FreeBSD Errata Notices <errata-notices@freebsd.org> wrote:

> Signed PGP part
> =============================================================================
> FreeBSD-EN-14:11.crypt                                          Errata Notice
>                                                           The FreeBSD Project
>
> Topic:          crypt(3) default hashing algorithm
>
> Category:       core
> Module:         libcrypt
> Announced:      2014-10-22
> Affects:        FreeBSD 9.3 and FreeBSD 10.0-STABLE after 2014-05-11 and
>                 before 2014-10-16.
> Corrected:      2014-10-13 15:56:47 UTC (stable/10, 10.1-PRERELEASE)
>                 2014-10-16 21:39:04 UTC (releng/10.1, 10.1-RC3)
>                 2014-10-16 21:39:04 UTC (releng/10.1, 10.1-RC2-p2)
>                 2014-10-16 21:39:04 UTC (releng/10.1, 10.1-RC1-p2)
>                 2014-10-16 21:39:04 UTC (releng/10.1, 10.1-BETA3-p2)
>                 2014-10-21 21:09:54 UTC (stable/9, 9.3-STABLE)
>                 2014-10-21 23:50:46 UTC (releng/9.3, 9.3-RELEASE-p4)
>
> For general information regarding FreeBSD Errata Notices and Security
> Advisories, including descriptions of the fields above, security
> branches, and the following sections, please visit
> <URL:http://security.freebsd.org/>.
>
> I.   Background
>
> The crypt(3) function performs password hashing. Different algorithms
> of varying strength are available, with older, weaker algorithms being
> retained for compatibility.
>
> The crypt(3) function was originally based on the DES encryption
> algorithm and generated a 13-character hash from an eight-character
> password (longer passwords were truncated) and a two-character salt.
>
> II.  Problem Description
>
> In recent FreeBSD releases, the default algorithm for crypt(3) was
> changed to SHA-512, which generates a much longer hash than the
> traditional DES-based algorithm.
>
> III. Impact
>
> Many applications assume that crypt(3) always returns a traditional DES
> hash, and blindly copy it into a short buffer without bounds checks. This
> may lead to a variety of undesirable results including, at worst, crashing
> the application.
>
> IV.  Workaround
>
> No workaround is available.
>
> V.   Solution
>
> Perform one of the following:
>
> 1) Upgrade your system to a supported FreeBSD stable or release / security
> branch (releng) dated after the correction date.
>
> 2) To update your present system via a source code patch:
>
> The following patches have been verified to apply to the applicable
> FreeBSD release branches.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> # fetch http://security.FreeBSD.org/patches/EN-14:11/crypt.patch
> # fetch http://security.FreeBSD.org/patches/EN-14:11/crypt.patch.asc
> # gpg --verify crypt.patch.asc
>
> b) Apply the patch. Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
>
> c) Recompile the operating system using buildworld and installworld as
> described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
>
> Restart all daemons using the library, or reboot the system.
>
> 3) To update your system via a binary patch:
>
> Systems running a RELEASE version of FreeBSD on the i386 or amd64
> platforms can be updated via the freebsd-update(8) utility:
>
> # freebsd-update fetch
> # freebsd-update install
>
> VI.  Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> Branch/path                                                      Revision
> -------------------------------------------------------------------------
> stable/9/                                                         r273425
> releng/9.3/                                                       r273438
> stable/10/                                                        r273043
> releng/10.1/                                                      r273187
> -------------------------------------------------------------------------
>
> To see which files were modified by a particular revision, run the
> following command, replacing NNNNNN with the revision number, on a
> machine with Subversion installed:
>
> # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
>
> Or visit the following URL, replacing NNNNNN with the revision number:
>
> <URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
>
> VII. References
>
> The latest revision of this Errata Notice is available at
> http://security.FreeBSD.org/advisories/FreeBSD-EN-14:11.crypt.asc
>
> _______________________________________________
> freebsd-announce@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-announce
> To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org"

---
@(#) $Id: dot.signature,v 1.15 2007/12/27 15:06:13 pirzyk Exp $
   __o                          jim@pirzyk.org
--------------------------------------------------
 _'\<,_
(*)/ (*)                        I'd rather be out biking.
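Section III of the quoted notice describes applications copying crypt(3) output into a DES-sized buffer without bounds checks. As an added example, not code from the errata, from Jim's mail or from FreeBSD's libcrypt, the fragment below shows that pattern beside a bounds-checked replacement; the struct and function names are hypothetical, and the two sample hashes are constructed strings shaped like crypt(3) output rather than real hashes.

```c
#include <stdio.h>
#include <string.h>

#define DES_HASH_LEN 13   /* traditional crypt(3): 2-char salt + 11-char hash */

/* Constructed samples shaped like crypt(3) output, not real hashes. */
static const char SAMPLE_DES[] = "abJnggxhB/yWI";            /* 13 chars */
static const char SAMPLE_SHA512[] = "$6$saltsaltsaltsalt$"   /* 106 chars in all */
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./"
    "abcdefghijklmnopqrstuv";

/* The pattern section III warns about: a field sized for a DES hash plus an
 * unbounded copy. Correct only while crypt(3) returns 13 characters; with a
 * SHA-512 hash the strcpy runs past pw and corrupts whatever follows it. */
struct legacy_entry { char pw[DES_HASH_LEN + 1]; int uid; };

void legacy_store_unchecked(struct legacy_entry *e, const char *hash) {
    strcpy(e->pw, hash);   /* no bounds check */
}

/* The check that should precede any copy into a DES-sized field. */
int hash_fits_des_field(const char *hash) { return strlen(hash) <= DES_HASH_LEN; }

/* Hardened form: bounded copy that rejects a hash that does not fit rather
 * than truncating it (a truncated hash never verifies and hides the bug).
 * Returns 0 on success, -1 if dstsz is too small. On FreeBSD, size the
 * destination from _PASSWORD_LEN in <pwd.h>, not from the DES length. */
int store_hash_checked(char *dst, size_t dstsz, const char *hash) {
    size_t n = strlen(hash);
    if (n + 1 > dstsz) return -1;
    memcpy(dst, hash, n + 1);
    return 0;
}

/* Demo helper: run the checked copy into a scratch buffer of dstsz bytes.
 * 1 = accepted and intact, 0 = rejected, -1 = dstsz larger than scratch. */
int roundtrip_into(size_t dstsz, const char *hash) {
    char buf[256];
    if (dstsz > sizeof buf) return -1;
    if (store_hash_checked(buf, dstsz, hash) != 0) return 0;
    return strcmp(buf, hash) == 0;
}

int main(void) {
    struct legacy_entry e = { "", 1000 };
    legacy_store_unchecked(&e, SAMPLE_DES);   /* safe only because it is 13 chars */
    printf("SHA-512 fits DES field: %d\n", hash_fits_des_field(SAMPLE_SHA512));
    printf("checked copy into 14 bytes: %d, into 129 bytes: %d\n",
           roundtrip_into(DES_HASH_LEN + 1, SAMPLE_SHA512), roundtrip_into(129, SAMPLE_SHA512));
    return 0;
}
```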