From: "Ronald Klop"
To: freebsd-stable@freebsd.org, "Jim Pirzyk"
Subject: Re: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-14:11.crypt
Date: Fri, 24 Oct 2014 15:11:56 +0200
References: <201410222107.s9ML7nLC010739@freefall.freebsd.org>
List-Id: Production branch of FreeBSD source code

See: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192277

Regards,
Ronald.
On Fri, 24 Oct 2014 13:14:20 +0200, Jim Pirzyk wrote:

> Hi,
>
> I was wondering if there is more information about this change? FreeBSD
> changed the default away from DES to MD5 back in the 1.1.5 -> 2.0
> transition. It seems to me a downgrade and rewarding bad programming to
> be changing back to DES now. Also the proper course of action is to
> correct programs that make the wrong assumption about what crypt()
> changes.
>
> Thanks
>
> - JimP
>
> On Oct 22, 2014, at 4:07 PM, FreeBSD Errata Notices wrote:
>
>> Signed PGP part
>> =============================================================================
>> FreeBSD-EN-14:11.crypt                                          Errata Notice
>>                                                           The FreeBSD Project
>>
>> Topic:          crypt(3) default hashing algorithm
>>
>> Category:       core
>> Module:         libcrypt
>> Announced:      2014-10-22
>> Affects:        FreeBSD 9.3 and FreeBSD 10.0-STABLE after 2014-05-11 and
>>                 before 2014-10-16.
>> Corrected:      2014-10-13 15:56:47 UTC (stable/10, 10.1-PRERELEASE)
>>                 2014-10-16 21:39:04 UTC (releng/10.1, 10.1-RC3)
>>                 2014-10-16 21:39:04 UTC (releng/10.1, 10.1-RC2-p2)
>>                 2014-10-16 21:39:04 UTC (releng/10.1, 10.1-RC1-p2)
>>                 2014-10-16 21:39:04 UTC (releng/10.1, 10.1-BETA3-p2)
>>                 2014-10-21 21:09:54 UTC (stable/9, 9.3-STABLE)
>>                 2014-10-21 23:50:46 UTC (releng/9.3, 9.3-RELEASE-p4)
>>
>> For general information regarding FreeBSD Errata Notices and Security
>> Advisories, including descriptions of the fields above, security
>> branches, and the following sections, please visit
>> .
>>
>> I.   Background
>>
>> The crypt(3) function performs password hashing. Different algorithms
>> of varying strength are available, with older, weaker algorithms being
>> retained for compatibility.
>>
>> The crypt(3) function was originally based on the DES encryption
>> algorithm and generated a 13-character hash from an eight-character
>> password (longer passwords were truncated) and a two-character salt.
>>
>> II.  Problem Description
>>
>> In recent FreeBSD releases, the default algorithm for crypt(3) was
>> changed to SHA-512, which generates a much longer hash than the
>> traditional DES-based algorithm.
>>
>> III. Impact
>>
>> Many applications assume that crypt(3) always returns a traditional DES
>> hash, and blindly copy it into a short buffer without bounds checks. This
>> may lead to a variety of undesirable results including, at worst, crashing
>> the application.
>>
>> IV.  Workaround
>>
>> No workaround is available.
>>
>> V.   Solution
>>
>> Perform one of the following:
>>
>> 1) Upgrade your system to a supported FreeBSD stable or release / security
>> branch (releng) dated after the correction date.
>>
>> 2) To update your present system via a source code patch:
>>
>> The following patches have been verified to apply to the applicable
>> FreeBSD release branches.
>>
>> a) Download the relevant patch from the location below, and verify the
>> detached PGP signature using your PGP utility.
>>
>> # fetch http://security.FreeBSD.org/patches/EN-14:11/crypt.patch
>> # fetch http://security.FreeBSD.org/patches/EN-14:11/crypt.patch.asc
>> # gpg --verify crypt.patch.asc
>>
>> b) Apply the patch. Execute the following commands as root:
>>
>> # cd /usr/src
>> # patch < /path/to/patch
>>
>> c) Recompile the operating system using buildworld and installworld as
>> described in .
>>
>> Restart all daemons using the library, or reboot the system.
>>
>> 3) To update your system via a binary patch:
>>
>> Systems running a RELEASE version of FreeBSD on the i386 or amd64
>> platforms can be updated via the freebsd-update(8) utility:
>>
>> # freebsd-update fetch
>> # freebsd-update install
>>
>> VI.  Correction details
>>
>> The following list contains the revision numbers of each file that was
>> corrected in FreeBSD.
>>
>> Branch/path                                                         Revision
>> -------------------------------------------------------------------------
>> stable/9/                                                            r273425
>> releng/9.3/                                                          r273438
>> stable/10/                                                           r273043
>> releng/10.1/                                                         r273187
>> -------------------------------------------------------------------------
>>
>> To see which files were modified by a particular revision, run the
>> following command, replacing NNNNNN with the revision number, on a
>> machine with Subversion installed:
>>
>> # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
>>
>> Or visit the following URL, replacing NNNNNN with the revision number:
>>
>>
>>
>> VII. References
>>
>> The latest revision of this Errata Notice is available at
>> http://security.FreeBSD.org/advisories/FreeBSD-EN-14:11.crypt.asc
>>
>> _______________________________________________
>> freebsd-announce@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-announce
>> To unsubscribe, send any mail to
>> "freebsd-announce-unsubscribe@freebsd.org"
>
> --- @(#) $Id: dot.signature,v 1.15 2007/12/27 15:06:13 pirzyk Exp $
>     __o                                     jim@pirzyk.org
> --------------------------------------------------
>   _'\<,_
>  (*)/ (*)      I'd rather be out biking.
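The failure mode the errata notice's Impact section describes (a caller sizes its buffer for the 13-character DES output and copies whatever crypt(3) returns) can be shown without touching libcrypt. The following C program is an added example, not code from the notice, from FreeBSD or from either poster: it makes no real crypt(3) call, the two hash strings are constructed samples in the DES and SHA-512 ("$6$") output formats rather than hashes of any real password, and the function names (crypt_hash_kind, store_hash, store_in_legacy_buffer, store_hash_dup) are this example's own. It shows a bounds-checked copy that rejects a hash that does not fit, and the format-agnostic alternative of sizing the buffer from the hash itself.

```c
/*
 * Added example (not from FreeBSD-EN-14:11 or the FreeBSD sources).
 * No real crypt(3) call is made; both sample hashes below are constructed.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Traditional DES crypt(3) output: 2-character salt + 11 hash characters. */
#define DES_HASH_LEN 13

/* Constructed sample in DES output format (13 chars, no '$'). */
static const char SAMPLE_DES_HASH[] = "abJnggxhB/yWI";

/* Constructed sample in SHA-512 crypt format: "$6$" + 16-char salt + "$"
 * + 86 hash characters = 106 characters, far longer than DES output. */
static const char SAMPLE_SHA512_HASH[] =
    "$6$saltsaltsaltsalt$"
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
    "./0123456789ABCDEFGHIJ";

/* Classify crypt(3) output by its prefix. Traditional DES output never
 * contains '$'; the modular formats start with "$<id>$". */
const char *crypt_hash_kind(const char *hash)
{
    if (strncmp(hash, "$1$", 3) == 0) return "md5";
    if (strncmp(hash, "$6$", 3) == 0) return "sha512";
    if (hash[0] != '$' && strlen(hash) == DES_HASH_LEN) return "des";
    return "unknown";
}

/* Bounds-checked copy. Copies and returns 0 only when the whole hash plus
 * its NUL terminator fits in bufsz; otherwise returns -1 and leaves buf as
 * an empty string so a truncated hash can never be used by mistake. */
int store_hash(const char *hash, char *buf, size_t bufsz)
{
    size_t n = strlen(hash);
    if (bufsz == 0) return -1;
    if (n + 1 > bufsz) {
        buf[0] = '\0';
        return -1;
    }
    memcpy(buf, hash, n + 1);
    return 0;
}

/* A caller that sized its buffer for DES output, which is the assumption
 * the notice describes. The unchecked pattern would be
 *     strcpy(legacy, crypt(password, salt));
 * and with a SHA-512 hash it would write about 93 bytes past a 14-byte
 * buffer. With the check above the long hash is rejected instead. */
int store_in_legacy_buffer(const char *hash)
{
    char legacy[DES_HASH_LEN + 1];
    return store_hash(hash, legacy, sizeof legacy);
}

/* Format-agnostic alternative: size the buffer from the hash itself.
 * The caller frees the result. */
char *store_hash_dup(const char *hash)
{
    size_t n = strlen(hash) + 1;
    char *copy = malloc(n);
    if (copy != NULL) memcpy(copy, hash, n);
    return copy;
}

int main(void)
{
    const char *samples[] = { SAMPLE_DES_HASH, SAMPLE_SHA512_HASH };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-7s len=%3zu  14-byte legacy buffer: %s\n",
               crypt_hash_kind(samples[i]), strlen(samples[i]),
               store_in_legacy_buffer(samples[i]) == 0 ? "fits" : "rejected");
    }
    return 0;
}
```

The point of store_hash is that the length check happens before any byte is written, so the caller gets a clear error instead of a silently truncated or overrun buffer; store_hash_dup is the simpler fix for code that does not need a fixed-size field at all.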