From owner-freebsd-stable@FreeBSD.ORG Fri Oct 24 11:14:32 2014 Return-Path: Delivered-To: freebsd-stable@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 5FBF5B2E for ; Fri, 24 Oct 2014 11:14:32 +0000 (UTC) Received: from m2j4.x.rootbsd.net (pirzyk.org [IPv6:2607:fc50:1:5900:216:3eff:fe10:3498]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 2F43418D for ; Fri, 24 Oct 2014 11:14:32 +0000 (UTC) Received: from [192.168.1.126] (c-50-165-9-144.hsd1.il.comcast.net [50.165.9.144]) (authenticated bits=0) by m2j4.x.rootbsd.net (8.14.7/8.14.7) with ESMTP id s9OBEQmB070268 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO) for ; Fri, 24 Oct 2014 06:14:28 -0500 (CDT) (envelope-from pirzyk@freeBSD.org) From: Jim Pirzyk Content-Type: multipart/signed; boundary="Apple-Mail=_6C668A53-ADFE-48D4-A336-3F2E0CC379E6"; protocol="application/pgp-signature"; micalg=pgp-sha256 Message-Id: Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\)) Subject: Re: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-14:11.crypt Date: Fri, 24 Oct 2014 06:14:20 -0500 References: <201410222107.s9ML7nLC010739@freefall.freebsd.org> To: freebsd-stable@freebsd.org In-Reply-To: <201410222107.s9ML7nLC010739@freefall.freebsd.org> X-Mailer: Apple Mail (2.1878.6) X-Virus-Scanned: clamav-milter 0.98.4 at pirzyk.org X-Virus-Status: Clean X-Spam-Status: No, score=-0.9 required=8.0 tests=ALL_TRUSTED,TW_SV autolearn=unavailable autolearn_force=no version=3.4.0 X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on pirzyk.org X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 24 Oct 2014 11:14:32 -0000 --Apple-Mail=_6C668A53-ADFE-48D4-A336-3F2E0CC379E6 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=us-ascii Hi, I was wondering if there is more information about this change? FreeBSD = changed the default away from DES to MD5 back in the 1.1.5 -> 2.0 = transition. It seems to me a downgrade and rewarding bad programming to = be changing back to DES now. Also the proper course of action is to = correct programs that make the wrong assumption about what crypt() = changes. Thanks - JimP On Oct 22, 2014, at 4:07 PM, FreeBSD Errata Notices = wrote: > Signed PGP part > = =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D > FreeBSD-EN-14:11.crypt Errata = Notice > The FreeBSD = Project >=20 > Topic: crypt(3) default hashing algorithm >=20 > Category: core > Module: libcrypt > Announced: 2014-10-22 > Affects: FreeBSD 9.3 and FreeBSD 10.0-STABLE after 2014-05-11 = and > before 2014-10-16. > Corrected: 2014-10-13 15:56:47 UTC (stable/10, 10.1-PRERELEASE) > 2014-10-16 21:39:04 UTC (releng/10.1, 10.1-RC3) > 2014-10-16 21:39:04 UTC (releng/10.1, 10.1-RC2-p2) > 2014-10-16 21:39:04 UTC (releng/10.1, 10.1-RC1-p2) > 2014-10-16 21:39:04 UTC (releng/10.1, 10.1-BETA3-p2) > 2014-10-21 21:09:54 UTC (stable/9, 9.3-STABLE) > 2014-10-21 23:50:46 UTC (releng/9.3, 9.3-RELEASE-p4) >=20 > For general information regarding FreeBSD Errata Notices and Security > Advisories, including descriptions of the fields above, security > branches, and the following sections, please visit > . >=20 > I. Background >=20 > The crypt(3) function performs password hashing. Different algorithms > of varying strength are available, with older, weaker algorithms being > retained for compatibility. >=20 > The crypt(3) function was originally based on the DES encryption > algorithm and generated a 13-character hash from an eight-character > password (longer passwords were truncated) and a two-character salt. >=20 > II. Problem Description >=20 > In recent FreeBSD releases, the default algorithm for crypt(3) was > changed to SHA-512, which generates a much longer hash than the > traditional DES-based algorithm. >=20 > III. Impact >=20 > Many applications assume that crypt(3) always returns a traditional = DES > hash, and blindly copy it into a short buffer without bounds checks. = This > may lead to a variety of undesirable results including, at worst, = crashing > the application. >=20 > IV. Workaround >=20 > No workaround is available. >=20 > V. Solution >=20 > Perform one of the following: >=20 > 1) Upgrade your system to a supported FreeBSD stable or release / = security > branch (releng) dated after the correction date. >=20 > 2) To update your present system via a source code patch: >=20 > The following patches have been verified to apply to the applicable > FreeBSD release branches. >=20 > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. >=20 > # fetch http://security.FreeBSD.org/patches/EN-14:11/crypt.patch > # fetch http://security.FreeBSD.org/patches/EN-14:11/crypt.patch.asc > # gpg --verify crypt.patch.asc >=20 > b) Apply the patch. Execute the following commands as root: >=20 > # cd /usr/src > # patch < /path/to/patch >=20 > c) Recompile the operating system using buildworld and installworld as > described in . >=20 > Restart all deamons using the library, or reboot the system. >=20 > 3) To update your system via a binary patch: >=20 > Systems running a RELEASE version of FreeBSD on the i386 or amd64 > platforms can be updated via the freebsd-update(8) utility: >=20 > # freebsd-update fetch > # freebsd-update install >=20 > VI. Correction details >=20 > The following list contains the revision numbers of each file that was > corrected in FreeBSD. >=20 > Branch/path = Revision > = ------------------------------------------------------------------------- > stable/9/ = r273425 > releng/9.3/ = r273438 > stable/10/ = r273043 > releng/10.1/ = r273187 > = ------------------------------------------------------------------------- >=20 > To see which files were modified by a particular revision, run the > following command, replacing NNNNNN with the revision number, on a > machine with Subversion installed: >=20 > # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base >=20 > Or visit the following URL, replacing NNNNNN with the revision number: >=20 > >=20 > VII. References >=20 > The latest revision of this Errata Notice is available at > http://security.FreeBSD.org/advisories/FreeBSD-EN-14:11.crypt.asc >=20 > _______________________________________________ > freebsd-announce@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-announce > To unsubscribe, send any mail to = "freebsd-announce-unsubscribe@freebsd.org" --- @(#) $Id: dot.signature,v 1.15 2007/12/27 15:06:13 pirzyk Exp $ __o jim@pirzyk.org = -------------------------------------------------- _'\<,_ (*)/ (*) I'd rather be out biking. --Apple-Mail=_6C668A53-ADFE-48D4-A336-3F2E0CC379E6 Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP using GPGMail -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org iFcDBQFUSjSS+2AFq07nokoRCHQtAP4nBn/msYhnsMGA/MZnyI+fjDIco8jwXGZl qim0cNo0gQD/ZcEqf87MEnyfzvHbXMdd94rpsOs6mA5xt45kVbzvnmo= =kfPf -----END PGP SIGNATURE----- --Apple-Mail=_6C668A53-ADFE-48D4-A336-3F2E0CC379E6--