Date: Fri, 24 Oct 2014 15:11:56 +0200 From: "Ronald Klop" <ronald-lists@klop.ws> To: freebsd-stable@freebsd.org, "Jim Pirzyk" <pirzyk@freebsd.org> Subject: Re: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-14:11.crypt Message-ID: <op.xn8j96kqkndu52@ronaldradial.radialsg.local> In-Reply-To: <F0DAE32B-34CF-4191-9070-A517ACDC6E2A@freeBSD.org> References: <201410222107.s9ML7nLC010739@freefall.freebsd.org> <F0DAE32B-34CF-4191-9070-A517ACDC6E2A@freeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
See: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192277 Regards, Ronald. On Fri, 24 Oct 2014 13:14:20 +0200, Jim Pirzyk <pirzyk@freebsd.org> wrote: > Hi, > > I was wondering if there is more information about this change? FreeBSD > changed the default away from DES to MD5 back in the 1.1.5 -> 2.0 > transition. It seems to me a downgrade and rewarding bad programming to > be changing back to DES now. Also the proper course of action is to > correct programs that make the wrong assumption about what crypt() > changes. > > Thanks > > - JimP > > On Oct 22, 2014, at 4:07 PM, FreeBSD Errata Notices > <errata-notices@freebsd.org> wrote: > >> Signed PGP part >> ============================================================================= >> FreeBSD-EN-14:11.crypt Errata >> Notice >> The FreeBSD >> Project >> >> Topic: crypt(3) default hashing algorithm >> >> Category: core >> Module: libcrypt >> Announced: 2014-10-22 >> Affects: FreeBSD 9.3 and FreeBSD 10.0-STABLE after 2014-05-11 and >> before 2014-10-16. >> Corrected: 2014-10-13 15:56:47 UTC (stable/10, 10.1-PRERELEASE) >> 2014-10-16 21:39:04 UTC (releng/10.1, 10.1-RC3) >> 2014-10-16 21:39:04 UTC (releng/10.1, 10.1-RC2-p2) >> 2014-10-16 21:39:04 UTC (releng/10.1, 10.1-RC1-p2) >> 2014-10-16 21:39:04 UTC (releng/10.1, 10.1-BETA3-p2) >> 2014-10-21 21:09:54 UTC (stable/9, 9.3-STABLE) >> 2014-10-21 23:50:46 UTC (releng/9.3, 9.3-RELEASE-p4) >> >> For general information regarding FreeBSD Errata Notices and Security >> Advisories, including descriptions of the fields above, security >> branches, and the following sections, please visit >> <URL:http://security.freebsd.org/>. >> >> I. Background >> >> The crypt(3) function performs password hashing. Different algorithms >> of varying strength are available, with older, weaker algorithms being >> retained for compatibility. >> >> The crypt(3) function was originally based on the DES encryption >> algorithm and generated a 13-character hash from an eight-character >> password (longer passwords were truncated) and a two-character salt. >> >> II. Problem Description >> >> In recent FreeBSD releases, the default algorithm for crypt(3) was >> changed to SHA-512, which generates a much longer hash than the >> traditional DES-based algorithm. >> >> III. Impact >> >> Many applications assume that crypt(3) always returns a traditional DES >> hash, and blindly copy it into a short buffer without bounds checks. >> This >> may lead to a variety of undesirable results including, at worst, >> crashing >> the application. >> >> IV. Workaround >> >> No workaround is available. >> >> V. Solution >> >> Perform one of the following: >> >> 1) Upgrade your system to a supported FreeBSD stable or release / >> security >> branch (releng) dated after the correction date. >> >> 2) To update your present system via a source code patch: >> >> The following patches have been verified to apply to the applicable >> FreeBSD release branches. >> >> a) Download the relevant patch from the location below, and verify the >> detached PGP signature using your PGP utility. >> >> # fetch http://security.FreeBSD.org/patches/EN-14:11/crypt.patch >> # fetch http://security.FreeBSD.org/patches/EN-14:11/crypt.patch.asc >> # gpg --verify crypt.patch.asc >> >> b) Apply the patch. Execute the following commands as root: >> >> # cd /usr/src >> # patch < /path/to/patch >> >> c) Recompile the operating system using buildworld and installworld as >> described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>. >> >> Restart all deamons using the library, or reboot the system. >> >> 3) To update your system via a binary patch: >> >> Systems running a RELEASE version of FreeBSD on the i386 or amd64 >> platforms can be updated via the freebsd-update(8) utility: >> >> # freebsd-update fetch >> # freebsd-update install >> >> VI. Correction details >> >> The following list contains the revision numbers of each file that was >> corrected in FreeBSD. >> >> Branch/path >> Revision >> ------------------------------------------------------------------------- >> stable/9/ >> r273425 >> releng/9.3/ >> r273438 >> stable/10/ >> r273043 >> releng/10.1/ >> r273187 >> ------------------------------------------------------------------------- >> >> To see which files were modified by a particular revision, run the >> following command, replacing NNNNNN with the revision number, on a >> machine with Subversion installed: >> >> # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base >> >> Or visit the following URL, replacing NNNNNN with the revision number: >> >> <URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>; >> >> VII. References >> >> The latest revision of this Errata Notice is available at >> http://security.FreeBSD.org/advisories/FreeBSD-EN-14:11.crypt.asc >> >> _______________________________________________ >> freebsd-announce@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-announce >> To unsubscribe, send any mail to >> "freebsd-announce-unsubscribe@freebsd.org" > > --- @(#) $Id: dot.signature,v 1.15 2007/12/27 15:06:13 pirzyk Exp $ > __o jim@pirzyk.org > -------------------------------------------------- > _'\<,_ > (*)/ (*) I'd rather be out biking.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?op.xn8j96kqkndu52>