
From: Solar Designer
Date: Fri, 15 Nov 2002 10:23:40 +0300
To: announce@lists.openwall.com
Subject: BIND 4.9.10-OW2, crypt_blowfish 0.4.5

Hi,

Yesterday I put out the BIND 4.9.10-OW2 patch, which includes the patch provided by ISC and thus has the two recently announced vulnerabilities affecting BIND 4 fixed. Previous versions of BIND 4.9.x-OW patches, if used properly, significantly reduced the impact of the "named" vulnerability.

The patches (and links to more information on the vulnerabilities) are available at their usual location:

/bind/

A patch against BIND 4.9.11 will appear as soon as this version is officially released, although it will likely be effectively the same as the currently available 4.9.10-OW2.

It hasn't been fully researched whether the resolver code in glibc, and in particular on Openwall GNU/*/Linux (Owl), shares any of the newly discovered BIND 4 resolver library vulnerabilities. Analysis is in progress.

Another recent update is crypt_blowfish 0.4.5, available at:

/crypt/

For those who didn't know, this is an implementation of a modern password hashing algorithm, bcrypt, provided via the crypt(3) and a reentrant interface. bcrypt originates in OpenBSD, and now is also used on Owl and a few other Linux distributions.

This release corrects the x86-specific assembly code which was in fact not reentrant (a bug), adds a test for proper behavior with multiple threads (such that bugs like this don't get into a release again), and is more careful about zeroing out sensitive data. Of course, it is already in Owl-current (in fact, crypt_blowfish is maintained as a part of Owl).

--
/sd
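
The announcement mentions a reentrancy fix, a multi-thread test and more careful zeroing of sensitive data. As an added illustration (not crypt_blowfish's code or its actual test), the C example below shows the general pattern: all working state lives in a caller-supplied context that is wiped before returning, and a harness compares results from concurrent threads against a serial reference. `toy_hash_r`, `toy_ctx` and `run_thread_test` are hypothetical names, the keys are constructed, and the hash is a toy stand-in, not bcrypt.

```c
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { THREADS = 8, ROUNDS = 2000 };
/* Toy stand-in for a slow password hash (NOT bcrypt). All working state
 * lives in the caller's ctx, so concurrent calls cannot interfere. */
struct toy_ctx { uint32_t s[16]; };
struct job { char key[32]; uint32_t expect; int bad; pthread_t tid; };

static void wipe(void *p, size_t n) {
    volatile unsigned char *v = p;       /* volatile: stores are not elided */
    while (n--) *v++ = 0;
}

uint32_t toy_hash_r(const char *key, struct toy_ctx *ctx) {
    size_t len = strlen(key);            /* key must be non-empty */
    uint32_t h = 0x811c9dc5u;
    for (int i = 0; i < 16; i++)
        ctx->s[i] = (unsigned char)key[i % len] * 0x9e3779b1u + i;
    for (int r = 0; r < 64; r++)
        for (int i = 0; i < 16; i++) {
            ctx->s[i] ^= (ctx->s[(i + 1) & 15] << 5) + (ctx->s[(i + 7) & 15] >> 3) + r;
            h = (h ^ ctx->s[i]) * 16777619u;
        }
    wipe(ctx, sizeof *ctx);              /* leave no key-derived state behind */
    return h;
}

static void *worker(void *arg) {
    struct job *j = arg;
    struct toy_ctx ctx;                  /* per-thread state, on this stack */
    for (int i = 0; i < ROUNDS; i++)
        if (toy_hash_r(j->key, &ctx) != j->expect) j->bad++;
    return NULL;
}

int run_thread_test(void) {              /* mismatches vs. serial run, -1 on error */
    struct job jobs[THREADS] = {0};
    struct toy_ctx ctx;
    int started = 0, bad = 0;
    for (int i = 0; i < THREADS; i++) {  /* serial reference for constructed keys */
        snprintf(jobs[i].key, sizeof jobs[i].key, "constructed-pw-%d", i);
        jobs[i].expect = toy_hash_r(jobs[i].key, &ctx);
    }
    while (started < THREADS &&
           !pthread_create(&jobs[started].tid, NULL, worker, &jobs[started]))
        started++;
    for (int i = 0; i < started; i++) { pthread_join(jobs[i].tid, NULL); bad += jobs[i].bad; }
    return started == THREADS ? bad : -1;
}
```

Build with `-pthread`; a routine that kept its scratch state in static storage instead of `ctx` would be expected to show up here as a nonzero mismatch count.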