| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 1 Feb 2010 12:55:34 +1100 (EST) From: Damien Miller <djm@...drot.org> To: bugtraq@...urityfocus.com Subject: Advisory: jBCrypt < 0.3 character encoding vulnerability -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 jBCrypt security advisory ========================= jBCrypt is a Java implementation of OpenBSD's Blowfish password hashing algorithm, as described in "A Future-Adaptable Password Scheme" by Niels Provos and David Mazieres (USENIX, 1999). Versions of jBCrypt before 0.3 suffered from a bug related to character encoding that substantially reduced the entropy of hashed passwords containing non US-ASCII characters. An incorrect encoding step transparently replaced such characters by '?' prior to hashing. In the worst case of a password consisting solely of non-US-ASCII characters, this would cause its hash to be equivalent to all other such passwords of the same length. jBCrypt-0.3, available from http://www.mindrot.org/projects/jBCrypt/ fixes this bug. Please note that passwords containing international characters that were hashed using a previous version of jBCrypt will not verify using jBCrypt-0.3. This may necessitate re-hashing of such passwords. This bug was responsibly disclosed by Aliaksandr Radzivanovich. Damien Miller <djm@...drot.org> February 1, 2010 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (OpenBSD) iD8DBQFLZjRjzo7LA4b/nEgRAlz9AJ9gBiRpX5UulfKIkaKthmG00dOxKgCdFYt6 pFhxXEcnqmWIeuo1ykT4nl4= =WKbk -----END PGP SIGNATURE-----
Powered by blists - more mailing lists