openSUSE-SU-2011:0921-1: moderate: crypt_blowfish

18 Aug 2011

      openSUSE Security Update: crypt_blowfish
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2011:0921-1
Rating:             moderate
References:         #700876 
Cross-References:   CVE-2011-2483
Affected Products:
                    openSUSE 11.4
                    openSUSE 11.3
______________________________________________________________________________

   An update that fixes one vulnerability is now available. It
   includes one version update.

Description:

   The implementation of the blowfish based password hashing
   method had a bug affecting passwords that contain 8bit
   characters (e.g. umlauts).  Affected passwords are
   potentially faster to crack via brute force methods
   (CVE-2011-2483).

   SUSE's crypt() implementation supports the blowfish
   password hashing function (id $2a) and system logins by
   default also use this method. This update eliminates the
   bug in the $2a implementation. After installing the update
   existing $2a hashes therefore no longer match hashes
   generated with the new, correct implementation if the
   password contains 8bit characters. For system logins via
   PAM the pam_unix2 module activates a compat mode and keeps
   processing existing $2a hashes with the old algorithm. This
   ensures no user gets locked out. New passwords hashes are
   created with the id "$2y" to unambiguously identify them as
   generated with the correct implementation.

   Note: To actually migrate hashes to the new algorithm all
   users are advised to change passwords after the update.

   Services that do not use PAM but do use crypt() to store
   passwords using the blowfish hash do not have such a compat
   mode. That means users with 8bit passwords that use such
   services will not be able to log in anymore after the
   update. As workaround administrators may edit the service's
   password database and change stored hashes from $2a to $2x.
   This will result in crypt() using the old algorithm. Users
   should be required to change their passwords to make sure
   they are migrated to the correct algorithm.

   FAQ:

   Q: I only use ASCII characters in passwords, am I a
   affected in any way? A: No.

   Q: What's the meaning of the ids before and after the
   update? A: Before the update: $2a -> buggy algorithm

   After the update: $2x -> buggy algorithm $2a -> correct
   algorithm $2y -> correct algorithm

   System logins using PAM have a compat mode enabled by
   default: $2x -> buggy algorithm $2a -> buggy algorithm $2y
   -> correct algorithm

   Q: How do I require users to change their password on next
   login? A: Run the following command as root for each user:
   chage -d 0 <username>

   Q: I run an application that has $2a hashes in it's
   password database. Some users complain that they can not
   log in anymore. A: Edit the password database and change
   the "$2a" prefix of the affected users' hashes to "$2x".
   They will be able to log in again but should change their
   password ASAP.

   Q: How do I turn off the compat mode for system logins? A:
   Set BLOWFISH_2a2x=no in /etc/default/passwd

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 11.4:

      zypper in -t patch glibc-4943

   - openSUSE 11.3:

      zypper in -t patch glibc-4943

   To bring your system up-to-date, use "zypper patch".

Package List:

   - openSUSE 11.4 (i586 i686 x86_64):

      glibc-2.11.3-12.17.1
      glibc-devel-2.11.3-12.17.1

   - openSUSE 11.4 (i586 x86_64):

      glibc-html-2.11.3-12.17.1
      glibc-i18ndata-2.11.3-12.17.1
      glibc-info-2.11.3-12.17.1
      glibc-locale-2.11.3-12.17.1
      glibc-obsolete-2.11.3-12.17.1
      glibc-profile-2.11.3-12.17.1
      libxcrypt-3.0.3-9.10.1
      libxcrypt-devel-3.0.3-9.10.1
      nscd-2.11.3-12.17.1
      pam-modules-11.4-3.4.1
      pwdutils-3.2.14-4.5.1
      pwdutils-plugin-audit-3.2.14-4.5.1
      pwdutils-rpasswd-3.2.14-4.5.1

   - openSUSE 11.4 (x86_64):

      glibc-32bit-2.11.3-12.17.1
      glibc-devel-32bit-2.11.3-12.17.1
      glibc-locale-32bit-2.11.3-12.17.1
      glibc-profile-32bit-2.11.3-12.17.1
      libxcrypt-32bit-3.0.3-9.10.1
      pam-modules-32bit-11.4-3.4.1
      pwdutils-rpasswd-32bit-3.2.14-4.5.1

   - openSUSE 11.3 (i586 i686 x86_64):

      glibc-2.11.2-3.5.1
      glibc-devel-2.11.2-3.5.1

   - openSUSE 11.3 (i586 x86_64) [New Version: 11.3]:

      glibc-html-2.11.2-3.5.1
      glibc-i18ndata-2.11.2-3.5.1
      glibc-info-2.11.2-3.5.1
      glibc-locale-2.11.2-3.5.1
      glibc-obsolete-2.11.2-3.5.1
      glibc-profile-2.11.2-3.5.1
      libxcrypt-3.0.3-5.3.1
      libxcrypt-devel-3.0.3-5.3.1
      nscd-2.11.2-3.5.1
      pam-modules-11.3-0.3.1
      pwdutils-3.2.10-2.3.1
      pwdutils-plugin-audit-3.2.10-2.3.1
      pwdutils-rpasswd-3.2.10-2.3.1

   - openSUSE 11.3 (x86_64) [New Version: 11.3]:

      glibc-32bit-2.11.2-3.5.1
      glibc-devel-32bit-2.11.2-3.5.1
      glibc-locale-32bit-2.11.2-3.5.1
      glibc-profile-32bit-2.11.2-3.5.1
      libxcrypt-32bit-3.0.3-5.3.1
      pam-modules-32bit-11.3-0.3.1
      pwdutils-rpasswd-32bit-3.2.10-2.3.1

References:

   http://support.novell.com/security/cve/CVE-2011-2483.html
   https://bugzilla.novell.com/700876

openSUSE-SU-2011:0921-1: moderate: crypt_blowfish

opensuse-security＠opensuse.org