Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
  2005-04-21  Stephen Frost (sfrost snowman net)

Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
  2005-04-21  Tino Wildenhain (tino wildenhain de)
  On Wednesday, 20.04.2005, 16:23 -0500, Jim C. Nasby wrote: > On Wed, Apr 20, 2005 at 05:03:18PM -0400, Tom Lane wrote: ... > Simply put, MD5 is no longer strong enough for protecting secrets. It's > just too easy to brute-force. SHA1 is ok for now, but its days are > numbered as well. I think i

Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
  2005-04-21  Joshua D. Drake (jd commandprompt com)
  > Simply put, MD5 is no longer strong enough for protecting secrets. It's > just too easy to brute-force. SHA1 is ok for now, but its days are > numbered as well. I think it would be good to alter SHA1 (or something > stronger) as an alternative to MD5, and I see no reason not to use a > random sal

[SECURITY] [DSA 701-2] New samba packages fix correct sporadic crash
  2005-04-21  joey infodrom org (Martin Schulze)

Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
  2005-04-21  Josh Berkus (josh agliodbs com)
  David, Stephen, > I noted that this was a problem back in August, 2002: > > http://archives.postgresql.org/pgsql-admin/2002-08/msg00253.php > > Then, as now, the developers weren't very concerned. Well, from our perspective, a random salt only protects against a very narrow range of attack types

MDKSA-2005:074 - Updated gnome-vfs2 packages fix vulnerability
  2005-04-21  Mandriva Security Team (security mandriva com)

MDKSA-2005:076 - Updated xli packages fix multiple vulnerabilities
  2005-04-21  Mandriva Security Team (security mandriva com)

[SECURITY] [DSA 713-1] New junkbuster packages fix several vulnerabilities
  2005-04-21  joey infodrom org (Martin Schulze)

[PLSN-0004] - Buffer overflow in PostgreSQL
  2005-04-21  Peachtree Linux Security Team (security peachtree burdell org)
  ------------------------------------------------------------------------
  Peachtree Linux Security Notice PLSN-0004  April 20, 2005
  Buffer overflow in PL/PGSQL parser allowing database users to run arbitrary code as pgsql user
  CAN-2005-0245, CAN-2005-0247
  ------------------------------------------

[PLSN-0002] - Multiple vulnerabilities in Gaim
  2005-04-21  Peachtree Linux Security Team (security peachtree burdell org)
  ------------------------------------------------------------------------
  Peachtree Linux Security Notice PLSN-0002  April 20, 2005
  Multiple remote vulnerabilities in Gaim
  CAN-2005-0965, CAN-2005-0966, CAN-2005-0967, CAN-2005-0208, CAN-2005-0473, CAN-2005-0472
  -------------------------------------

Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
  2005-04-20  Tom Lane (tgl sss pgh pa us)
  Bruce Momjian <pgman (at) candle.pha.pa (dot) us> writes: > That's what I told him. I think his concern about pre-computed hashes > is the only real issue, and given 'postgres' is usually the super-user, I > can see someone pre-computing md5 postgres hashes and doing quick > comparisons, perhaps as a root kit

Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
  2005-04-20  Tom Lane (tgl sss pgh pa us)
  "Jim C. Nasby" <decibel (at) decibel (dot) org> writes: > Simply put, MD5 is no longer strong enough for protecting secrets. It's > just too easy to brute-force. SHA1 is ok for now, but its days are > numbered as well. I think it would be good to alter SHA1 (or something > stronger) as an alternative to MD5,

Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
  2005-04-20  Jim C. Nasby (decibel decibel org)
  On Wed, Apr 20, 2005 at 06:03:18PM -0400, Tom Lane wrote: > Well, I have no particular problem with offering SHA1 as an alternative > hash method for those who find MD5 too weak ... but I still question the > value of putting any random salt in the table. AFAICS you would have to > send that salt a

Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
  2005-04-20  Bruce Momjian (pgman candle pha pa us)
  Tom Lane wrote: > "Jim C. Nasby" <decibel (at) decibel (dot) org> writes: > > Simply put, MD5 is no longer strong enough for protecting secrets. It's > > just too easy to brute-force. SHA1 is ok for now, but its days are > > numbered as well. I think it would be good to alter SHA1 (or something > > stronger)

Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
  2005-04-20  Tom Lane (tgl sss pgh pa us)
  Stephen Frost <sfrost (at) snowman (dot) net> writes: > The md5 hash which is generated for and stored in pg_shadow does not > use a random salt but instead uses the username which can generally be > determined ahead of time (especially for the 'postgres' superuser > account). So? The fact that we en

Re: [HACKERS] Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
  2005-04-20  Jim C. Nasby (decibel decibel org)
  On Wed, Apr 20, 2005 at 05:03:18PM -0400, Tom Lane wrote: > > This would allow for the pregeneration of the entire md5 > > keyspace using that 'salt' and then quick breakage of the hash once > > it's retrieved by the attacker. > > Considering the size of the possible keyspace, this is pretty

Linux vsyscalls may be used as attack vectors
  2005-04-20  Clad Strife (thadeum gmail com)
  I send (again!) this e-mail including in attachment an advisory explaining how vsyscalls may be used as powerful attack vectors on Linux 2.6.x kernels. I received many mailer daemon replies for delivery failures in multiple boxes with my last e-mail. I hope this one will be okay. Please, confirm.

cpio directory traversal vulnerability
  2005-04-20  Imran Ghory (imranghory gmail com)
  ================================
  cpio directory traversal vulnerability
  ================================
  Software: cpio
  Version: cpio 2.6
  Software URL: <http://www.gnu.org/software/cpio/>
  Platform: Unix, Linux.
  Vulnerability type: Input validation
  Severity: Medium, local vuln, Can result in privil

Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
  2005-04-20  David F. Skoll (dfs roaringpenguin com)
  Stephen Frost wrote: > The md5 hash which is generated for and stored in pg_shadow does not > use a random salt but instead uses the username which can generally be > determined ahead of time (especially for the 'postgres' superuser > account). I noted that this was a problem back in Augus

Re: Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
  2005-04-20  Stephen Frost (sfrost snowman net)
  * David F. Skoll (dfs (at) roaringpenguin (dot) com) wrote: > Stephen Frost wrote: > > The md5 hash which is generated for and stored in pg_shadow does not > > use a random salt but instead uses the username which can generally be > > determined ahead of time (especially for the 'postgres' superuser > >

PMsoftware mini http server remote stack overflow exploit (IHSTeam)
  2005-04-20  c0d3r ihsteam com
  /* PMsoftware mini http server remote stack overflow exploit  author : c0d3r "kaveh razavi"  c0d3rz_team (at) yahoo (dot) com  c0d3r (at) ihsteam (dot) com  package : PMsoftware Web Server version 1.0  advisory : http://www.securiteam.com/windowsntfocus/5TP0B2KFGA.html .......... see the attachment

Re: Vulnerability in Coppermine Photo Gallery 1.3.*
  2005-04-21  nibbler999 users sf net
  In-Reply-To: <20050418122434.10438.qmail (at) www.securityfocus (dot) com> This issue has been addressed in Coppermine 1.3.3. The release announcement can be found here - http://coppermine.sourceforge.net/board/index.php?topic=17134.0 Thank you for bringing this to our attention. Nibbler, Coppermine Dev Team.

gzip directory traversal vulnerability
  2005-04-20  Imran Ghory (imranghory gmail com)
  ================================
  gzip directory traversal vulnerability
  ================================
  Software: gzip
  Version: 1.2.4, 1.3.3
  Software URL: <http://www.gzip.org>
  Platform: Unix, Linux.
  Vulnerability type: Input validation
  Severity: Medium, local vuln, requires user using gunzip -N

Postgres: pg_hba.conf, md5, pg_shadow, encrypted passwords
  2005-04-20  Stephen Frost (sfrost snowman net)
  Greetings, There appears to be some deficiencies in both the documentation of the 'md5' authentication methodology (in pg_hba.conf) and in the md5 hash generation which is stored in pg_shadow. The md5 hash which is generated for and stored in pg_shadow does not use a random salt but instea

Shoutbox SCRIPT <= 3.0.2 Administrative MD5 Username and Password Retrieval [x0n3-h4ck]
  2005-04-19  CorryL (corryl sitoverde com)

Ecommerce-Carts SQL injection vulnerability ( IHSTeam )
  2005-04-19  c0d3r ihsteam com
  ********************************************
  IHS Iran Hackers Sabotage Public advisory by : c0d3r "Kaveh Razavi"  c0d3r (at) ihsteam (dot) com
  ********************************************
  advisory url : http://www.ihssecurity.com/cms/modules/mydownlo

Secure Science Corporation Application Software Advisory 055
  2005-04-20  SSC Advisory Notice (bugtraq securescience net)