Slashdot Mirror


13-Year-Old Password Security Bug Fixed

arglebargle_xiv writes "In a sign that many eyes don't really make (security) bugs shallow, a thirteen-year-old password-hashing bug that affects (at least) PHP, some Linux distros (Owl, ALT Linux, SUSE), and a variety of other apps has just been patched. This problem had been present in widely-used code since 1998 without anyone noticing it." Better late than never; reader Trailrunner7 points to this article outlining the dangers of old exploits, given old code for them to toy with.

5 of 130 comments

  1. At least it was fixed by mangu · Score: 3, Interesting

    How many bugs are there in commercial software that we don't know?

    What we do know is that there are many exploits for commercial software. The vendors claim that such exploits only exist because that software is more popular, but this does not explain why Apache doesn't have four times more exploits than IIS.

    1. Re:At least it was fixed by Anonymous Coward · Score: 1, Interesting

      Does it matter? Being open source is NOT what makes something secure. Following proper coding practices and being properly configured make a program secure. Open source *may* help a project follow better coding practices... or it may hinder a project by having too many chefs in the kitchen... hard to know.

      But I do know that I'm not going to run some software merely because it is open source. I am going to run it because it has demonstrated security in the past.

      In other words, I go with what has been proven more secure, based upon vulnerability disclosures and compromises, not based upon misplaced trust in strangers auditing open source code for me.

    2. Re:At least it was fixed by Requiem18th · Score: 3, Interesting

      In all fairness, software is only as secure as the culture behind it. Everybody using PHP knew of this bug for ages, just, nobody gave a damn. Except those who didn't know that also didn't give a damn.

      PHP has never been crazy about security, what else do you expect from a runtime that once let you insert arbitrary variables into the script namespace?

      The few people using PHP who care about security that much are using DIY password management anyway.

      --
      But... the future refused to change.
  2. Not unprecedented by slimjim8094 · Score: 2, Interesting

    http://www.osnews.com/story/19731/The-25-Year-Old-UNIX-Bug

    These kinds of stories make me nervous, because I always assume that crackers know about these and are using them secretly.

    Though this is obviously not an OSS issue. Were this Windows, it might not have been found at all.

    --
    I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
  3. Umm, It's not an official fix by sdguero · Score: 4, Interesting

    It appears that whoever wrote the summary didn't read the links they provided:

    "I am going to provide an official fix for crypt_blowfish (likely the one-liner plus added tests). I thought I'd bring the issue up on oss-security sooner rather than later."

    So, the bug appears to have been found today and the developer has a one-liner solution but hasn't released a patch. I think the summary did a piss poor job talking about what is affected by the problem too... specifically crypt_blowfish, which I know my company uses for a few things. It is interesting to know that this hash is now far weaker than originally thought until it gets patched (which will prolly take a long time to make it into major distros).

    Anyway, I'm done bitching, definitely a story worthy of /. I just think the summary was trying to tie in too much (old bugs blah blah) and misrepresented the impact and fix.