Merge ~alexmurray/ubuntu-cve-tracker:add-yescrypt-to-dump-features into ubuntu-cve-tracker:master

Proposed by Alex Murray
Status: Merged
Merged at revision: 1a7a142f249881e51d6f506e9e9bca0b06954fbf
Proposed branch: ~alexmurray/ubuntu-cve-tracker:add-yescrypt-to-dump-features
Merge into: ubuntu-cve-tracker:master
Diff against target: 21 lines (+2/-1)
1 file modified
scripts/dump-features (+2/-1)
Reviewer Review Type Date Requested Status
Steve Beattie Approve
Dimitri John Ledkov Pending
Review via email: mp+454766@code.launchpad.net

Description of the change

Steve Beattie (sbeattie) wrote :

LGTM. I also updated test-glibc-security to check for yescrypt; there's a couple of issues that I need to sort out there before it can be enabled in lpci.

review: Approve
Alex Murray (alexmurray) wrote :

Thanks Steve! I'll wait a day or two to see if we want to bike-shed the proposed text, then will merge if no complaints.

Preview Diff

1diff --git a/scripts/dump-features b/scripts/dump-features
2index 9f12fb5..30ca715 100755
3--- a/scripts/dump-features
4+++ b/scripts/dump-features
5@@ -57,7 +57,7 @@ Testing for this can be done with `netstat -an --inet | grep LISTEN | grep -v 12
6 { 'name':'hashing', 'short':'Password hashing',
7 'depth': 1,
8 'desc':
9-'''The system password used for logging into Ubuntu is stored in /etc/shadow. Very old style password hashes were based on DES and visible in /etc/passwd. Modern Linux has long since moved to /etc/shadow, and for some time now has used salted MD5-based hashes for password verification (crypt id 1). Since MD5 is considered "broken" for some uses and as computational power available to perform brute-forcing of MD5 increases, Ubuntu 8.10 and later proactively moved to using salted SHA-512 based password hashes (crypt id 6), which are orders of magnitude more difficult to brute-force. See the [[Manpage:crypt|crypt]] manpage for additional details.
10+'''The system password used for logging into Ubuntu is stored in /etc/shadow. Very old style password hashes were based on DES and visible in /etc/passwd. Modern Linux has long since moved to /etc/shadow, and for some time now has used salted MD5-based hashes for password verification (crypt id 1). Since MD5 is considered "broken" for some uses and as computational power available to perform brute-forcing of MD5 increases, Ubuntu 8.10 and later proactively moved to using salted SHA-512 based password hashes (crypt id 6), which are orders of magnitude more difficult to brute-force. Ubuntu 22.04 LTS and later then moved to yescrypt to provide increased protection against offline password cracking. See the [[Manpage:crypt|crypt]] manpage for additional details.
11
12 See [[https://git.launchpad.net/qa-regression-testing/tree/scripts/test-glibc-security.py|test-glibc-security.py]] for regression tests.
13 ''' },
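
Review bot: The added yescrypt sentence in the 'desc' text gives no crypt id, while the same paragraph gives one for MD5 (crypt id 1) and for SHA-512 (crypt id 6). Add the yescrypt id in the same parenthetical form so a reader can match the description against the hash prefix they see in /etc/shadow. The ports entry visible in the hunk header also documents how to test the feature on a running system; a similar one-line check for the hashing default would make this entry verifiable without reading the regression test.
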
14@@ -528,6 +528,7 @@ add_status('ports', 'dapper', 'policy', DEFAULT)
15
16 add_status('hashing', 'dapper', 'md5', DEFAULT)
17 add_status('hashing', 'intrepid', 'sha512', DEFAULT)
18+add_status('hashing', 'jammy', 'yescrypt', DEFAULT)
19
20 add_status('syn-cookies', 'warty', 'kernel', AVAILABLE)
21 add_status('syn-cookies', 'jaunty', 'kernel & sysctl', DEFAULT)
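
Review bot: The new add_status('hashing', 'jammy', 'yescrypt', DEFAULT) row records only the release where yescrypt became the default. The syn-cookies rows just below distinguish AVAILABLE (warty) from DEFAULT (jaunty); if yescrypt could be selected in a release before jammy, add a matching AVAILABLE row so the table does not imply it was absent until then. It is also worth confirming that 'jammy' is the codename for the "Ubuntu 22.04 LTS" named in the description, since the two are edited in separate places and nothing in the script ties them together.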
