Hi Jonathan,

> From today's upgrade:
>
> * Updated blowfish crypt() algorithm fixes the 8-bit character handling
> vulnerability (CVE-2011-2483) and adds more self-tests. Unfortunately
> this change is incompatible with some old (wrong) generated hashes for
> passwords containing 8-bit characters. Therefore the new salt prefix
> '$2x$' was introduced which can be used as a replacement for '$2a$'
> salt prefix in the password database in case the incompatibility is
> found.
>
> Some minor nitpicks:
>
> - the asterisk is not needed :)
Sure, but removing it is also not needed :)

> - the above seems to take for granted that the reader already knows
> about CVE-2011-2483. When discussing the resulting incompatibility,
> it would be friendlier to explain what prompted it.

I disagree. NEWS items should stick to their core business, and that is informing users of important changes that affect their running system. We provide the reference so one can easily Google it if you want to know more background, but the back story of why this was done is really not all that important. I'd like to keep these entries as brief and straightforward as possible, and not expand into background information.

> - it doesn't actually say what the '$2x$' salt prefix means, or where
> one should put it (keeping in mind that some sysadmins may not be
> PHP developers).

We can extend this part a bit further, yes. It's a pity though that it's already a bit late for that for most upgraders, but I'll change it nonetheless.

Thanks for your suggestions.

Thijs