Thijs Kinkhorst wrote:
> Hi Jonathan,
>> - it doesn't actually say what the '$2x$' salt prefix means, or where
>> one should put it (keeping in mind that some sysadmins may not be
>> PHP developers).
>
> We can extend this part a bit further, yes.
Thanks, Thijs. The patch looks good to me.
Hi Jonathan,
> From today's upgrade:
>
> * Updated blowfish crypt() algorithm fixes the 8-bit character handling
> vulnerability (CVE-2011-2483) and adds more self-tests. Unfortunately
> this change is incompatible with some old (wrong) generated hashes for
> passwords containing 8-bit
Jonathan Nieder wrote:
> I'd suggest stealing as much text as sensible from
> http://seclists.org/oss-sec/2011/q2/632 and going from there. E.g.
Ah, here's a better announcement to steal text from:
http://www.openwall.com/lists/announce/2011/06/21/1
Thanks for your work, and hope that helps.
Package: php5
Version: 5.3.6-13
Severity: minor
Hi,
From today's upgrade:
* Updated blowfish crypt() algorithm fixes the 8-bit character handling
vulnerability (CVE-2011-2483) and adds more self-tests. Unfortunately
this change is incompatible with some old (wrong) generated hashes f