On Wed, 2013-02-20 at 01:07 -0600, William A. Rowe Jr. wrote:
> On Wed, 20 Feb 2013 16:42:56 +1000
> Noel Butler <[email protected]> wrote:
>
> > On Tue, 2013-02-19 at 23:31 -0600, William A. Rowe Jr. wrote:
> > >
> > > Note he mentioned SHA512, not crypt(). I don't know that this makes
> > > a difference on that architecture.
> >
> > But isn't it just a hand off to system crypt() (modern crypt(), not
> > the ancient 8 char one), since httpd is limited in native options,
> > what it doesn't understand is passed to system crypt() to handle.
>
> Which remains my point... our current 2.4 and 2.2 candidates should
> suffer the same flaw.

If I get time later I'll put 2.2 on dev box (got a 2.2 config round here somewhere still) and try it for you, heading off to dinner now for a few hours.

It certainly appears related to passing to system crypt() though ...

If I regenerate my password using old md5crypt - $1$foobaretc it still fails, however, when I change to use the native apache md5 variant - $apr1$foobaretc auth succeeds.
