[ https://issues.apache.org/jira/browse/HAWQ-865?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15347572#comment-15347572 ]
ASF GitHub Bot commented on HAWQ-865:
-------------------------------------

Github user yaoj2 commented on the issue:

    https://github.com/apache/incubator-hawq/pull/748

    LGTM


> Rebase upstream pgcrypto to a newer commit which includes a critical DES crypt() bug fix
> ----------------------------------------------------------------------------------------
>
>                 Key: HAWQ-865
>                 URL: https://issues.apache.org/jira/browse/HAWQ-865
>             Project: Apache HAWQ
>          Issue Type: Bug
>            Reporter: Paul Guo
>            Assignee: Lei Chang
>
> We'd rebase to the following commit.
>
> commit 932ded2ed51e8333852e370c7a6dad75d9f236f9
> Author: Tom Lane <t...@sss.pgh.pa.us>
> Date:   Wed May 30 10:53:30 2012 -0400
>
>     Fix incorrect password transformation in contrib/pgcrypto's DES crypt().
>
>     Overly tight coding caused the password transformation loop to stop
>     examining input once it had processed a byte equal to 0x80. Thus, if the
>     given password string contained such a byte (which is possible though not
>     highly likely in UTF8, and perhaps also in other non-ASCII encodings), all
>     subsequent characters would not contribute to the hash, making the password
>     much weaker than it appears on the surface.
>
>     This would only affect cases where applications used DES crypt() to encode
>     passwords before storing them in the database. If a weak password has been
>     created in this fashion, the hash will stop matching after this update has
>     been applied, so it will be easy to tell if any passwords were unexpectedly
>     weak. Changing to a different password would be a good idea in such a case.
>     (Since DES has been considered inadequately secure for some time, changing
>     to a different encryption algorithm can also be recommended.)
>
>     This code, and the bug, are shared with at least PHP, FreeBSD, and OpenBSD.
>     Since the other projects have already published their fixes, there is no
>     point in trying to keep this commit private.
>
>     This bug has been assigned CVE-2012-2143, and credit for its discovery goes
>     to Rubin Xu and Joseph Bonneau.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
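The 0x80 truncation that the quoted commit message describes, shown as an added example that is not part of this JIRA thread, of the HAWQ pull request, or of pgcrypto's own source: the 8-byte DES key-buffer loop in its vulnerable shape (a reconstruction modelled on the pre-fix pgcrypto/FreeBSD code) beside the fixed shape, with the DES rounds that follow in a real crypt() left out, since the key derivation is where the weakness lives. The function names, the `DES_KEYLEN` macro, the `same_key`/`key_changes_after_fix` helpers and the sample passwords are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DES_KEYLEN 8   /* DES crypt() uses one 8-byte key (this example's macro) */

/*
 * Vulnerable form, modelled on the pre-fix loop. Each password byte is
 * shifted left one bit (crypt() wants the 7 significant bits in the high
 * positions) and the *stored* byte doubles as the "more input?" test.
 * 0x80 << 1 is 0x100, which truncates to 0x00 in the uint8 buffer, so the
 * loop mistakes it for the NUL terminator: `key` stops advancing and every
 * later password byte never reaches the key buffer.
 */
void derive_key_buggy(const unsigned char *key, uint8_t keybuf[DES_KEYLEN])
{
    uint8_t *q = keybuf;

    while (q - keybuf - DES_KEYLEN)
    {
        if ((*q++ = (uint8_t)(*key << 1)))
            key++;
    }
}

/*
 * Fixed form: test the input byte, not the shifted output, for NUL, so only
 * a genuine end of string stops consumption of the password.
 */
void derive_key_fixed(const unsigned char *key, uint8_t keybuf[DES_KEYLEN])
{
    uint8_t *q = keybuf;

    while (q - keybuf < DES_KEYLEN)
    {
        *q++ = (uint8_t)(*key << 1);
        if (*key != '\0')
            key++;
    }
}

typedef void (*derive_fn)(const unsigned char *, uint8_t *);

/* 1 if two passwords collapse to the same DES key under `derive`, i.e.
 * crypt() would accept either one against the same stored hash. */
int same_key(derive_fn derive, const char *pw1, const char *pw2)
{
    uint8_t k1[DES_KEYLEN], k2[DES_KEYLEN];

    derive((const unsigned char *)pw1, k1);
    derive((const unsigned char *)pw2, k2);
    return memcmp(k1, k2, DES_KEYLEN) == 0;
}

/* 1 if the fix changes the key for this password: exactly the "hash will
 * stop matching after this update" condition from the commit message. */
int key_changes_after_fix(const char *pw)
{
    uint8_t before[DES_KEYLEN], after[DES_KEYLEN];

    derive_key_buggy((const unsigned char *)pw, before);
    derive_key_fixed((const unsigned char *)pw, after);
    return memcmp(before, after, DES_KEYLEN) != 0;
}

static void dump(const char *label, derive_fn derive, const char *pw)
{
    uint8_t k[DES_KEYLEN];

    derive((const unsigned char *)pw, k);
    printf("%-10s ->", label);
    for (int i = 0; i < DES_KEYLEN; i++)
        printf(" %02x", k[i]);
    putchar('\n');
}

int main(void)
{
    /* Constructed passwords: identical up to a 0x80 byte, different after it.
     * Adjacent literals keep "\x80" from swallowing the hex digits that follow. */
    const char *pw_a = "ab\x80" "cdef";
    const char *pw_b = "ab\x80" "WXYZ";

    dump("buggy pw_a", derive_key_buggy, pw_a);   /* c2 c4 00 00 00 00 00 00 */
    dump("buggy pw_b", derive_key_buggy, pw_b);   /* c2 c4 00 00 00 00 00 00 */
    dump("fixed pw_a", derive_key_fixed, pw_a);   /* c2 c4 00 c6 c8 ca cc 00 */
    dump("fixed pw_b", derive_key_fixed, pw_b);   /* c2 c4 00 ae b0 b2 b4 00 */

    printf("buggy: pw_a and pw_b share a key? %d\n", same_key(derive_key_buggy, pw_a, pw_b)); /* 1 */
    printf("fixed: pw_a and pw_b share a key? %d\n", same_key(derive_key_fixed, pw_a, pw_b)); /* 0 */
    printf("fix changes key for pw_a?    %d\n", key_changes_after_fix(pw_a));     /* 1 */
    printf("fix changes key for \"secret\"? %d\n", key_changes_after_fix("secret")); /* 0 */
    return 0;
}
```

Two things the run makes visible that the prose only states: under the buggy loop every byte after the 0x80 is discarded, so `pw_a` and `pw_b` verify against each other's hash, and pure-ASCII passwords derive the same key before and after the fix, which is why only the affected (weak) hashes stop matching. A 0x80 as the very last byte is harmless in both versions, since there is nothing after it to lose, and DES crypt()'s own 8-byte limit is unchanged: `"password1"` and `"password2"` share a key under the fixed loop too, one reason the commit also recommends moving off DES.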