[ https://issues.apache.org/jira/browse/HAWQ-865?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15347575#comment-15347575 ]

ASF GitHub Bot commented on HAWQ-865:
-------------------------------------

Github user asfgit closed the pull request at:

    https://github.com/apache/incubator-hawq/pull/748


> Rebase upstream pgcrypto to a newer commit which includes a critical DES crypt() bug fix
> ----------------------------------------------------------------------------------------
>
>                 Key: HAWQ-865
>                 URL: https://issues.apache.org/jira/browse/HAWQ-865
>             Project: Apache HAWQ
>          Issue Type: Bug
>            Reporter: Paul Guo
>            Assignee: Lei Chang
>
> We'd rebase to the following commit.
> commit 932ded2ed51e8333852e370c7a6dad75d9f236f9
> Author: Tom Lane <t...@sss.pgh.pa.us>
> Date:   Wed May 30 10:53:30 2012 -0400
>     Fix incorrect password transformation in contrib/pgcrypto's DES crypt().
>
>     Overly tight coding caused the password transformation loop to stop
>     examining input once it had processed a byte equal to 0x80.  Thus, if the
>     given password string contained such a byte (which is possible though not
>     highly likely in UTF8, and perhaps also in other non-ASCII encodings), all
>     subsequent characters would not contribute to the hash, making the password
>     much weaker than it appears on the surface.
>
>     This would only affect cases where applications used DES crypt() to encode
>     passwords before storing them in the database.  If a weak password has been
>     created in this fashion, the hash will stop matching after this update has
>     been applied, so it will be easy to tell if any passwords were unexpectedly
>     weak.  Changing to a different password would be a good idea in such a case.
>     (Since DES has been considered inadequately secure for some time, changing
>     to a different encryption algorithm can also be recommended.)
>
>     This code, and the bug, are shared with at least PHP, FreeBSD, and OpenBSD.
>     Since the other projects have already published their fixes, there is no
>     point in trying to keep this commit private.
>
>     This bug has been assigned CVE-2012-2143, and credit for its discovery goes
>     to Rubin Xu and Joseph Bonneau.
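The loop behaviour the commit message describes, modelled as an added example constructed for this page (not pgcrypto's or HAWQ's own code): the buggy and fixed loop shapes side by side, plus a check that tells which stored passwords were affected. The exact statements are an assumption based on the description; the shift-left-by-one is how classic DES crypt() builds its 8-byte key.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed model (not pgcrypto's code) of the CVE-2012-2143 loop shape:
 * classic DES crypt() copies up to 8 password bytes into the key, shifting
 * each left one bit, and advances the input only while the byte it just
 * stored is non-zero. 0x80 << 1 truncates to 0x00 in a uint8_t, so the
 * buggy loop treats it like the NUL terminator and ignores the rest. */
static void transform_buggy(const char *pw, uint8_t key[8])
{
    for (int i = 0; i < 8; i++) {
        key[i] = (uint8_t)((uint8_t)*pw << 1);
        if (key[i] != 0)          /* bug: tests the shifted byte */
            pw++;
    }
}

/* Fixed shape: advance while the original input byte is non-NUL. */
static void transform_fixed(const char *pw, uint8_t key[8])
{
    for (int i = 0; i < 8; i++) {
        key[i] = (uint8_t)((uint8_t)*pw << 1);
        if (*pw != '\0')          /* fix: tests the input byte */
            pw++;
    }
}

/* How many leading password bytes influence the key under the buggy loop:
 * everything from the first 0x80 byte onward (within the 8-byte window)
 * is lost. A result below strnlen(pw, 8) means the stored hash was weaker
 * than it looked and the password should be changed, as the commit advises. */
static int effective_key_bytes(const char *pw)
{
    for (int n = 0; n < 8; n++)
        if (pw[n] == '\0' || (uint8_t)pw[n] == 0x80)
            return n;
    return 8;
}

/* True when two passwords yield the same DES key under a given transform,
 * i.e. crypt() would produce the same hash for both. */
static bool same_key(void (*xf)(const char *, uint8_t *),
                     const char *a, const char *b)
{
    uint8_t ka[8], kb[8];
    xf(a, ka);
    xf(b, kb);
    return memcmp(ka, kb, 8) == 0;
}
```

Note the string "abc\x80def" must be written as "abc\x80" "def" in C, or the hex escape swallows the following letters.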



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)