Your message dated Mon, 08 Sep 2008 07:52:21 +
with message-id [EMAIL PROTECTED]
and subject line Bug#489899: fixed in apache2 2.2.3-4+etch6
has caused the Debian Bug report #489899,
regarding apache2-utils htpasswd bogus compromised md5 factor
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [EMAIL PROTECTED]
immediately.)
--
489899: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=489899
Debian Bug Tracking System
Contact [EMAIL PROTECTED] with problems
---BeginMessage---
Package: apache2-utils
Version: 2.2.3-4+etch4
Severity: normal
Version 2.2.3-4+etch4 of apache2-utils contains an `htpasswd`
that does this:
[EMAIL PROTECTED]:~$ htpasswd -mbn foo bar
foo:$apr1$.C9HN...$VJYoF1cM6sqQkjgiltBWA1
[EMAIL PROTECTED]:~$ htpasswd -mbn foo bar
foo:$apr1$efQG5/..$nBF0.shj9dPcq9ES/5X4c1
[EMAIL PROTECTED]:~$ htpasswd -mbn foo bar
foo:$apr1$/lc/X...$9BYnNWXTOxIgtkwNbY5O4/
The 8-byte factor always ends in '...' or '/..'.
Does this restrict the hash space so it can be more easily cracked?
The new version in lenny (2.2.9-2) does not have this problem.
The 8-byte factor in $1 of / \$apr1\$ (.*?) \$ .* /mxs seems
totally random in newer versions.
Mark
-- System Information:
Debian Release: 4.0
APT prefers testing
APT policy: (990, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.23.17-linode43
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages apache2-utils depends on:
ii lib 1.2.7-8.2 The Apache Portable Runtime Librar
ii lib 1.2.7+dfsg-2 The Apache Portable Runtime Utilit
ii lib 2.7-10 GNU C Library: Shared libraries
ii lib 4.4.20-8 Berkeley v4.4 Database Libraries [
ii lib 1.95.8-3.4 XML parsing C library - runtime li
ii lib 2.1.30-13.3 OpenLDAP libraries
ii lib 6.7+7.4-4 Perl 5 Compatible Regular Expressi
ii lib 8.1.11-0etch1 PostgreSQL C client library
ii lib 3.3.8-1.1 SQLite 3 shared library
ii lib 0.9.8g-10.1 SSL shared libraries
ii lib 1.39+1.40-WIP-2006.11.14+dfsg-2etch1 universally unique id library
apache2-utils recommends no packages.
-- no debconf information
---End Message---
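An administrator who had generated password files with the affected etch package would want to find the entries that need regenerating. The following audit script is an added example, not part of the bug report or of apache2-utils: it parses `$apr1$` lines from an htpasswd file, flags salts that show the pattern Mark describes (8 characters ending in '...' or '/..'), and, under the assumption that only those two suffixes ever occur, computes how much salt entropy that leaves compared with a fully random 8-character salt. The three weak sample lines are the hashes from the report; the `alice` and `bob` lines are constructed.

```python
"""Audit an htpasswd file for apr1 (Apache MD5) entries whose salt shows the
reduced-entropy pattern reported against apache2-utils 2.2.3-4+etch4.
Added example; not code from the bug report or from apache2-utils."""
import math
import re

# user:$apr1$<salt up to 8 chars>$<22-char hash>, salt/hash alphabet is ./0-9A-Za-z
APR1_RE = re.compile(
    r'^(?P<user>[^:]+):\$apr1\$(?P<salt>[./0-9A-Za-z]{1,8})\$(?P<hash>[./0-9A-Za-z]{22})$'
)
WEAK_SUFFIXES = ('...', '/..')   # suffixes observed in the report
SALT_ALPHABET = 64               # size of the salt character set

# Constructed sample file: the three 'foo' lines are the hashes shown in the
# report; 'alice' is a constructed entry with a full-entropy salt; 'bob' is a
# non-apr1 entry that the audit should skip.
SAMPLE_HTPASSWD = """\
foo:$apr1$.C9HN...$VJYoF1cM6sqQkjgiltBWA1
foo:$apr1$efQG5/..$nBF0.shj9dPcq9ES/5X4c1
foo:$apr1$/lc/X...$9BYnNWXTOxIgtkwNbY5O4/
alice:$apr1$Q7kz9pWm$AAAAAAAAAAAAAAAAAAAAAA
bob:{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=
"""


def is_weak_salt(salt):
    """True when the salt matches the pattern reported for the etch htpasswd."""
    return len(salt) == 8 and salt.endswith(WEAK_SUFFIXES)


def audit(text):
    """Return a list of (user, salt, verdict) for every apr1 line in `text`.

    verdict is 'weak' for salts matching the reported pattern, else 'ok'.
    Lines that are not apr1 entries are ignored.
    """
    findings = []
    for line in text.splitlines():
        m = APR1_RE.match(line.strip())
        if not m:
            continue
        salt = m.group('salt')
        verdict = 'weak' if is_weak_salt(salt) else 'ok'
        findings.append((m.group('user'), salt, verdict))
    return findings


def salt_bits(random_chars, fixed_patterns=1):
    """Bits of salt entropy for `random_chars` free characters from the
    64-character alphabet, multiplied by the number of fixed suffix patterns.

    A full 8-character salt gives salt_bits(8) == 48.0.  Under the report's
    observation (5 free characters plus one of two suffixes) it is
    salt_bits(5, 2) == 31.0.  This is an assumption about the bug, not a
    measurement of the etch code.
    """
    return math.log2(fixed_patterns * SALT_ALPHABET ** random_chars)


if __name__ == '__main__':
    for user, salt, verdict in audit(SAMPLE_HTPASSWD):
        print(f'{user:8} salt={salt!r:12} {verdict}')
    print(f'full salt: {salt_bits(8):.0f} bits, '
          f'reported pattern: {salt_bits(5, 2):.0f} bits')
```

To run it against a real file, replace `SAMPLE_HTPASSWD` with the contents of the file and regenerate any entry reported as `weak` with a fixed htpasswd (the report notes that lenny's 2.2.9-2 produces fully random salts, and the closing message records the fix in 2.2.3-4+etch6). The entropy figure only quantifies the salt; it does not change the per-password work of the apr1 function itself.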
---BeginMessage---
Source: apache2
Source-Version: 2.2.3-4+etch6
We believe that the bug you reported is fixed in the latest version of
apache2, which is due to be installed in the Debian FTP archive:
apache2-doc_2.2.3-4+etch6_all.deb
to pool/main/a/apache2/apache2-doc_2.2.3-4+etch6_all.deb
apache2-mpm-event_2.2.3-4+etch6_i386.deb
to pool/main/a/apache2/apache2-mpm-event_2.2.3-4+etch6_i386.deb
apache2-mpm-perchild_2.2.3-4+etch6_all.deb
to pool/main/a/apache2/apache2-mpm-perchild_2.2.3-4+etch6_all.deb
apache2-mpm-prefork_2.2.3-4+etch6_i386.deb
to pool/main/a/apache2/apache2-mpm-prefork_2.2.3-4+etch6_i386.deb
apache2-mpm-worker_2.2.3-4+etch6_i386.deb
to pool/main/a/apache2/apache2-mpm-worker_2.2.3-4+etch6_i386.deb
apache2-prefork-dev_2.2.3-4+etch6_i386.deb
to pool/main/a/apache2/apache2-prefork-dev_2.2.3-4+etch6_i386.deb
apache2-src_2.2.3-4+etch6_all.deb
to pool/main/a/apache2/apache2-src_2.2.3-4+etch6_all.deb
apache2-threaded-dev_2.2.3-4+etch6_i386.deb
to pool/main/a/apache2/apache2-threaded-dev_2.2.3-4+etch6_i386.deb
apache2-utils_2.2.3-4+etch6_i386.deb
to pool/main/a/apache2/apache2-utils_2.2.3-4+etch6_i386.deb
apache2.2-common_2.2.3-4+etch6_i386.deb
to pool/main/a/apache2/apache2.2-common_2.2.3-4+etch6_i386.deb
apache2_2.2.3-4+etch6.diff.gz
to pool/main/a/apache2/apache2_2.2.3-4+etch6.diff.gz
apache2_2.2.3-4+etch6.dsc
to pool/main/a/apache2/apache2_2.2.3-4+etch6.dsc
apache2_2.2.3-4+etch6_all.deb
to pool/main/a/apache2/apache2_2.2.3-4+etch6_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Stefan Fritsch [EMAIL PROTECTED] (supplier of updated apache2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Format: 1.7
Date: Sat, 06 Sep 2008 11:35:16 +0200
Source: apache2
Binary: apache2-utils apache2-prefork-dev apache2