[Bug 426513] Re: openssl enc documentation incorrect
It is set to be "-salt" by default. The documentation (enc manpage) says that it is set to be "-nosalt" by default. I am saying that either the documentation or the default option should be changed.

--
openssl enc documentation incorrect
https://bugs.launchpad.net/bugs/426513
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 426513] [NEW] openssl enc documentation incorrect
Public bug reported:

Binary package hint: openssl

1) This affects openssl in Ubuntu 9.04.

2) This affects openssl 0.9.8g-15ubuntu3.

3) The OpenSSL enc(1) man page has this to say about key derivation:

    -salt
        use a salt in the key derivation routines. This option should ALWAYS be used unless compatibility with previous versions of OpenSSL or SSLeay is required. This option is only present on OpenSSL versions 0.9.5 or above.

    -nosalt
        don't use a salt in the key derivation routines. This is the default for compatibility with previous versions of OpenSSL and SSLeay.

I expect that when I enter:

    $ openssl enc -aes-128-cbc -k foo -P

That openssl will return an unsalted key and initialization vector.

4) What I get instead is:

    salt=<8 byte salt>
    key=<16 byte key>
    iv =<16 byte iv>

The salt, key, and iv are different each time because openssl is using a salt. If I execute 'openssl enc -aes-128-cbc -nosalt -k foo -P' I get the same key and initialization vector each time, with no salt value in the output (which is what I expect even without using the '-nosalt' option).

** Affects: openssl (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: documentation manpage openssl

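An added illustration, not part of the bug report or of OpenSSL's own code: a Python re-implementation of the password-to-key derivation behind `openssl enc -aes-128-cbc -k foo -P`, showing why the unsalted output repeats and the salted output does not. It assumes the MD5 digest and single iteration that enc used by default in the 0.9.8 series; the function names are hypothetical.

```python
import hashlib
import os


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int = 16, iv_len: int = 16):
    """Derive (key, iv) in the style of EVP_BytesToKey with MD5 and count=1.

    D_1 = MD5(password || salt), D_i = MD5(D_{i-1} || password || salt).
    The key is the first key_len bytes of D_1 || D_2 || ..., the IV the next iv_len.
    """
    if salt and len(salt) != 8:
        raise ValueError("enc uses an 8-byte salt, or none with -nosalt")
    material = b""
    block = b""
    while len(material) < key_len + iv_len:
        block = hashlib.md5(block + password + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def derive_like_enc(password: bytes, use_salt: bool):
    """Return (salt, key, iv) for AES-128-CBC; the salt is random when use_salt is set."""
    salt = os.urandom(8) if use_salt else b""
    key, iv = evp_bytes_to_key(password, salt)
    return salt, key, iv


if __name__ == "__main__":
    # Constructed demo input: the password "foo" from the report, two runs per mode.
    for label, use_salt in (("-nosalt", False), ("-salt", True)):
        for _ in range(2):
            salt, key, iv = derive_like_enc(b"foo", use_salt)
            print(f"{label:8} salt={salt.hex().upper() or '-'} "
                  f"key={key.hex().upper()} iv={iv.hex().upper()}")
```

Without a salt the key and IV are a fixed function of the password alone, so every message encrypted under the same password shares them and precomputed password tables apply directly; the random salt removes both properties.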
[Bug 242690] Re: might allow to bypass authentication
Naive question about a bug that was closed a year ago...

Can a user do a similar thing with pam_pgsql when changing her password? For example the operator precedence in pam_sm_chauthtok() line 696 is:

    if ((rc = pam_get_pass(pamh, PAM_OLDAUTHTOK, &pass, PASSWORD_PROMPT, options->std_flags)) == PAM_SUCCESS) {

which is identical to the buggy operator precedence being performed in the old version of pam_sm_authenticate().

Is it possible for a malicious user to change a victim's password in this way if pam_pgsql is used and the victim walked away without locking their screen?

Reid

--
might allow to bypass authentication
https://bugs.launchpad.net/bugs/242690