On 06/25/2011 12:13 AM, Arpad Ray wrote:
Hi,
I've updated the patches again.
The most significant change is that the shutdown function registers
another shutdown function when it's called, to (almost) ensure that
it's always the last one, and therefore user shutdown functions should
always find

Hi!
On 6/26/11 4:31 PM, Pierre Joye wrote:
hi!
I did not read the report, do you have the details about the breakage?
It could be acceptable in 5.3.
The problem is that if the string has 8-bit chars in it, the hash
ignores certain characters, making the password much less secure and
generat

Hi!
On 6/26/11 4:36 PM, Johannes Schlüter wrote:
If the hash changes everybody who stored encrypted passwords or such
using the old format can't verify them anymore.
The change will be only for 8-bit data though.
My suggestion without looking really deep into these things: Change the
default

>> personally I find that weird, and unintuitive, but changing that in a major
>> or minor version could be changed if we chose to.
> I think it's a behaviour that could be changed in some step like from
> 5.3 to 5.4 or so. Personally I don't think it would influence existing
> implementations much

On Mon, 2011-06-27 at 01:31 +0200, Pierre Joye wrote:
> hi!
>
> I did not read the report, do you have the details about the breakage?
> It could be acceptable in 5.3.
If the hash changes everybody who stored encrypted passwords or such
using the old format can't verify them anymore.
My suggesti

hi!
I did not read the report, do you have the details about the breakage?
It could be acceptable in 5.3.
On Sun, Jun 26, 2011 at 11:37 PM, Stas Malyshev wrote:
> Hi!
>
> On 6/26/11 1:36 AM, Rasmus Lerdorf wrote:
>>
>> See http://seclists.org/oss-sec/2011/q2/632
>> We are using this code in etc/

Hi!
On 6/26/11 1:36 AM, Rasmus Lerdorf wrote:
See http://seclists.org/oss-sec/2011/q2/632
We are using this code in etc/standard/crypt_blowfish.c
I've committed the patch for 5.4/trunk, not sure what to do about 5.3
since there's some BC breakage in the fix for old hashes. See the ML
thread

Hi!
On 6/26/11 1:54 AM, Pierre Joye wrote:
As far as I remember Stas was working on that, Stas?
I wasn't yet doing anything as I was waiting for this matter to come to
official resolution (on the list there, it looks like Solar Designer has
not yet decided which road to take) and then have o

I'd like to support PHP Quality Assurance Team, especially in resolving (and
analyzing) security related issues. So far I've contributed to PHP many times
(consult it with CHANGELOGs (grep for shm or Mateusz Kocielski ;-)), I've also
written Minerva fuzzer in order to uncover bugs in the PHP int

As far as I remember Stas was working on that, Stas?
On Sun, Jun 26, 2011 at 10:36 AM, Rasmus Lerdorf wrote:
> See http://seclists.org/oss-sec/2011/q2/632
> We are using this code in etc/standard/crypt_blowfish.c
>
> End of the day here for me, so if someone could go through that and
> apply the

See http://seclists.org/oss-sec/2011/q2/632
We are using this code in etc/standard/crypt_blowfish.c
End of the day here for me, so if someone could go through that and
apply the patch plus figure out the BC issues with the $2x$ stuff
discussed here: http://seclists.org/oss-sec/2011/q2/636
I would

11 matches