Newsgroups: php.internals
From: solar@openwall.com (Solar Designer)
Date: Tue, 23 Aug 2011 14:30:56 +0400
To: Hannes Magnusson
Cc: Pierre Joye, Ferenc Kovacs, PHP Internals List
Subject: Re: [PHP-DEV] CRYPT_SHA256 fails tests in trunk
Message-ID: <20110823103056.GA19160@openwall.com>
References: <20110719234406.GB28946@openwall.com> <20110822135210.GA14951@openwall.com> <20110822153557.GA15691@openwall.com>

On Tue, Aug 23, 2011 at 11:31:02AM +0200, Hannes Magnusson wrote:
> Added to http://php.net/security/crypt, and added a link from the
> release announcement and changelog.
> (should show up in an hour or two).
Thanks. I suggest the following three changes:

1. Change the title from "crypt() security fix details" to "CRYPT_BLOWFISH security fix details" to avoid confusion with the CRYPT_MD5 problem inadvertently introduced in 5.3.7.

2. Remove this paragraph:

    BTW, PHP 5.3.7+ has been updated to crypt_blowfish 1.2, not the
    intermediate 1.1 release referenced in the previous comment. The
    differences between 1.1 and 1.2 include introduction of the
    countermeasure for $2a$ mentioned above and the $2y$ prefix.

which made sense in the bug comments (after a preceding comment), but is unneeded here.

3. Maybe the URL should be .../crypt_blowfish rather than .../crypt, since there will definitely be more fixes/changes to PHP's crypt(), some of which might need their own release notes. It might be too late to make this change, though.

Alexander