Newsgroups: php.internals
Date: Tue, 23 Aug 2011 12:52:10 +0200
To: Solar Designer
Cc: Pierre Joye, Ferenc Kovacs, PHP Internals List
Subject: Re: [PHP-DEV] CRYPT_SHA256 fails tests in trunk
From: hannes.magnusson@gmail.com (Hannes Magnusson)

On Tue, Aug 23, 2011 at 12:30, Solar Designer wrote:
> On Tue, Aug 23, 2011 at 11:31:02AM +0200, Hannes Magnusson wrote:
>> Added to http://php.net/security/crypt, and added a link from the
>> release announcement and changelog.
>> (should show up in an hour or two).
>
> Thanks.  I suggest the following three changes:
>
> 1. Change the title from "crypt() security fix details" to
> "CRYPT_BLOWFISH security fix details" to avoid confusion with the
> CRYPT_MD5 problem inadvertently introduced in 5.3.7.

done

> 2. Remove this paragraph:
>
> BTW, PHP 5.3.7+ has been updated to crypt_blowfish 1.2, not the
> intermediate 1.1 release referenced in the previous comment. The
> differences between 1.1 and 1.2 include introduction of the
> countermeasure for $2a$ mentioned above and the $2y$ prefix.
>
> which made sense in the bug comments (after a preceding comment), but is
> unneeded here.

done

>
> 3. Maybe the URL should be .../crypt_blowfish rather than .../crypt,
> since there will definitely be more fixes/changes to PHP's crypt(), some
> of which might need their own release notes.  It might be too late to
> make this change, though.

done. Added a fallback from /security/crypt to /security/crypt_blowfish
for the time being.

-Hannes