DragonFly BSD
DragonFly users List (threaded) for 2012-05

HEADS UP: fix for password truncation when using crypt(3) with DES


From: Aggelos Economopoulos <aoiko@xxxxxxxxxxxxxx>
Date: Wed, 30 May 2012 16:07:28 +0200

The patch just committed to master (258ad0e) fixes CVE-2012-2143. This 
bug manifests for UTF-8 encoded passwords that contain a 0x80 byte (for
instance, the "À" character). This fix restores proper behavior, which
means that authentication will break for such passwords. To our 
knowledge, nothing in base uses DES for authentication purposes. 
Passwords impacted by this change are likely to be weak because of the 
truncation and should be reset.

Please see the CVE text for more information.

Aggelos
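
The following C sketch is an added illustration, not part of the original post and not DragonFly's code. It models the key-setup step where the truncation arises, based on the public description of CVE-2012-2143, and compares it with a corrected form. The function names and sample passwords are constructed, and it assumes traditional DES crypt, which uses only the first 8 password bytes.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of DES crypt(3) key setup: each of the first 8 password
 * bytes is shifted left one bit, with zero padding for short passwords.
 * Hypothetical function names; this is not the DragonFly source. */

/* Pre-fix model: end of input is detected by testing the SHIFTED byte.
 * 0x80 << 1 is 0x00 in 8 bits, so a 0x80 byte looks like the NUL
 * terminator and every later byte is replaced by zero padding. */
static void pack_key_truncating(const char *pw, unsigned char out[8])
{
    for (int i = 0; i < 8; i++) {
        out[i] = (unsigned char)((unsigned char)*pw << 1);
        if (out[i] != 0)
            pw++;
    }
}

/* Fixed model: test the ORIGINAL byte, so only a real NUL ends the input. */
static void pack_key_fixed(const char *pw, unsigned char out[8])
{
    for (int i = 0; i < 8; i++) {
        out[i] = (unsigned char)((unsigned char)*pw << 1);
        if (*pw != '\0')
            pw++;
    }
}

typedef void (*pack_fn)(const char *, unsigned char[8]);

/* Returns 1 when two passwords yield the same DES key under `pack`. */
static int same_key(pack_fn pack, const char *a, const char *b)
{
    unsigned char ka[8], kb[8];
    pack(a, ka);
    pack(b, kb);
    return memcmp(ka, kb, 8) == 0;
}

int main(void)
{
    /* Constructed samples; "\xc3\x80" is the UTF-8 encoding of U+00C0. */
    const char *full = "ab\xc3\x80" "xyz", *other = "ab\xc3\x80" "qrs";
    printf("pre-fix same key: %d, fixed same key: %d\n",
           same_key(pack_key_truncating, full, other),
           same_key(pack_key_fixed, full, other));
    return 0;
}
```

Because the corrected packing produces a different key for the same password, hashes stored under the old behaviour no longer verify, which is why the affected passwords need to be reset.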



