author     Jack Lloyd <[email protected]>    2017-03-28 14:36:19 -0400
committer  Jack Lloyd <[email protected]>    2017-03-28 14:36:19 -0400
commit     2539683af23a2e16b07ea7f9e5fd42d221f00eba (patch)
tree       7ea1cacf47e2207b5ef2f1437fb20db9c2ffa74d
parent     5b0481cb93745c6b56d923698b164d2289559eb5 (diff)
Note that the bcrypt bug was introduced in 1.11.0
Specifically 9644a3ecebb15. So 1.10 was not affected, as it instead throws an exception for passwords longer than 56 chars, which is incompatible with other bcrypt APIs but does not introduce any security problems. [ci skip]
-rw-r--r--  doc/security.rst  6
1 file changed, 4 insertions, 2 deletions
diff --git a/doc/security.rst b/doc/security.rst
index e6467f675..9ed29ef03 100644
--- a/doc/security.rst
+++ b/doc/security.rst
@@ -23,8 +23,10 @@ https://keybase.io/jacklloyd and on most PGP keyservers.
Botan's implementation of bcrypt password hashing scheme truncated long
passwords at 56 characters, instead of at bcrypt's standard 72 characters
limit. Passwords with lengths between these two bounds could be cracked more
- easily than should be the case due to the final password bytes being
- ignored. Found and reported by Solar Designer.
+ easily than should be the case due to the final password bytes being ignored.
+ Found and reported by Solar Designer.
+
+ Bug introduced in 1.11.0, fixed in 2.1.0.
2016
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
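Review bot: the added line "Bug introduced in 1.11.0, fixed in 2.1.0." states the affected range but omits the point the commit message makes, that 1.10 is not affected because it throws an exception for passwords longer than 56 characters instead of silently truncating them; a reader on the 1.10 branch needs that stated in the advisory itself, and citing the introducing commit (9644a3ecebb15, per the commit message) lets them verify it. Suggest extending the line along the lines of "Bug introduced in 1.11.0 (commit 9644a3ecebb15), fixed in 2.1.0. Versions 1.10.x are not affected: they reject passwords longer than 56 characters with an exception rather than truncating them." While touching this paragraph, "bcrypt's standard 72 characters limit" should read "72-character limit"; the remaining changed lines only rewrap the existing sentence and carry no content change.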