aboutsummaryrefslogtreecommitdiffstats
path: root/doc
diff options
context:
space:
mode:
authorJack Lloyd <[email protected]>2017-03-28 14:36:19 -0400
committerJack Lloyd <[email protected]>2017-03-28 14:36:19 -0400
commit2539683af23a2e16b07ea7f9e5fd42d221f00eba (patch)
tree7ea1cacf47e2207b5ef2f1437fb20db9c2ffa74d /doc
parent5b0481cb93745c6b56d923698b164d2289559eb5 (diff)
Note that bcrypt bug was introduced in 1.11.0
Specifically 9644a3ecebb15. So 1.10 was not affected, as it instead throws an exception for passwords longer than 56 chars, which is incompatible with other bcrypt APIs but does not introduce any security problems. [ci skip]
Diffstat (limited to 'doc')
-rw-r--r--doc/security.rst6
1 files changed, 4 insertions, 2 deletions
diff --git a/doc/security.rst b/doc/security.rst
index e6467f675..9ed29ef03 100644
--- a/doc/security.rst
+++ b/doc/security.rst
@@ -23,8 +23,10 @@ https://keybase.io/jacklloyd and on most PGP keyservers.
Botan's implementation of bcrypt password hashing scheme truncated long
passwords at 56 characters, instead of at bcrypt's standard 72 characters
limit. Passwords with lengths between these two bounds could be cracked more
- easily than should be the case due to the final password bytes being
- ignored. Found and reported by Solar Designer.
+ easily than should be the case due to the final password bytes being ignored.
+ Found and reported by Solar Designer.
+
+ Bug introduced in 1.11.0, fixed in 2.1.0.
2016
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^