 doc/security.rst | 2 +-
 news.rst         | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/doc/security.rst b/doc/security.rst index 2a46ca3b2..e6467f675 100644 --- a/doc/security.rst +++ b/doc/security.rst @@ -18,7 +18,7 @@ https://keybase.io/jacklloyd and on most PGP keyservers. 2017 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -* 2017-03-23: Incorrect bcrypt computation +* 2017-03-23 (CVE-2016-7252): Incorrect bcrypt computation Botan's implementation of bcrypt password hashing scheme truncated long passwords at 56 characters, instead of at bcrypt's standard 72 characters @@ -4,6 +4,10 @@ Release Notes Version 2.1.0, Not Yet Released ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +* Fix incorrect truncation in Bcrypt. Passwords in length between 56 + and 72 characters were truncated at 56 characters. Found and + reported by Solar Designer. (CVE-2017-7252) + * Support a 0-length IV in ChaCha stream cipher. Such an IV is treated identically to an 8-byte IV of all zeros. |
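Review bot: the CVE identifier added in the doc/security.rst hunk does not match the one added in the news.rst hunk. The security page line becomes `* 2017-03-23 (CVE-2016-7252): Incorrect bcrypt computation`, while the release note for the same fix says `(CVE-2017-7252)`. Given the 2017-03-23 disclosure date, the 2016-prefixed identifier looks like a typo, but confirm against the assigned record and use the same identifier in both files; as written, the security page would send readers to the wrong CVE entry.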
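Review bot: in the news.rst hunk, "Passwords in length between 56 and 72 characters were truncated at 56 characters" reads awkwardly; "Passwords between 56 and 72 characters in length were truncated at 56 characters" says the same thing more naturally. It would also help users to state the practical consequence in the release note, as the security.rst entry does: hashes of such passwords computed with earlier releases were produced from the truncated input, so they differ from hashes that standard bcrypt implementations produce for the same password.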