On 20.02.2013 08:07, William A. Rowe Jr. wrote:
> On Wed, 20 Feb 2013 16:42:56 +1000
> Noel Butler <noel.but...@ausics.net> wrote:
> 
>> On Tue, 2013-02-19 at 23:31 -0600, William A. Rowe Jr. wrote:
>>
>>> Note he mentioned SHA512, not crypt().  I don't know that this makes
>>> a difference on that architecture.
>>
>> But isn't it just a hand-off to system crypt() (modern crypt(), not
>> the ancient 8-char one)? Since httpd is limited in native options,
>> what it doesn't understand is passed to system crypt() to handle.

Yes.

> Which remains my point... our current 2.4 and 2.2 candidates should
> suffer the same flaw.

Indeed, that's likely. Note that Noel uses SHA512, which is supported in
apr_password_validate(), but for instance not wired into htpasswd. So it
might not be the most often used password hash in combination with
httpd. Nevertheless we need to fix it.

I prepared another round of patches to check what's wrong in
apr_password_validate. All patches can be applied in srclib/apr-util.
They are *not* cumulative:

1) Undo one change in the password validation function and check whether
it works then:

http://people.apache.org/~rjung/patches/apr-util-password_validate-glibc.patch

2) Keep the original validation code but add some debug output to STDERR:

http://people.apache.org/~rjung/patches/apr-util-password_validate-debug.patch

3) Combination of 1) and 2):

http://people.apache.org/~rjung/patches/apr-util-password_validate-glibc-debug.patch

All patches only change one file, so if you apply on top of your build
tree, make will only compile one file and you only need to copy over the
new .libs/libaprutil-1.so to your httpd installation lib.

Regards,

Rainer

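The hand-off described in the thread (a validator that handles the hash formats it knows natively and passes anything else to the platform crypt()) as an added example, not code from APR or httpd. The prefix table is a simplified stand-in for apr_password_validate()'s real dispatch, the `{SHA}` scheme is htpasswd's base64(SHA-1) format, and the stored hash below is constructed. It also shows the check a defender wants on the crypt() fallback: a NULL or truncated return for an unsupported salt must count as a failed login, never as a match.

```python
import base64
import hashlib
import hmac

# Fallback to the platform crypt(3), the way apr_password_validate() defers
# formats it does not implement itself. Python's crypt module is deprecated
# (removed in 3.13), so its absence is tolerated and reported at call time.
try:
    import crypt as _crypt  # type: ignore
except ImportError:
    _crypt = None


def sha1_scheme(password: str) -> str:
    """htpasswd's {SHA} scheme: '{SHA}' + base64 of the raw SHA-1 digest."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def classify(stored: str) -> str:
    """Name the scheme a validator would dispatch on (simplified table, an
    assumption of this example rather than APR's exact logic)."""
    if stored.startswith("{SHA}"):
        return "sha1"
    if stored.startswith("$apr1$"):
        return "apr-md5"
    if stored.startswith("$6$"):
        return "crypt-sha512"
    if stored.startswith("$5$"):
        return "crypt-sha256"
    if stored.startswith("$1$"):
        return "crypt-md5"
    return "crypt-traditional"  # old DES crypt: only 8 password chars matter


def validate(password: str, stored: str) -> bool:
    """Return True only if password matches the stored hash."""
    scheme = classify(stored)
    if scheme == "sha1":
        # Constant-time compare so a wrong guess takes the same time as a
        # near-miss; the stored string is short so timing is the only leak.
        return hmac.compare_digest(sha1_scheme(password), stored)
    if scheme == "apr-md5":
        # The $apr1$ variant of MD5-crypt is APR-specific; not implemented here.
        raise NotImplementedError("$apr1$ needs APR's MD5 variant")
    # Everything else is handed to the system crypt(), as the thread describes.
    if _crypt is None:
        raise RuntimeError(f"{scheme}: needs system crypt(), not available here")
    result = _crypt.crypt(password, stored)
    # crypt(3) returns NULL (None here) or a short failure token for a salt it
    # does not support; either way that is a rejected login, not a match.
    if result is None or len(result) != len(stored):
        return False
    return hmac.compare_digest(result, stored)


if __name__ == "__main__":
    # Constructed htpasswd-style entry for the password "password".
    entry = "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g="
    print(classify(entry), validate("password", entry), validate("Password", entry))
```

Run the file directly to see the `{SHA}` path accept the right password and reject a case-variant; a `$6$` entry only validates where the interpreter still ships the crypt module and the platform crypt() knows SHA-512, which is exactly the dependency the thread is chasing.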