On Wed, Apr 7, 2010 at 6:15 PM, Toby Corkindale <[email protected]> wrote:

> So, a while back there was some.. slightly heated.. discussion about
> security issues with C-P-A-Password.. or perhaps one of the modules it uses
> internally.. in certain cases, if certain options are, or are not, set. Then
> it quietened down without any apparent conclusion being reached.
>
> Now that some time has passed, I wondered if someone could provide a
> synopsis of the outcome of these investigations and discussions?
>
> In short:
> * In what circumstances was an attack possible?
> ie. What combination of modules, options, auth methods.
> * Which versions were vulnerable, and if any, at what version were they
> fixed, if any?
> * What mitigating factors can be applied to existing systems to reduce
> their vulnerability to the attack?
>
>
> Thanks,
> Toby
In my opinion, a non-issue from the start unless you specifically enable the "I want a weak crypt" option. C::P::A defers to Crypt::SaltedHash, which handles everything fine.

The ticket is still open because Evan is going to look into it further. You can follow the ticket at https://rt.cpan.org/Public/Bug/Display.html?id=55850

-Jay

_______________________________________________
List: [email protected]
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/[email protected]/
Dev site: http://dev.catalyst.perl.org/
