Package: apache2-utils
Version: 2.2.3-4+etch4
Severity: normal

Version 2.2.3-4+etch4 of apache2-utils contains an `htpasswd` that does this:

    [EMAIL PROTECTED]:~$ htpasswd -mbn foo bar
    foo:$apr1$.C9HN...$VJYoF1cM6sqQkjgiltBWA1
    [EMAIL PROTECTED]:~$ htpasswd -mbn foo bar
    foo:$apr1$efQG5/..$nBF0.shj9dPcq9ES/5X4c1
    [EMAIL PROTECTED]:~$ htpasswd -mbn foo bar
    foo:$apr1$/lc/X...$9BYnNWXTOxIgtkwNbY5O4/

The 8-byte factor always ends in '...' or '/..'. Does this restrict the hash
space so it can be more easily cracked?

The new version in lenny (2.2.9-2) does not have this problem. The 8-byte
factor in $1 of

    / \$apr1\$ (.*?) \$ .* /mxs

seems totally random in newer versions.

Mark

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.23.17-linode43
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages apache2-utils depends on:
ii  lib  1.2.7-8.2      The Apache Portable Runtime Librar
ii  lib  1.2.7+dfsg-2   The Apache Portable Runtime Utilit
ii  lib  2.7-10         GNU C Library: Shared libraries
ii  lib  4.4.20-8       Berkeley v4.4 Database Libraries [
ii  lib  1.95.8-3.4     XML parsing C library - runtime li
ii  lib  2.1.30-13.3    OpenLDAP libraries
ii  lib  6.7+7.4-4      Perl 5 Compatible Regular Expressi
ii  lib  8.1.11-0etch1  PostgreSQL C client library
ii  lib  3.3.8-1.1      SQLite 3 shared library
ii  lib  0.9.8g-10.1    SSL shared libraries
ii  lib  1.39+1.40-WIP-2006.11.14+dfsg-2etch1  universally unique id library

apache2-utils recommends no packages.

-- no debconf information
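
Added example, not part of the original report: a Python check that decodes the three salts quoted above and measures how much of the 48-bit salt field they actually use. It assumes the salt is packed six bits per character, least-significant group first, in the crypt alphabet; the function names are illustrative.

```python
import re

# 64-symbol crypt alphabet: each salt character carries 6 bits.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# The three `htpasswd -mbn foo bar` outputs quoted in the report.
REPORTED = [
    "foo:$apr1$.C9HN...$VJYoF1cM6sqQkjgiltBWA1",
    "foo:$apr1$efQG5/..$nBF0.shj9dPcq9ES/5X4c1",
    "foo:$apr1$/lc/X...$9BYnNWXTOxIgtkwNbY5O4/",
]

# user:$apr1$<8-char salt>$<22-char digest>; only 8-character salts are handled.
APR1_RE = re.compile(r"^[^:]+:\$apr1\$([./0-9A-Za-z]{8})\$[./0-9A-Za-z]{22}$")


def extract_salt(line):
    """Return the salt field of one htpasswd apr1 entry, or raise ValueError."""
    match = APR1_RE.match(line.strip())
    if match is None:
        raise ValueError("not an apr1 htpasswd entry with an 8-char salt: %r" % line)
    return match.group(1)


def salt_to_int(salt):
    """Decode a salt to an integer (assumed: least-significant 6 bits first)."""
    value = 0
    for position, char in enumerate(salt):
        value |= ITOA64.index(char) << (6 * position)
    return value


def salt_report(lines):
    """Summarise how much of the salt field varies across the given entries."""
    salts = [extract_salt(line) for line in lines]
    values = [salt_to_int(salt) for salt in salts]
    constant = [i for i in range(8) if len({salt[i] for salt in salts}) == 1]
    return {
        "salts": salts,
        "capacity_bits": 6 * 8,
        "max_bits_used": max(value.bit_length() for value in values),
        "constant_positions": constant,
    }


if __name__ == "__main__":
    report = salt_report(REPORTED)
    print("salt capacity: %d bits" % report["capacity_bits"])
    print("largest decoded salt needs %d bits" % report["max_bits_used"])
    print("positions identical in every sample:", report["constant_positions"])
```

On the three samples the decoded salts fit in 31 bits, against the 48 bits that eight characters can hold.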

