On 20.02.2013 13:06, Jim Jagielski wrote:
> Should we be including/moving this discussion to dev@apr ?

I guess so. Strong evidence that the problem sits in apr_password_validate
as part of apu 1.5.1.

Regards,

Rainer

> On Feb 20, 2013, at 3:07 AM, Rainer Jung <rainer.j...@kippdata.de> wrote:
>
>> On 20.02.2013 08:07, William A. Rowe Jr. wrote:
>>> On Wed, 20 Feb 2013 16:42:56 +1000
>>> Noel Butler <noel.but...@ausics.net> wrote:
>>>
>>>> On Tue, 2013-02-19 at 23:31 -0600, William A. Rowe Jr. wrote:
>>>>
>>>>> Note he mentioned SHA512, not crypt(). I don't know that this makes
>>>>> a difference on that architecture.
>>>>
>>>> But isn't it just a hand-off to system crypt() (modern crypt(), not
>>>> the ancient 8 char one), since httpd is limited in native options;
>>>> what it doesn't understand is passed to system crypt() to handle.
>>
>> Yes.
>>
>>> Which remains my point... our current 2.4 and 2.2 candidates should
>>> suffer the same flaw.
>>
>> Indeed, that's likely. Note that Noel uses SHA512, which is supported in
>> apr_password_validate(), but for instance not wired in htpasswd. So it
>> might not be the most often used password hash in combination with
>> httpd. Nevertheless we need to fix.
>>
>> I prepared another round of patches to check what's wrong in
>> apr_password_validate. All patches can be applied in srclib/apr-util.
>> They are *not* cumulative:
>>
>> 1) Undo one change in the password validation function and check whether
>> it works then:
>>
>> http://people.apache.org/~rjung/patches/apr-util-password_validate-glibc.patch
>>
>> 2) Keep original validation code but add some debug output to STDERR:
>>
>> http://people.apache.org/~rjung/patches/apr-util-password_validate-debug.patch
>>
>> 3) Combination of 1) and 2):
>>
>> http://people.apache.org/~rjung/patches/apr-util-password_validate-glibc-debug.patch
>>
>> All patches only change one file, so if you apply on top of your build
>> tree, make will only compile one file and you only need to copy over the
>> new .libs/libaprutil-1.so to your httpd installation lib.
>>
>> Regards,
>>
>> Rainer
>

--
kippdata informationstechnologie GmbH   Tel: 0228 98549 -0
Bornheimer Str. 33a                     Fax: 0228 98549 -50
53111 Bonn                              www.kippdata.de
HRB 8018 Amtsgericht Bonn / USt.-IdNr. DE 196 457 417
Geschäftsführer: Dr. Thomas Höfer, Rainer Jung, Sven Maurmann
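The thread turns on what apr_password_validate() does with a SHA-512 crypt hash: httpd has no native SHA-512-crypt code and hands the `$6$` format off to the platform crypt(). When a libaprutil build starts rejecting such hashes, the quickest way to tell "wrong password" from "broken validation path" is an independent computation of the same hash. The block below is an added example, not code from this thread, from APR or from httpd: a pure-Python implementation of the SHA-512 crypt scheme (Drepper's specification, the one glibc implements for `$6$`), plus a validator written in the apr_password_validate() style that recognizes the prefix and refuses formats it does not understand instead of silently returning false. The function names are mine; the only input data is the specification's published test vector (password "Hello world!", salt "saltstring"), which the `main` block checks.

```python
# Added example, not APR/httpd code: pure-Python SHA-512 crypt ("$6$") as
# specified by Ulrich Drepper, plus an apr_password_validate()-style check.
# Useful for cross-checking what a given libaprutil/crypt(3) build returns.
import hashlib
import hmac

# crypt(3)-style base64 alphabet (not the RFC 4648 one).
_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
_ROUNDS_DEFAULT = 5000
_ROUNDS_MIN, _ROUNDS_MAX = 1000, 999_999_999
_SALT_MAX = 16


def _repeat_to(block: bytes, length: int) -> bytes:
    """Concatenate copies of `block` and cut to exactly `length` bytes."""
    return (block * (length // len(block) + 1))[:length]


def _b64_from_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    """Emit n characters of 6 bits each, lowest bits first (crypt convention)."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = []
    for _ in range(n):
        out.append(_ITOA64[w & 0x3F])
        w >>= 6
    return "".join(out)


def sha512_crypt(password: bytes, salt: bytes, rounds: int = _ROUNDS_DEFAULT) -> str:
    """Return the full '$6$[rounds=N$]salt$digest' string for password/salt."""
    salt = salt[:_SALT_MAX]                      # salt is limited to 16 bytes
    rounds = max(_ROUNDS_MIN, min(_ROUNDS_MAX, rounds))
    n = len(password)

    # Digest B = H(password || salt || password).
    digest_b = hashlib.sha512(password + salt + password).digest()

    # Digest A = H(password || salt || B repeated to len(password) ||
    #              for each bit of len(password), low bit first: B if 1 else password).
    a = hashlib.sha512(password + salt)
    a.update(_repeat_to(digest_b, n))
    bits = n
    while bits > 0:
        a.update(digest_b if bits & 1 else password)
        bits >>= 1
    digest_a = a.digest()

    # P: len(password) bytes derived from H(password * len(password)).
    # S: len(salt) bytes derived from H(salt * (16 + A[0])).
    p_bytes = _repeat_to(hashlib.sha512(password * n).digest(), n)
    s_bytes = _repeat_to(hashlib.sha512(salt * (16 + digest_a[0])).digest(), len(salt))

    # Key stretching: what is fed in each round depends on parity and on mod 3 / mod 7.
    c = digest_a
    for r in range(rounds):
        h = hashlib.sha512()
        h.update(p_bytes if r & 1 else c)
        if r % 3:
            h.update(s_bytes)
        if r % 7:
            h.update(p_bytes)
        h.update(c if r & 1 else p_bytes)
        c = h.digest()

    # Output: 21 byte triples (i, i+21, i+42) in the spec's rotated order, then byte 63 alone.
    encoded = []
    for i in range(21):
        x, y, z = i, i + 21, i + 42
        if i % 3 == 1:
            x, y, z = y, z, x
        elif i % 3 == 2:
            x, y, z = z, x, y
        encoded.append(_b64_from_24bit(c[x], c[y], c[z], 4))
    encoded.append(_b64_from_24bit(0, 0, c[63], 2))

    prefix = "$6$" if rounds == _ROUNDS_DEFAULT else f"$6$rounds={rounds}$"
    return prefix + salt.decode("latin-1") + "$" + "".join(encoded)


def validate(password: str, stored: str) -> bool:
    """Check a cleartext password against a stored '$6$' hash.

    Unlike a bare crypt() handoff, an unrecognized or malformed hash raises
    ValueError, so a broken validation path is not reported as a bad password.
    """
    if not stored.startswith("$6$"):
        raise ValueError("unsupported hash prefix; only $6$ (SHA-512 crypt) is handled here")
    rest = stored[3:]
    rounds = _ROUNDS_DEFAULT
    if rest.startswith("rounds="):
        spec, _, rest = rest.partition("$")
        rounds = int(spec[len("rounds="):])
    salt, sep, digest = rest.partition("$")
    if not sep or not digest:
        raise ValueError("malformed $6$ hash: missing salt or digest field")
    computed = sha512_crypt(password.encode("utf-8"), salt.encode("latin-1"), rounds)
    # Compare only the digest field, in constant time.
    return hmac.compare_digest(computed.rsplit("$", 1)[1], digest)


if __name__ == "__main__":
    # Test vector from the SHA-crypt specification.
    vec = ("$6$saltstring$svn8UoSVapNtMuq1ukKS4tPQd8iKwSMHWjl/O817G3uBnIFNjnQJuesI6"
           "8u4OTLiBFdcbYEdFCoEOfaS35inz1")
    print(sha512_crypt(b"Hello world!", b"saltstring") == vec)
    print(validate("Hello world!", vec), validate("Hello world?", vec))
```

To use it against a live build, take a `$6$` line from an htpasswd file (or the output of `openssl passwd -6` / the platform's `crypt()`), call `validate()` with the known cleartext, and compare with what the httpd build accepts: if this code says True and httpd says no, the problem is in the library's crypt() path rather than in the stored hash.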