On 20.02.2013 13:06, Jim Jagielski wrote:
> Should we be including/moving this discussion to dev@apr ?

I guess so. Strong evidence that the problem sits in
apr_password_validate as part of apu 1.5.1.

Regards,

Rainer

> On Feb 20, 2013, at 3:07 AM, Rainer Jung <rainer.j...@kippdata.de> wrote:
> 
>> On 20.02.2013 08:07, William A. Rowe Jr. wrote:
>>> On Wed, 20 Feb 2013 16:42:56 +1000
>>> Noel Butler <noel.but...@ausics.net> wrote:
>>>
>>>> On Tue, 2013-02-19 at 23:31 -0600, William A. Rowe Jr. wrote:
>>>>
>>>>> Note he mentioned SHA512, not crypt().  I don't know that this makes
>>>>> a difference on that architecture.
>>>>
>>>> But isn't it just a hand-off to system crypt() (modern crypt(), not
>>>> the ancient 8-char one), since httpd is limited in native options;
>>>> what it doesn't understand it passes to system crypt() to handle.
>>
>> Yes.
>>
>>> Which remains my point... our current 2.4 and 2.2 candidates should
>>> suffer the same flaw.
>>
>> Indeed, that's likely. Note that Noel uses SHA512, which is supported in
>> apr_password_validate(), but for instance not wired in htpasswd. So it
>> might not be the most often used password hash in combination with
>> httpd. Nevertheless we need to fix it.
>>
>> I prepared another round of patches to check what's wrong in
>> apr_password_validate. All patches can be applied in srclib/apr-util.
>> They are *not* cumulative:
>>
>> 1) Undo one change in the password validation function and check whether
>> it works then:
>>
>> http://people.apache.org/~rjung/patches/apr-util-password_validate-glibc.patch
>>
>> 2) Keep original validation code but add some debug output to STDERR:
>>
>> http://people.apache.org/~rjung/patches/apr-util-password_validate-debug.patch
>>
>> 3) Combination of 1) and 2):
>>
>> http://people.apache.org/~rjung/patches/apr-util-password_validate-glibc-debug.patch
>>
>> All patches only change one file, so if you apply on top of your build
>> tree, make will only compile one file and you only need to copy over the
>> new .libs/libaprutil-1.so to your httpd installation lib.
>>
>> Regards,
>>
>> Rainer
>>

-- 
kippdata
informationstechnologie GmbH   Tel: 0228 98549 -0
Bornheimer Str. 33a            Fax: 0228 98549 -50
53111 Bonn                     www.kippdata.de

HRB 8018 Amtsgericht Bonn / VAT ID no. DE 196 457 417
Managing directors: Dr. Thomas Höfer, Rainer Jung, Sven Maurmann
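
As an added reference, not code from this thread or from APR, here is a pure-Python implementation of the $6$ (SHA-512 crypt) scheme that Noel's hashes use, written to Drepper's SHA-crypt specification; when apr_password_validate hands such a hash to the platform crypt(), this gives an independent value to compare against while debugging. It also handles the optional rounds=N$ field. The function names sha512_crypt and verify are my own.

```python
import hashlib
import hmac

_B64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
# Byte order in which the final digest is emitted, as fixed by the SHA-crypt spec
_ORDER = [(0, 21, 42), (22, 43, 1), (44, 2, 23), (3, 24, 45), (25, 46, 4),
          (47, 5, 26), (6, 27, 48), (28, 49, 7), (50, 8, 29), (9, 30, 51),
          (31, 52, 10), (53, 11, 32), (12, 33, 54), (34, 55, 13), (56, 14, 35),
          (15, 36, 57), (37, 58, 16), (59, 17, 38), (18, 39, 60), (40, 61, 19),
          (62, 20, 41)]

def _b64(b2, b1, b0, n):
    # crypt's own base64 variant: 6 bits at a time, least significant first
    w = (b2 << 16) | (b1 << 8) | b0
    out = bytearray()
    for _ in range(n):
        out.append(_B64[w & 0x3F]); w >>= 6
    return bytes(out)

def sha512_crypt(password: bytes, salt: bytes, rounds=None) -> str:
    # rounds=None means the untagged default of 5000, as glibc emits it
    salt = salt.split(b"$")[0][:16]                      # salt stops at '$', max 16 bytes
    r = 5000 if rounds is None else min(max(rounds, 1000), 999_999_999)
    b = hashlib.sha512(password + salt + password).digest()
    a = hashlib.sha512(password + salt)                  # digest A: pw, salt, B to len(pw)
    a.update((b * (len(password) // 64 + 1))[:len(password)])
    n = len(password)
    while n > 0:                                         # bit walk over len(pw)
        a.update(b if n & 1 else password); n >>= 1
    a = a.digest()
    p = (hashlib.sha512(password * len(password)).digest() * (len(password) // 64 + 1))[:len(password)]
    s = hashlib.sha512(salt * (16 + a[0])).digest()[:len(salt)]
    c = a
    for i in range(r):                                   # the cost loop
        h = hashlib.sha512()
        h.update(p if i & 1 else c)
        if i % 3: h.update(s)
        if i % 7: h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()
    enc = b"".join(_b64(c[x], c[y], c[z], 4) for x, y, z in _ORDER) + _b64(0, 0, c[63], 2)
    tag = "" if rounds is None else f"rounds={r}$"
    return "$6$" + tag + salt.decode() + "$" + enc.decode()

def verify(password: bytes, stored: str) -> bool:
    # Re-hash with the stored salt/rounds and compare in constant time
    parts = stored.split("$")
    if parts[0] or len(parts) not in (4, 5) or parts[1] != "6":
        return False
    rounds = None
    if len(parts) == 5:                                  # optional rounds=N$ field
        if not parts[2].startswith("rounds=") or not parts[2][7:].isdigit(): return False
        rounds = int(parts.pop(2)[7:])
    return hmac.compare_digest(sha512_crypt(password, parts[2].encode(), rounds).encode(), stored.encode())
```

Feed it the same salt and password you give the platform crypt() and compare the two strings; a mismatch points at the crypt() side, a match at the validation logic around it.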
