httpd-dev mailing list archives

From Jim Jagielski <...@jaguNET.com>
Subject Re: [VOTE] Release Apache httpd 2.4.4 as GA
Date Wed, 20 Feb 2013 12:06:54 GMT
Should we be including/moving this discussion to dev@apr?

On Feb 20, 2013, at 3:07 AM, Rainer Jung <rainer.jung@kippdata.de> wrote:

> On 20.02.2013 08:07, William A. Rowe Jr. wrote:
>> On Wed, 20 Feb 2013 16:42:56 +1000
>> Noel Butler <noel.butler@ausics.net> wrote:
>> 
>>> On Tue, 2013-02-19 at 23:31 -0600, William A. Rowe Jr. wrote:
>>> 
>>>> Note he mentioned SHA512, not crypt().  I don't know that this makes
>>>> a difference on that architecture.
>>> 
>>> But isn't it just a hand-off to system crypt() (modern crypt(), not
>>> the ancient 8-char one)? Since httpd is limited in native options,
>>> what it doesn't understand it passes to system crypt() to handle.
> 
> Yes.
> 
>> Which remains my point... our current 2.4 and 2.2 candidates should
>> suffer the same flaw.
> 
> Indeed, that's likely. Note that Noel uses SHA512, which is supported in
> apr_password_validate(), but for instance not wired in htpasswd. So it
> might not be the most often used password hash in combination with
> httpd. Nevertheless we need to fix.
> 
> I prepared another round of patches to check what's wrong in
> apr_password_validate. All patches can be applied in srclib/apr-util.
> They are *not* cumulative:
> 
> 1) Undo one change in the password validation function and check whether
> it works then:
> 
> http://people.apache.org/~rjung/patches/apr-util-password_validate-glibc.patch
> 
> 2) Keep original validation code but add some debug output to STDERR:
> 
> http://people.apache.org/~rjung/patches/apr-util-password_validate-debug.patch
> 
> 3) Combination of 1) and 2):
> 
> http://people.apache.org/~rjung/patches/apr-util-password_validate-glibc-debug.patch
> 
> All patches only change one file, so if you apply on top of your build
> tree, make will only compile one file and you only need to copy over the
> new .libs/libaprutil-1.so to your httpd installation lib.
> 
> Regards,
> 
> Rainer
> 


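The dispatch the thread describes (httpd checks the formats it understands natively and hands everything else, including SHA-512 crypt entries, to the system crypt()) is easy to get subtly wrong, so here is an added, self-contained illustration of that structure. This is example code written for this page, not APR's apr_password_validate() and not any patch from the thread. It assumes a pluggable `crypt_fn` (because Python's own crypt module is deprecated) and uses `fake_sha512_crypt`, a deterministic stand-in that is not real SHA-crypt, purely so the hand-off, the fail-closed path for an unsupported method, and the constant-time comparison can be exercised offline.

```python
import base64
import hashlib
import hmac
from typing import Callable, Optional

# Constructed example; mirrors the shape of an httpd-style validator:
# formats known natively are checked in-process, anything else goes to crypt().
CryptFn = Callable[[str, str], Optional[str]]


def make_sha1_entry(password: str) -> str:
    """Build an htpasswd-style {SHA} entry (base64 of raw SHA-1)."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


def _check_sha1(password: str, stored: str) -> bool:
    expected = make_sha1_entry(password)
    # Constant-time compare so a wrong guess does not leak prefix length.
    return hmac.compare_digest(expected, stored)


def validate_password(password: str, stored: str, crypt_fn: CryptFn) -> bool:
    """Return True only if `password` matches the stored entry."""
    if stored.startswith("{SHA}"):
        return _check_sha1(password, stored)

    # Everything else (e.g. a "$6$..." SHA-512 crypt string) is handed to the
    # system crypt(). crypt() takes the *whole* stored string as its setting:
    # it parses the $id$[rounds=N$]salt$ prefix itself and re-hashes with the
    # same parameters, so the caller must not pre-trim the salt.
    result = crypt_fn(password, stored)

    # Unsupported method or internal error: fail closed rather than comparing
    # a sentinel such as "*0" against the stored value.
    if not result or result.startswith("*"):
        return False
    return hmac.compare_digest(result, stored)


def fake_sha512_crypt(password: str, setting: str) -> Optional[str]:
    """Stand-in for glibc crypt() with a $6$ setting (assumption: NOT real
    SHA-crypt). It only derives a deterministic string from salt and password
    so the dispatch logic above can be run without libcrypt."""
    if not setting.startswith("$6$"):
        return None  # behave like a libc that lacks this method
    parts = setting.split("$")
    # Layout is $6$[rounds=N$]salt$hash; skip an optional rounds field.
    salt = parts[3] if parts[2].startswith("rounds=") else parts[2]
    digest = hashlib.sha512((salt + password).encode()).hexdigest()[:86]
    return f"$6${salt}${digest}"


if __name__ == "__main__":
    entry = fake_sha512_crypt("hunter2", "$6$saltsalt$")
    print(validate_password("hunter2", entry, fake_sha512_crypt))   # True
    print(validate_password("hunter3", entry, fake_sha512_crypt))   # False
    print(validate_password("hunter2", "$5$saltsalt$x", fake_sha512_crypt))  # False
```

The two points worth carrying over to a real validator are the ones the patches in the thread poke at: the full stored string is the setting passed to crypt(), and any non-hash return value from crypt() (NULL, or a "*" failure token on newer libcs) must be treated as a failed check, never compared.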