[php-maint] Bug#632675: php5: NEWS item for CVE-2011-2483 could be clearer

Thijs Kinkhorst thijs at debian.org
Tue Jan 31 13:48:40 UTC 2012


Hi Jonathan,

> From today's upgrade:
>
>  * Updated blowfish crypt() algorithm fixes the 8-bit character handling
>    vulnerability (CVE-2011-2483) and adds more self-tests.  Unfortunately
>    this change is incompatible with some old (wrong) generated hashes for
>    passwords containing 8-bit characters.  Therefore the new salt prefix
>    '$2x$' was introduced which can be used as a replacement for '$2a$'
>    salt prefix in the password database in case the incompatibility is
>    found.
>
> Some minor nitpicks:
>
> - the asterisk is not needed :)

Sure, but removing it is also not needed :)

> - the above seems to take for granted that the reader already knows
>   about CVE-2011-2483.  When discussing the resulting incompatibility,
>   it would be friendlier to explain what prompted it.

I disagree. NEWS items should stick to their core business, and that is
informing users of important changes that affect their running system. We
provide the reference so one can easily Google it if you want to know more
background, but the back story of why this was done is really not all
that important. I'd like to keep these entries as brief and
straightforward as possible, and not expand into background information.

> - it doesn't actually say what the '$2x$' salt prefix means, or where
>   one should put it (keeping in mind that some sysadmins may not be
>   PHP developers).

We can extend this part a bit further, yes. It's a pity though that it's
already a bit late for that for most upgraders, but I'll change it
nonetheless.

Thanks for your suggestions.

Thijs
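As an added example (not part of this mail, the Debian NEWS item or the PHP project's code), this is one way an application could apply the '$2a$' to '$2x$' replacement the NEWS item describes at login time, rather than rewriting the password database by hand. It assumes the updated crypt() that knows the '$2x$' prefix (PHP 5.3.7 or Debian's patched php5) and the OpenSSL extension; the function names verify_bcrypt_with_legacy_fallback and constant_time_equals are my own.

```php
<?php
// Hashes produced by the old, buggy $2a$ implementation for passwords that
// contain 8-bit characters no longer verify with the fixed crypt(). The $2x$
// prefix asks the fixed crypt() to reproduce the old behaviour, so such a
// hash can still be verified once and then replaced by a correct $2a$ hash.

function constant_time_equals($a, $b) {
    if (strlen($a) !== strlen($b)) { return false; }
    $r = 0;
    for ($i = 0; $i < strlen($a); $i++) {
        $r |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $r === 0;
}

// Returns array(verified, replacement_hash). replacement_hash is non-null only
// when the stored hash verified through the legacy $2x$ path and should be
// written back to the password database in place of the old hash.
function verify_bcrypt_with_legacy_fallback($password, $stored_hash) {
    // Normal case: the fixed algorithm reproduces the stored hash.
    if (constant_time_equals(crypt($password, $stored_hash), $stored_hash)) {
        return array(true, null);
    }
    // Only hashes with the $2a$ prefix are affected by CVE-2011-2483.
    if (substr($stored_hash, 0, 4) !== '$2a$') {
        return array(false, null);
    }
    // Re-interpret the same salt and hash under the legacy $2x$ prefix.
    $legacy_hash = '$2x$' . substr($stored_hash, 4);
    if (!constant_time_equals(crypt($password, $legacy_hash), $legacy_hash)) {
        return array(false, null);
    }
    // Password is correct but the hash is an old buggy one: rehash it with
    // the fixed algorithm and a fresh 128-bit salt (cost factor 10 assumed).
    $raw  = openssl_random_pseudo_bytes(16);
    $salt = '$2a$10$' . substr(strtr(base64_encode($raw), '+', '.'), 0, 22);
    return array(true, crypt($password, $salt));
}

// Constructed usage: a stored hash would come from the password database.
// list($ok, $new_hash) = verify_bcrypt_with_legacy_fallback($input, $stored);
// if ($ok && $new_hash !== null) { /* update the stored hash */ }
```

Hashes whose passwords contained only ASCII characters verify on the first branch unchanged; the $2x$ path is only taken for the affected 8-bit cases, and each such hash is replaced the first time its user logs in.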
