r601 - in zope-exuserfolder/trunk/debian: . patches
Fabio Tranchitella
kobold at alioth.debian.org
Fri Feb 9 13:28:36 CET 2007
Author: kobold
Date: 2007-02-09 13:28:36 +0100 (Fri, 09 Feb 2007)
New Revision: 601
Removed:
zope-exuserfolder/trunk/debian/patches/bts_229003_Wrong_salt_used_for_authentication.diff
Modified:
zope-exuserfolder/trunk/debian/changelog
Log:
Preparing the new release.
Modified: zope-exuserfolder/trunk/debian/changelog
===================================================================
--- zope-exuserfolder/trunk/debian/changelog 2007-02-09 12:20:24 UTC (rev 600)
+++ zope-exuserfolder/trunk/debian/changelog 2007-02-09 12:28:36 UTC (rev 601)
@@ -1,3 +1,12 @@
+zope-exuserfolder (0.50.1-7) unstable; urgency=medium
+
+ * debian/patches/bts_229003_Wrong_salt_used_for_authentication.diff:
+ removed, after the introduction of pluggable encryption, the assumptions
+ behind the patch (that the first two characters in 'password' are the
+ encryption salt) seem to not be necesarily true anymore. (Closes: #407836)
+
+ -- Fabio Tranchitella <kobold at debian.org> Fri, 9 Feb 2007 13:27:45 +0100
+
zope-exuserfolder (0.50.1-6) unstable; urgency=low
* debian/po/de.po: added, thanks to Helge Kreutzman. (Closes: #407486)
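Review bot: the new 0.50.1-7 entry says why the patch is dropped but not what happens to the bug it addressed. It closes #407836 without stating whether #229003 is reopened or is now handled by the pluggable encryption code. Suggest adding a line that says which salt the authentication path uses after this upload, so the reason for "urgency=medium" is readable from the entry itself. Minor: "necesarily" should be "necessarily".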
Deleted: zope-exuserfolder/trunk/debian/patches/bts_229003_Wrong_salt_used_for_authentication.diff
===================================================================
--- zope-exuserfolder/trunk/debian/patches/bts_229003_Wrong_salt_used_for_authentication.diff 2007-02-09 12:20:24 UTC (rev 600)
+++ zope-exuserfolder/trunk/debian/patches/bts_229003_Wrong_salt_used_for_authentication.diff 2007-02-09 12:28:36 UTC (rev 601)
@@ -1,41 +0,0 @@
-Subject: Bug#229003: Wrong salt used for authentication in User.py
-From: Guenther Starnberger <gst at sysfrog.org>
-Date: Thu, 22 Jan 2004 08:49:24 +0100
-
-The authenticate method in User.py does use the wrong salt for authentication,
-namely the first two characters of the username (which are also used by the
-encryption method).
-
-This behaviour may be OK for the encryption method (of course a random salt
-would be better), but when used in the authentication method it breaks
-authentication when the username changes (because we don't have the right
-salt anymore).
-
-The salt is also stored as the two first characters of the crypted password,
-which can (should) be used as salt for the authentication instead.
-
-To do this the following line (158) in User.py:
-
-secret=self.cryptPassword(self.name, password)
-
-needs to be replaced by:
-
-secret=self.cryptPassword(people['password'][:2], password)
-
-This bugfix should be fully compatible to the old behaviour (if i haven't any
-errors in my reasoning :).
-
-cu
-/gst
-
---- User.py 2004-02-10 19:45:45.000000000 -0500
-+++ User.py 2004-04-09 23:22:50.000000000 -0400
-@@ -157,7 +157,7 @@
- if remoteAuth:
- return remoteAuth(self.name, password)
- else:
-- secret=self.cryptPassword(self.name, password)
-+ secret=self.cryptPassword(people['password'][:2], password)
- return secret==people['password']
- return None
-
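Review bot: removing the whole patch leaves User.py as upstream ships it, and nothing in this commit shows what replaces the salt handling. If upstream still has "secret=self.cryptPassword(self.name, password)", the comparison "return secret==people['password']" again depends on the user name, and the failure described in the patch header (authentication breaks when the username changes) can come back. The changelog only says the "first two characters" assumption is not necessarily true under pluggable encryption, so consider keeping the salt-from-stored-value behaviour for the scheme where it still holds, or having each encryption scheme verify the supplied password against its own stored value instead of recomputing with a salt chosen in User.py.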