
Bug#489899: apache2-utils htpasswd bogus compromised md5 factor
Package: apache2-utils
Version: 2.2.3-4+etch4
Severity: normal
Version 2.2.3-4+etch4 of apache2-utils contains an `htpasswd`
that does this:

  hedges@foo:~$ htpasswd -mbn foo bar
  foo:$apr1$.C9HN...$VJYoF1cM6sqQkjgiltBWA1

  hedges@foo:~$ htpasswd -mbn foo bar
  foo:$apr1$efQG5/..$nBF0.shj9dPcq9ES/5X4c1

  hedges@foo:~$ htpasswd -mbn foo bar
  foo:$apr1$/lc/X...$9BYnNWXTOxIgtkwNbY5O4/

The 8-byte factor always ends in '...' or '/..'.

Does this restrict the hash space so it can be more easily cracked?

The new version in lenny (2.2.9-2) does not have this problem.
The 8-byte factor in $1 of / \$apr1\$ (.*?) \$ .* /mxs seems
totally random in newer versions.

Mark

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.23.17-linode43
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages apache2-utils depends on:
ii  lib 1.2.7-8.2                            The Apache Portable Runtime Librar
ii  lib 1.2.7+dfsg-2                         The Apache Portable Runtime Utilit
ii  lib 2.7-10                               GNU C Library: Shared libraries
ii  lib 4.4.20-8                             Berkeley v4.4 Database Libraries [
ii  lib 1.95.8-3.4                           XML parsing C library - runtime li
ii  lib 2.1.30-13.3                          OpenLDAP libraries
ii  lib 6.7+7.4-4                            Perl 5 Compatible Regular Expressi
ii  lib 8.1.11-0etch1                        PostgreSQL C client library
ii  lib 3.3.8-1.1                            SQLite 3 shared library
ii  lib 0.9.8g-10.1                          SSL shared libraries
ii  lib 1.39+1.40-WIP-2006.11.14+dfsg-2etch1 universally unique id library

apache2-utils recommends no packages.

-- no debconf information
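A small audit script, added here as an illustration and not part of the bug report or of apache2-utils: it decodes the 8-character $apr1$ salt with crypt's itoa64 alphabet ('.' is 0, '/' is 1, then 0-9, A-Z, a-z) in the low-bits-first order to64() uses, and flags entries whose decoded salt uses far fewer than the 48 bits eight such characters can carry, which is exactly what trailing '...' or '/..' indicates. The sample htpasswd lines are the three salts from the report plus constructed entries; the 36-bit threshold is an assumption.

```python
import re

# crypt(3)/to64() alphabet: '.' encodes 0, '/' encodes 1, then 0-9, A-Z, a-z.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
FULL_BITS = 48  # eight 6-bit characters, if every one of them is random
APR1_LINE = re.compile(r"^(?P<user>[^:]+):\$apr1\$(?P<salt>[^$]{1,8})\$(?P<hash>[^$\s]+)$")

def salt_value(salt: str) -> int:
    """Decode a salt the way to64() wrote it: character i holds bits 6i..6i+5."""
    value = 0
    for i, ch in enumerate(salt):
        value |= ITOA64.index(ch) << (6 * i)
    return value

def salt_bits_used(salt: str) -> int:
    """Highest set bit of the decoded salt; a fully random salt is close to 48."""
    return salt_value(salt).bit_length()

def audit_htpasswd(lines, min_bits: int = 36):
    """Return (user, salt, bits) for $apr1$ entries whose decoded salt uses fewer
    than min_bits bits. 36 flags any salt ending in '..', which a uniformly random
    salt produces only once in 4096 entries; non-apr1 lines are skipped."""
    weak = []
    for line in lines:
        m = APR1_LINE.match(line.strip())
        if not m:
            continue
        bits = salt_bits_used(m.group("salt"))
        if bits < min_bits:
            weak.append((m.group("user"), m.group("salt"), bits))
    return weak

# Constructed sample file: the three salts quoted in the report, one constructed
# entry with a full-width salt (its hash field is a dummy), and one non-apr1 line.
SAMPLE_HTPASSWD = [
    "foo:$apr1$.C9HN...$VJYoF1cM6sqQkjgiltBWA1",
    "foo:$apr1$efQG5/..$nBF0.shj9dPcq9ES/5X4c1",
    "foo:$apr1$/lc/X...$9BYnNWXTOxIgtkwNbY5O4/",
    "good:$apr1$aB3xQ9zK$0000000000000000000000",  # constructed, not a real hash
    "bob:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",         # skipped: not $apr1$
]

if __name__ == "__main__":
    for user, salt, bits in audit_htpasswd(SAMPLE_HTPASSWD):
        print(f"{user}: salt {salt!r} uses only {bits} of {FULL_BITS} bits")
```

A single flagged entry can be chance; a file in which most $apr1$ salts trip the threshold is the signal that the generator, not the dice, is at fault.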