Posted to dev@httpd.apache.org by Stefan Fritsch <sf...@sfritsch.de> on 2013/02/20 22:28:07 UTC
apr_password_validate (was: [VOTE] Release Apache httpd 2.4.4 as GA)
[moving to dev@apr, please remove dev@httpd when replying]
On Wednesday 20 February 2013, Noel Butler wrote:
> On Wed, 2013-02-20 at 01:07 -0600, William A. Rowe Jr. wrote:
> > Which remains my point... our current 2.4 and 2.2 candidates
> > should suffer the same flaw.
>
> Confirmed, 2.2 candidate suffers same problem

I hope I did not miss this somewhere in the thread, but have you tried
running the apr-util 1.5.1 test suite (i.e. make check)? It has some
checks for apr_password_validate.

Re: apr_password_validate (was: [VOTE] Release Apache httpd 2.4.4 as GA)
Posted by Noel Butler <no...@ausics.net>.
On Wed, 2013-02-20 at 22:28 +0100, Stefan Fritsch wrote:
> [moving to dev@apr, please remove dev@httpd when replying]
>
> On Wednesday 20 February 2013, Noel Butler wrote:
> > On Wed, 2013-02-20 at 01:07 -0600, William A. Rowe Jr. wrote:
> > > Which remains my point... our current 2.4 and 2.2 candidates
> > > should suffer the same flaw.
> >
> > Confirmed, 2.2 candidate suffers same problem
>
>
> I hope I did not miss this somewhere in the thread, but have you tried
> running the apr-util 1.5.1 test suite (i.e. make check)? It has some
> checks for apr_password_validate
>
It reports success but...
<snip>
crypt_r returned 'nHZA1rViSldQk'
SUCCESS
testmd4 : SUCCESS
testmd5 : SUCCESS
testcrypto : SUCCESS
testdbd : SUCCESS
testdate : SUCCESS
testmemcache : SUCCESS
testxml : SUCCESS
testxlate : SUCCESS
testrmm : SUCCESS
testdbm : SUCCESS
testqueue : SUCCESS
testreslist : SUCCESS
All tests passed.
It doesn't seem to test for salted md5, let alone shaxxx.

NOTE: replying here since I'm not on dev@apr; I'll fix that in a minute,
though.