First Last Prev Next    This bug is not in your last search results.
Bug 1034591 - (CVE-2017-7252) VUL-0: CVE-2017-7252: Botan: Botans implementation of bcrypt password hashing scheme truncated longpasswords at 56 characters, ...
(CVE-2017-7252)
VUL-0: CVE-2017-7252: Botan: Botans implementation of bcrypt password hashing...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/183662/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-04-18 09:05 UTC by Marcus Meissner
Modified: 2017-05-08 11:55 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2017-04-18 09:05:46 UTC 
CVE-2017-7252

Botan’s implementation of bcrypt password hashing scheme truncated long
passwords at 56 characters, instead of at bcrypt’s standard 72 characters
limit. Passwords with lengths between these two bounds could be cracked more
easily than should be the case due to the final password bytes being ignored.

References
https://botan.randombit.net/security.html#id1
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7252.html
Comment 1 Marcus Meissner 2017-04-18 09:06:52 UTC 
2017-03-23 (CVE-2017-7252): Incorrect bcrypt computation

Botan’s implementation of bcrypt password hashing scheme truncated long passwords at 56 characters, instead of at bcrypt’s standard 72 characters limit. Passwords with lengths between these two bounds could be cracked more easily than should be the case due to the final password bytes being ignored. Found and reported by Solar Designer.

Bug introduced in 1.11.0, fixed in 2.1.0.
Comment 2 Marcus Meissner 2017-04-18 09:15:04 UTC 
sle12 has 1.10.x , so SLE not affected.
Comment 3 Daniel Molkentin 2017-04-25 09:57:17 UTC 
Factory has 1.10.16, and and 2.1.0 is pending for submission to Factory (separate package). Both are unaffected.
Comment 4 Daniel Molkentin 2017-04-25 09:58:46 UTC 
Back to security team for further processing.
Comment 5 Marcus Meissner 2017-05-08 11:55:21 UTC 
if its in factory -> good
First Last Prev Next    This bug is not in your last search results.