Package: apache2-utils
Version: 2.2.3-4+etch4
Severity: normal

According to https://issues.apache.org/bugzilla/show_bug.cgi?id=31440 and http://www.heise.de/newsticker/meldung/103666/ (sorry, German only, but it does contain an example of how to reproduce the problem) htpasswd does weak password salt generation. I was able to reproduce this in apache2-utils from etch as stated above and in apache2-utils 2.2.8-1 from lenny. It looks like this:

[EMAIL PROTECTED]> htpasswd -nbm user1 pass1; htpasswd -nbm user2 pass2; htpasswd -nbm user3 pass2
user1:$apr1$FdloI/..$ZD62Y2byC.oAk4AtzmYSY1
user2:$apr1$FdloI/..$HHJ6g9cEnxWFLUV1Rr/W6/
user3:$apr1$FdloI/..$HHJ6g9cEnxWFLUV1Rr/W6/

The password salt, according to the heise newsticker article, that "FdloI/.." in the above example, is the same in all three cases. There is a patch available in the above Apache bug report. IMHO this should be fixed for unstable and etch. I am not sure about the severity of the report. Since it doesn't introduce a security hole just by installing the package and it doesn't introduce a security hole to get access to POSIX accounts, but it does introduce some sort of security issue, I marked it as serious. Feel free to change the severity as you think is appropriate.
-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable'), (1, 'testing')
Architecture: i386 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.22-3-amd64
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)

Versions of packages apache2-utils depends on:
ii  lib  1.2.7-8.2                              The Apache Portable Runtime Librar
ii  lib  1.2.7+dfsg-2                           The Apache Portable Runtime Utilit
ii  lib  2.3.6.ds1-13etch5                      GNU C Library: Shared libraries
ii  lib  4.4.20-8                               Berkeley v4.4 Database Libraries [
ii  lib  1.95.8-3.4                             XML parsing C library - runtime li
ii  lib  2.1.30-13.3                            OpenLDAP libraries
ii  lib  6.7+7.4-3                              Perl 5 Compatible Regular Expressi
ii  lib  8.1.11-0etch1                          PostgreSQL C client library
ii  lib  3.3.8-1.1                              SQLite 3 shared library
ii  lib  0.9.8c-4etch1                          SSL shared libraries
ii  lib  1.39+1.40-WIP-2006.11.14+dfsg-2etch1   universally unique id library

apache2-utils recommends no packages.

-- no debconf information
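The following script is an added example, not part of the bug report or of apache2-utils: it audits an htpasswd file for $apr1$ entries that share a salt (the symptom shown above, where three separate htpasswd runs all produced "FdloI/.."), and shows how a salt should be drawn from a CSPRNG. The sample input is constructed from the three lines quoted in the report; the function names are my own.

```python
"""Audit an htpasswd file for repeated $apr1$ salts.

Constructed sample input below reproduces the three entries quoted in
the bug report; any real htpasswd file can be fed to find_shared_salts().
"""
import re
import secrets
from collections import defaultdict

# Character set the apr1 (Apache MD5) scheme uses for its 8-character salt.
SALT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# user:$apr1$<salt>$<digest>  -- salt up to 8 chars, digest 22 chars, same alphabet
APR1_LINE = re.compile(r"^([^:]+):\$apr1\$([./0-9A-Za-z]{1,8})\$([./0-9A-Za-z]{22})$")

# Constructed sample: the exact three lines quoted in the report.
SAMPLE_HTPASSWD = """\
user1:$apr1$FdloI/..$ZD62Y2byC.oAk4AtzmYSY1
user2:$apr1$FdloI/..$HHJ6g9cEnxWFLUV1Rr/W6/
user3:$apr1$FdloI/..$HHJ6g9cEnxWFLUV1Rr/W6/
"""

def parse_apr1_entries(text):
    """Return (user, salt, digest) for every $apr1$ line; other schemes are skipped."""
    entries = []
    for line in text.splitlines():
        m = APR1_LINE.match(line.strip())
        if m:
            entries.append(m.groups())
    return entries

def find_shared_salts(text):
    """Map each salt used by more than one account to the accounts using it.

    A salt shared across accounts means the generator was not random: equal
    passwords yield equal digests (user2/user3 above) and one precomputed
    table covers every account that carries that salt.
    """
    by_salt = defaultdict(list)
    for user, salt, _digest in parse_apr1_entries(text):
        by_salt[salt].append(user)
    return {salt: users for salt, users in by_salt.items() if len(users) > 1}

def random_apr1_salt():
    """Draw an 8-character apr1 salt from the OS CSPRNG, as htpasswd should."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(8))

if __name__ == "__main__":
    for salt, users in find_shared_salts(SAMPLE_HTPASSWD).items():
        print(f"salt {salt!r} shared by: {', '.join(users)}")
    print("fresh salt:", random_apr1_salt())
```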

