URL: <http://savannah.gnu.org/bugs/?52020>
Summary: Missing bcrypt dependency in gnuhealth-setup
Project: GNU Health
Submitted by: meanmicio
Submitted on: Thu 14 Sep 2017 04:07:22 PM UTC
Category: Security
Severity: 3 - Normal
Item Group: None
Status: Confirmed
Privacy: Public
Assigned to: meanmicio
Open/Closed: Open
Discussion Lock: Any
Release: None
Module: gnuhealth-setup

_______________________________________________________

Details:

Mathias Behrle noticed that the standard installation for GNU Health (gnuhealth-setup) is missing the bcrypt package.

Although Tryton falls back to the SHA1 algorithm for hashing the passwords if it does not find bcrypt, we recommend using Bcrypt. Bcrypt is a "slow" hash algorithm, so it makes brute force attacks harder (from the time point of view), and the penalty for the user logging in is not noticeable (especially across the network).

We will release a new version of gnuhealth-setup (3.2.1), which will include bcrypt in the dependency list.

In the meantime, just install the bcrypt package manually with the *gnuhealth* user:

gnuhealth $ pip3 install --user bcrypt

Don't forget to restart (no need to update) the Tryton server.

PS: This applies just to the standard / vanilla GNU Health distribution. Those installations that use pypi packages already have the dependency in place.

Bests
Luis
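A way to check the result of the workaround above, as an added example that is not part of the original report or of GNU Health or Tryton code: it reports which scheme new passwords will get under the fallback described in the report, and flags stored hashes that are not bcrypt. The `<scheme>$...` storage format, the function names and the sample rows are assumptions constructed for illustration.

```python
"""Added example: audit password hashing after installing bcrypt.
Run with the same user and Python interpreter that start the Tryton server."""
import importlib.util
from collections import Counter


def active_scheme():
    """Scheme new passwords get under the fallback described in the report:
    bcrypt when the module is importable by this interpreter, else sha1."""
    return "bcrypt" if importlib.util.find_spec("bcrypt") else "sha1"


def scheme_of(stored):
    """Label one stored hash.
    ASSUMPTION: hashes are stored as '<scheme>$<data>' (e.g. 'sha1$...')."""
    if not stored:
        return "empty"  # no password set
    scheme, sep, rest = stored.partition("$")
    if sep and rest and scheme.lower() in ("sha1", "bcrypt"):
        return scheme.lower()
    return "unknown"


def audit(rows):
    """rows: iterable of (login, stored_hash) exported from the user table.
    Returns (counts per scheme, logins whose hash needs review)."""
    counts, review = Counter(), []
    for login, stored in rows:
        scheme = scheme_of(stored)
        counts[scheme] += 1
        if scheme in ("sha1", "unknown"):
            review.append(login)
    return dict(counts), sorted(review)


# Constructed sample rows (placeholder values, not real hashes)
SAMPLE_ROWS = [
    ("admin", "sha1$" + "a" * 40 + "$Xy12Ab34"),
    ("nurse1", "bcrypt$$2b$12$" + "b" * 53),
    ("lab", ""),
    ("legacy", "c" * 40),
]

if __name__ == "__main__":
    print("new passwords will be hashed with:", active_scheme())
    counts, review = audit(SAMPLE_ROWS)
    print("stored hashes by scheme:", counts)
    print("logins to review (not bcrypt):", review)
```

If `active_scheme()` still reports `sha1` after the `pip3 install --user bcrypt` step, the package was installed for a different user or interpreter than the one running the server.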