On Tue, Aug 23, 2011 at 11:31:02AM +0200, Hannes Magnusson wrote:
> Added to http://php.net/security/crypt, and added a link from the
> release announcement and changelog.
> (should show up in an hour or two).

Thanks. I suggest the following three changes:

1. Change the title from "crypt() security fix details" to "CRYPT_BLOWFISH security fix details" to avoid confusion with the CRYPT_MD5 problem inadvertently introduced in 5.3.7.

2. Remove this paragraph:

BTW, PHP 5.3.7+ has been updated to crypt_blowfish 1.2, not the intermediate 1.1 release referenced in the previous comment. The differences between 1.1 and 1.2 include introduction of the countermeasure for $2a$ mentioned above and the $2y$ prefix.

which made sense in the bug comments (after a preceding comment), but is unneeded here.

3. Maybe the URL should be .../crypt_blowfish rather than .../crypt, since there will definitely be more fixes/changes to PHP's crypt(), some of which might need their own release notes. It might be too late to make this change, though.

Alexander