On Tue, Aug 23, 2011 at 12:30, Solar Designer <so...@openwall.com> wrote:
> On Tue, Aug 23, 2011 at 11:31:02AM +0200, Hannes Magnusson wrote:
>> Added to http://php.net/security/crypt, and added a link from the
>> release announcement and changelog.
>> (should show up in an hour or two).
>
> Thanks. I suggest the following three changes:
>
> 1. Change the title from "crypt() security fix details" to
> "CRYPT_BLOWFISH security fix details" to avoid confusion with the
> CRYPT_MD5 problem inadvertently introduced in 5.3.7.

done

> 2. Remove this paragraph:
>
> BTW, PHP 5.3.7+ has been updated to crypt_blowfish 1.2, not the
> intermediate 1.1 release referenced in the previous comment. The
> differences between 1.1 and 1.2 include introduction of the
> countermeasure for $2a$ mentioned above and the $2y$ prefix.
>
> which made sense in the bug comments (after a preceding comment), but is
> unneeded here.

done

>
> 3. Maybe the URL should be .../crypt_blowfish rather than .../crypt,
> since there will definitely be more fixes/changes to PHP's crypt(), some
> of which might need their own release notes. It might be too late to
> make this change, though.

done. Added a fallback from /security/crypt to /security/crypt_blowfish
for the time being.

-Hannes

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php