Opened 5 months ago
Last modified 3 weeks ago
#61258 new defect (bug)
class-phpass.php uses old '2a' prefix for crypt_blowfish hashes
Field | Value | Field | Value
---|---|---|---
Reported by: | timrutter | Owned by: | |
Milestone: | Awaiting Review | Priority: | normal
Severity: | normal | Version: | 5.8
Component: | External Libraries | Keywords: | has-patch
Focuses: | | Cc: |
Description
class-phpass.php currently uses the old '2a' prefix for crypt_blowfish hashes.
Since PHP 5.3.7 (crypt_blowfish 1.2) the prefix of '2y' has been recommended.
The prefix '$2y$' is used to identify correctly computed hashes from the older, potentially weak '$2a$' hashes from CVE-2011-2483.
Attachments (1)
Change History (4)
This ticket was mentioned in PR #6593 on WordPress/wordpress-develop by t-rutter.
5 months ago
#1
- Updated gensalt_blowfish() to use the prefix '$2y' for PHP versions 5.2.7 and later.
- Added backwards compatible define for PHP_VERSION_ID.
- Removed duplicate PHPDOC comment.
Trac ticket: https://core.trac.wordpress.org/ticket/61258
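As an added illustration of the change the PR describes (this is not WordPress or phpass code, and not the attached patch), the PHP below gates the bcrypt prefix on PHP_VERSION_ID, defines that constant for interpreters older than 5.2.7 where it does not exist, and round-trips a password through crypt() so the resulting '$2y$' hash can be checked. The function names and the 5.3.7 threshold (taken from the ticket description rather than the PR text) are this example's own assumptions.

```php
<?php
// Added example, not WordPress or phpass code: a version-gated bcrypt salt
// generator in the spirit of the ticket, plus a round-trip check with crypt().

// PHP_VERSION_ID only exists from PHP 5.2.7; derive it from PHP_VERSION before that.
if (!defined('PHP_VERSION_ID')) {
    $v = explode('.', PHP_VERSION);
    define('PHP_VERSION_ID', (int) $v[0] * 10000 + (int) $v[1] * 100 + (int) $v[2]);
}

// crypt() understands '$2y$' from PHP 5.3.7 (crypt_blowfish 1.2) onward.
// Older interpreters only know '$2a$', so the prefix must be gated on version.
function bcrypt_prefix() {
    return PHP_VERSION_ID >= 50307 ? '$2y$' : '$2a$';
}

// Build a crypt() salt: prefix, two-digit cost (04..31) and 22 characters of
// salt derived from 16 random bytes. Standard base64 emits '+', which is not
// in crypt()'s ./A-Za-z0-9 salt alphabet, so it is mapped to '.'.
function gensalt_blowfish_versioned($cost) {
    if ($cost < 4 || $cost > 31) {
        return false;
    }
    // random_bytes() needs PHP 7; fall back to the OpenSSL CSPRNG on older PHP.
    $random = function_exists('random_bytes')
        ? random_bytes(16)
        : openssl_random_pseudo_bytes(16);
    $salt22 = substr(strtr(base64_encode($random), '+', '.'), 0, 22);
    return bcrypt_prefix() . sprintf('%02d', $cost) . '$' . $salt22;
}

// crypt() signals an unsupported or malformed salt by returning a short
// string such as '*0', so a genuine bcrypt result is always 60 characters.
function bcrypt_hash($password, $cost = 10) {
    $hash = crypt($password, gensalt_blowfish_versioned($cost));
    return strlen($hash) === 60 ? $hash : false;
}

// Re-hashing with the stored hash as the salt reproduces it only for the right password.
function bcrypt_check($password, $hash) {
    return strlen($hash) === 60 && crypt($password, $hash) === $hash;
}

// Demonstration: the prefix the running interpreter selected, then one good
// and one bad verification.
$hash = bcrypt_hash('correct horse battery staple');
var_dump(substr($hash, 0, 4));
var_dump(bcrypt_check('correct horse battery staple', $hash));
var_dump(bcrypt_check('wrong password', $hash));
```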
#2
5 weeks ago
- Component changed from Security to External Libraries
- Version changed from 6.6 to 5.8
#3
3 weeks ago
PHPass is an external library and still externally maintained. This should not be handled here, but reported upstream: https://github.com/openwall/phpass
If this would lead to a new release of the upstream library, WordPress should update (if and when).
class-phpass.patch