oss-sec mailing list archives
Re: CVE Request -- Revelation: 1) Limits effective password length to 32 characters 2) Doesn't iterate the passphrase through SHA algorithm to derive the encryption key
From: "Steven M. Christey" <coley () rcf-smtp mitre org>
Date: Tue, 19 Jun 2012 15:05:04 -0400 (EDT)
On Mon, 18 Jun 2012, Kurt Seifried wrote:
> Assigned 2012 CVEs as the first clear mention of the issues is in the codepoet.no ticket. The blog entry for 2010 mentions the issue indirectly so I'm going with the more concrete mention.
This is a reasonable approach to take. The year portion of a CVE identifier can't always be associated with the actual year of disclosure, and in this case, it's arguable what counts as "sufficient disclosure" anyway. A couple minutes of investigation is sufficient.
- Steve