Comment 18 for bug 1901891

OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/zed)

Reviewed: https://review.opendev.org/c/openstack/keystone/+/890417
Committed: https://opendev.org/openstack/keystone/commit/1b3536a7a4d72e7f7b95cc1874a450accad3ec8d
Submitter: "Zuul (22348)"
Branch: stable/zed

commit 1b3536a7a4d72e7f7b95cc1874a450accad3ec8d
Author: Dave Wilde (d34dh0r53) <email address hidden>
Date: Wed Feb 9 11:28:59 2022 -0600

    Force algo specific maximum length

    The bcrypt algorithm that we use for password hashing silently
    limits the length of the password that is hashed, giving the
    user a false sense of security [0]. This patch adds a check
    in the verify_length_and_trunc_password function for the hash in
    use and updates the max_length accordingly; this will override
    the configured value and log a warning if the password is truncated.

    Conflicts:
    * tox.ini

    [0]: https://passlib.readthedocs.io/en/stable/lib/passlib.hash.bcrypt.html#security-issues

    Closes-bug: #1901891
    Change-Id: I8d0bb2438b23227b5a66b94af6f8e198084fcd8d
    (cherry picked from commit 3288af579de8ee312c36fb78ac9309ce8c554827)
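The check the commit message describes, written out as an added illustration rather than keystone's own code: the effective maximum is the smaller of the configured value and the limit the hashing algorithm actually honours, and a warning is logged whenever either the configuration or the password is cut down. bcrypt's 72-byte input limit is a documented property of the algorithm; the function names, the `strict` flag, the `"scrypt"` label used as the contrasting algorithm, and the constructed inputs in the usage section are assumptions for this example. Nothing here calls a bcrypt library, so it runs offline.

```python
"""Enforce an algorithm-specific password length ceiling before hashing.

Added example, not keystone code. bcrypt mixes only the first 72 bytes of
its input, so a configured maximum above that would let two passwords that
differ only after byte 72 verify as the same secret.
"""
import logging

LOG = logging.getLogger(__name__)

# Byte limits the hash algorithms actually honour. bcrypt's 72-byte limit is
# inherent to the algorithm; algorithms absent from this map impose no ceiling
# below the configured value (assumed table for this example).
ALGORITHM_MAX_BYTES = {
    "bcrypt": 72,
}


class PasswordVerificationError(ValueError):
    """Raised in strict mode when the password exceeds the effective limit."""


def effective_max_length(hash_algorithm, configured_max_length):
    """Return (limit to enforce, whether the algorithm forced it down)."""
    algo_limit = ALGORITHM_MAX_BYTES.get(hash_algorithm)
    if algo_limit is not None and configured_max_length > algo_limit:
        LOG.warning(
            "Configured max_password_length %d exceeds the %s limit of %d "
            "bytes; enforcing %d",
            configured_max_length, hash_algorithm, algo_limit, algo_limit)
        return algo_limit, True
    return configured_max_length, False


def verify_length_and_trunc_password(password, hash_algorithm,
                                     configured_max_length, strict=False):
    """Return (utf8_bytes_to_hash, truncated) for the given password.

    In strict mode an over-long password is rejected instead of silently
    shortened, so the caller learns about the problem. The cut is made on
    bytes because that is what the hash consumes; splitting a multibyte
    character is harmless since the result is only hashed, never decoded.
    """
    if not isinstance(password, str):
        raise TypeError("password must be a str")
    max_length, _ = effective_max_length(hash_algorithm, configured_max_length)
    password_utf8 = password.encode("utf-8")
    if len(password_utf8) <= max_length:
        return password_utf8, False
    if strict:
        raise PasswordVerificationError(
            "password exceeds maximum length of %d bytes" % max_length)
    LOG.warning("Truncating user password to %d bytes", max_length)
    return password_utf8[:max_length], True


def indistinguishable_to_algorithm(password_a, password_b, hash_algorithm):
    """True if the algorithm would mix identical bytes for both passwords.

    Models the silent truncation the commit message warns about: with bcrypt,
    two passwords that agree on their first 72 bytes produce the same hash,
    so any characters beyond that add no security at all.
    """
    limit = ALGORITHM_MAX_BYTES.get(hash_algorithm)
    a, b = password_a.encode("utf-8"), password_b.encode("utf-8")
    if limit is None:
        return a == b
    return a[:limit] == b[:limit]


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    # Constructed inputs: a 4096-byte configured maximum (far above bcrypt's
    # limit) and two passwords that differ only in their 73rd character.
    long_a = "a" * 72 + "x"
    long_b = "a" * 72 + "y"
    print("bcrypt sees them as equal:",
          indistinguishable_to_algorithm(long_a, long_b, "bcrypt"))
    print("effective limit for bcrypt:", effective_max_length("bcrypt", 4096))
    print("hashed bytes:", verify_length_and_trunc_password(long_a, "bcrypt", 4096))
```

Running the module as a script logs the two warnings from the commit message (configured maximum overridden, password truncated) and shows why the override matters: before the check, a deployment configured with a 4096-byte maximum would have accepted `long_a` and `long_b` as different passwords while bcrypt hashed them identically.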