Insufficient salting in the net-ldap Ruby gem
Pierre Carrier
pierre.carrier at airbnb.com
Wed Feb 12 22:02:50 UTC 2014
Hello,
SSHA passwords generated by the net-ldap Ruby gem use a salt between
"0" and "999", only providing 10 bits of entropy.
This is an attack vector, making attacks based on rainbow tables
significantly easier than with a strong salt.
https://github.com/ruby-ldap/ruby-net-ldap/blob/master/lib/net/ldap/password.rb#L29
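To make the reported weakness concrete, the following Ruby is an added example (not the gem's own code and not part of the original message). It builds SSHA hashes in the usual layout assumed here, "{SSHA}" followed by Base64 of SHA-1(password || salt) || salt, once with a constructed three-digit salt mirroring the "0".."999" pattern the report describes and once with a 16-byte salt from the OS CSPRNG, computes the entropy of each salt space, and includes a small audit check a defender could run over stored hashes to flag the short decimal salts. The helper names (`weak_salt`, `strong_salt`, `weak_salt?`) are this example's own.

```ruby
require 'digest/sha1'
require 'base64'
require 'securerandom'

# SSHA layout assumed by this example: "{SSHA}" + Base64( SHA1(password || salt) || salt ).
# Strings are forced to binary (.b) so non-ASCII passwords and raw salt bytes concatenate safely.
def ssha(password, salt)
  digest = Digest::SHA1.digest(password.b + salt.b)
  "{SSHA}" + Base64.strict_encode64(digest + salt.b)
end

# Constructed illustration of the weakness in the report: a decimal string "0".."999".
# Only 1000 possible salts, i.e. under 10 bits, so one rainbow table per salt value is cheap.
def weak_salt
  rand(1000).to_s
end

# Stronger alternative: 16 bytes (128 bits) from the OS CSPRNG, one table per salt is infeasible.
def strong_salt(bytes = 16)
  SecureRandom.random_bytes(bytes)
end

# Entropy in bits of a salt drawn uniformly from a space of the given size.
def salt_entropy_bits(space_size)
  Math.log2(space_size)
end

# Split an SSHA hash back into [sha1_digest, salt]; SHA-1 digests are 20 bytes.
def parse_ssha(hash)
  raise ArgumentError, "not an SSHA hash" unless hash.start_with?("{SSHA}")
  raw = Base64.strict_decode64(hash.delete_prefix("{SSHA}"))
  raise ArgumentError, "truncated SSHA hash" if raw.bytesize <= 20
  [raw[0, 20], raw[20..-1]]
end

# Verify a candidate password against a stored SSHA hash.
def ssha_valid?(password, hash)
  digest, salt = parse_ssha(hash)
  Digest::SHA1.digest(password.b + salt) == digest
end

# Audit helper for defenders: flag a stored hash whose salt is short or made only of
# decimal digits, which is the pattern the report describes. Any salt under 8 bytes is
# treated as weak regardless of content.
def weak_salt?(hash)
  _, salt = parse_ssha(hash)
  return true if salt.bytesize < 8
  salt.bytesize <= 3 && salt.bytes.all? { |b| b.between?(0x30, 0x39) }
end

if __FILE__ == $0
  weak   = ssha("correct horse", weak_salt)
  strong = ssha("correct horse", strong_salt)
  puts "weak salt space:   #{salt_entropy_bits(1000).round(2)} bits -> flagged=#{weak_salt?(weak)}"
  puts "strong salt space: #{salt_entropy_bits(256**16).round(2)} bits -> flagged=#{weak_salt?(strong)}"
  puts "verify ok: #{ssha_valid?('correct horse', strong)}"
end
```

Running it prints the entropy gap (about 9.97 bits versus 128 bits) and shows the audit check flagging only the hash built with the three-digit salt; the same `weak_salt?` call can be applied to each `userPassword` value exported from a directory to find entries that need re-hashing on next login.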
This E-mail is sent to the current upstream maintainer and all vendors
that distribute a version of that gem.
Your version might not be affected; if not, sorry for the noise.
Best,
--
Pierre Carrier
Site Reliability Engineer, Airbnb