Insufficient salting in the net-ldap Ruby gem

Pierre Carrier pierre.carrier at
Wed Feb 12 22:02:50 UTC 2014


SSHA passwords generated by the net-ldap Ruby gem use a salt between
"0" and "999", only providing 10 bits of entropy.

This is an attack vector, making attacks based on rainbow tables
significantly easier than with a strong salt.

This E-mail is sent to the current upstream maintainer and all vendors
that distribute a version of that gem.
Your version might not be affected; if not, sorry for the noise.


Pierre Carrier
Site Reliability Engineer, Airbnb

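To make the report concrete, here is an added example (not code from net-ldap or from the reporter) that builds SSHA hashes in the standard LDAP layout, {SSHA} + base64(SHA1(password || salt) || salt), once with a salt drawn from "0".."999" as described above and once with 16 bytes from the OS CSPRNG. It also shows why the small salt space matters: a precomputed table for a password dictionary only needs 1000 entries per word to cover every possible salt, whereas a 128-bit salt makes such a table infeasible. The helper names (weak_salt, strong_salt, weak_ssha_salt?, precompute_table) are this example's own.

```ruby
require 'digest/sha1'
require 'securerandom'
require 'base64'

# Added example, not the net-ldap gem's implementation.
# SSHA on the wire: "{SSHA}" + base64( SHA1(password || salt) || salt )

# Weak salt as described in the report: a decimal string from "0" to "999",
# i.e. only 1000 possibilities (~10 bits).
def weak_salt
  rand(1000).to_s
end

# Strong salt: 16 bytes (128 bits) from the OS CSPRNG.
def strong_salt
  SecureRandom.random_bytes(16)
end

# Build an SSHA hash string. Both inputs are forced to binary so that a
# random-byte salt can be appended to any password encoding.
def ssha(password, salt)
  digest = Digest::SHA1.digest(password.b + salt.b)
  "{SSHA}" + Base64.strict_encode64(digest + salt.b)
end

# Split a stored hash back into [sha1_digest, salt].
def parse_ssha(hash)
  raise ArgumentError, "not an SSHA hash" unless hash.start_with?("{SSHA}")
  raw = Base64.strict_decode64(hash[6..-1])
  [raw[0, 20], raw[20..-1]]
end

# Constant-time byte comparison to avoid leaking where digests differ.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def ssha_verify(password, hash)
  digest, salt = parse_ssha(hash)
  secure_compare(Digest::SHA1.digest(password.b + salt), digest)
end

# Audit check: flags hashes whose salt is a 1-3 digit decimal string,
# the pattern produced by the weak generator above.
def weak_ssha_salt?(hash)
  _, salt = parse_ssha(hash)
  salt.bytesize <= 3 && salt.match?(/\A\d{1,3}\z/)
end

# Attacker side: precompute SHA1(word || salt) for every salt "0".."999".
# Cost is 1000 * |dictionary| hashes, which is what makes the weak salt
# practical to table; the same table against 128-bit salts is hopeless.
def precompute_table(dictionary)
  table = {}
  dictionary.each do |word|
    (0..999).each do |s|
      salt = s.to_s
      table[Digest::SHA1.digest(word.b + salt) + salt] = word
    end
  end
  table
end

# Look up a stored hash in the table; returns the password or nil.
def lookup(table, hash)
  digest, salt = parse_ssha(hash)
  table[digest + salt]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs for the demonstration.
  weak   = ssha("hunter2", weak_salt)
  strong = ssha("hunter2", strong_salt)
  table  = precompute_table(%w[password hunter2 letmein])
  puts "weak:   #{weak}  -> recovered: #{lookup(table, weak).inspect}"
  puts "strong: #{strong}  -> recovered: #{lookup(table, strong).inspect}"
end
```

Running the script shows the weak hash recovered from a 3000-entry table while the strong hash is not; weak_ssha_salt? can be run over an existing directory export to find entries that should be rehashed on next login.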
More information about the freebsd-bugbusters mailing list