Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

13.0.0 Release Notes #3040

Closed
hueniverse opened this issue Feb 1, 2016 · 2 comments
Closed

13.0.0 Release Notes #3040

hueniverse opened this issue Feb 1, 2016 · 2 comments
Assignees
@hueniverse
Labels
breaking changes Change that can breaking existing code release notes Major release documentation
Milestone
13.0.0

Comments

@hueniverse
Copy link
Contributor

hueniverse commented Feb 1, 2016
edited
Loading

Summary

hapi v13.0.0 is a tiny release with a single change to ensure passwords passed internally to the iron module are sufficiently long (a new minimum length of 32 characters). This release will simply assert if short passwords are passed. This is a critical verification as short password are easy to exploit with a brute force.

  • Upgrade time: low - no time to a couple of hours for most users
  • Complexity: low - potentially requires increasing password string length
  • Risk: low - low risk of side effects and no changes to keep track of overall
  • Dependencies: low- applies to a single API call

Thanks to @tomsteele for his help with this release.

Sponsor


The v13.0.0 major release is sponsored by Sideway.

Breaking Changes

  • Requires passwords used to encrypt or sign cookies to be at least 32 character long.

New Features

None.

Bug fixes

None.

Updated dependencies

  • iron from v3.0.1 to v4.0.0
  • statehood from v3.1.0 to v4.0.0

Migration Checklist

Password length

The new requirement will cause invalid configurations to fail with an error that the password string is too short. This is a good thing - you want it to fail because if your password is indeed too short, you are at real risk of being exploited. Because the internal encryption mechanism uses the pbkdf2 algorithm with a single iteration to generate the keys, it is a pretty quick operation. Because the method is called on every incoming request, increasing the iteration count would have a linear negative impact on performance. To avoid that, a long password creates far too many possible password combination for an attacker to try in a timely manner.

Checklist:

  • Check your code for calls to server.state() or connection state configuration for password or sign.password and if present ensure you are passing a string that is at least 32 characters long.
@hueniverse hueniverse added breaking changes Change that can breaking existing code release notes Major release documentation labels Feb 1, 2016
@hueniverse hueniverse self-assigned this Feb 1, 2016
@hueniverse hueniverse added this to the 13.0.0 milestone Feb 1, 2016
@rluba
Copy link
Contributor

rluba commented Feb 1, 2016

The corresponding tag is not yet pushed. Might also be the reason for #3041?

@hueniverse
Copy link
Contributor Author

My vm died while I was away so it probably failed at the end of the publish script. Fixed now. thanks.

@ldesplat ldesplat mentioned this issue Feb 27, 2016
Closed
@ScottDowne ScottDowne mentioned this issue Apr 5, 2016
Merged
@slester slester mentioned this issue Apr 28, 2016
Open
@lock lock bot locked as resolved and limited conversation to collaborators Jan 10, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@hueniverse hueniverse

Labels
breaking changes Change that can breaking existing code release notes Major release documentation
Projects
None yet
Milestone
13.0.0
Development

No branches or pull requests
2 participants
@hueniverse @rluba