[Health-dev] [bug #52020] Missing bcrypt dependency in gnuhealth-setup

From: Luis Falcon
Subject: [Health-dev] [bug #52020] Missing bcrypt dependency in gnuhealth-setup
Date: Thu, 14 Sep 2017 12:07:23 -0400 (EDT)
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0


                 Summary: Missing bcrypt dependency in gnuhealth-setup
                 Project: GNU Health
            Submitted by: meanmicio
            Submitted on: Thu 14 Sep 2017 04:07:22 PM UTC
                Category: Security
                Severity: 3 - Normal
              Item Group: None
                  Status: Confirmed
                 Privacy: Public
             Assigned to: meanmicio
             Open/Closed: Open
         Discussion Lock: Any
                 Release: None
                  Module: gnuhealth-setup



Mathias Behrle noticed that the standard installation for GNU Health
(gnuhealth-setup) is missing the bcrypt package.

Although Tryton falls back to the SHA1 algorithm for hashing the passwords if it
does not find bcrypt, we recommend using Bcrypt.

Bcrypt is a "slow" hash algorithm; thus, it makes brute-force attacks harder
(from the time point of view), and the penalty for the user logging in is not
noticeable (especially across the network).

We will release a new version for gnuhealth-setup (3.2.1), which will include
bcrypt in the dependency list.

In the meantime, just install the bcrypt package manually with the *gnuhealth*

gnuhealth $ pip3 install --user bcrypt

Don't forget to restart (no need to update) the Tryton server.

PS: This applies just to the standard / vanilla GNU Health distribution. Those
installations that use pypi packages already have the dependency in place.
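
An added example, not part of the original report and not GNU Health or Tryton code: a small check, run with the same python3 as the gnuhealth user, that reports whether bcrypt is importable (and so which scheme the fallback described above would pick) and flags stored password values that are not bcrypt. The `<scheme>$<rest>` layout of the stored value, the function names and the sample rows are assumptions made for illustration.

```python
import importlib.util
from collections import Counter


def bcrypt_available():
    """True when this interpreter (run it as the gnuhealth user) can import bcrypt."""
    return importlib.util.find_spec("bcrypt") is not None


def selected_scheme(have_bcrypt):
    """Fallback described in the report: bcrypt when present, SHA1 otherwise."""
    return "bcrypt" if have_bcrypt else "sha1"


def scheme_of(stored):
    """Scheme label of one stored value; ASSUMED layout is '<scheme>$<rest>'."""
    if not stored:
        return "none"  # no password set
    scheme, sep, rest = stored.partition("$")
    return scheme.lower() if sep and rest else "unknown"


def audit(rows):
    """Count schemes and list logins whose hash is not bcrypt."""
    counts, review = Counter(), []
    for login, stored in rows:
        scheme = scheme_of(stored)
        counts[scheme] += 1
        if scheme not in ("bcrypt", "none"):
            review.append(login)
    return dict(counts), sorted(review)


# Constructed sample rows (login, stored value); placeholders, not real hashes.
SAMPLE_ROWS = [
    ("admin", "sha1$" + "0" * 40 + "$saltsalt"),
    ("nurse1", "bcrypt$$2b$12$" + "x" * 53),
    ("lab", "sha1$" + "1" * 40 + "$saltsalt"),
    ("disabled", ""),
    ("legacy", "notahash"),
]

if __name__ == "__main__":
    have = bcrypt_available()
    print("bcrypt importable:", have, "-> new hashes use", selected_scheme(have))
    counts, review = audit(SAMPLE_ROWS)
    print("stored schemes:", counts)
    print("not on bcrypt:", ", ".join(review))
```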


