author    Michael Merickel <michael@merickel.org>  2012-11-04 11:19:41 -0600
committer Michael Merickel <michael@merickel.org>  2012-11-04 11:19:41 -0600
commit    19b8207ff1e959669d296407ed112545364a495d (patch)
tree      02ce76919f96d9f3f74bf1db99e00be3598183c7 /CHANGES.txt
parent    9149461a45399a9f7f23322daa7c02e1397f9a91 (diff)
merged SHA512AuthTktAuthenticationPolicy into AuthTktAuthenticationPolicy
AuthTktAuthenticationPolicy now accepts a hashalg parameter and is no longer deprecated. Docs recommend overriding hashalg and using 'sha512'.
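The commit message says the policy now takes a hashalg argument and that the docs recommend 'sha512'. The block below is an added example, not Pyramid's own code: a minimal reimplementation of the auth_tkt ticket format with the hash algorithm as a parameter, written to show why a ticket minted under md5 never verifies under sha512 (and vice versa), which is the re-login consequence the old changelog text warned about. It assumes the mod_auth_tkt digest layout (two hash rounds over the packed IP and timestamp, the secret, the userid, tokens and user data); SECRET, USERID, CLIENT_IP and TIMESTAMP are constructed sample values, and make_ticket/verify_ticket are this example's own names.

```python
"""auth_tkt-style tickets with a selectable hash algorithm.

Added example; not Pyramid's implementation.  The digest construction
follows the mod_auth_tkt scheme (an assumption about the exact layout)
so that the md5/sha512 incompatibility can be demonstrated offline.
"""
import hashlib
import hmac
import struct

# Constructed sample values; not from any real deployment.
SECRET = b'example-secret-do-not-reuse'
USERID = b'alice'
CLIENT_IP = '0.0.0.0'     # auth_tkt uses 0.0.0.0 when the IP is not bound into the ticket
TIMESTAMP = 0x5096a17d    # fixed so tickets are reproducible


def _encode_ip_timestamp(ip, timestamp):
    """Pack the four IP octets followed by the big-endian 32-bit timestamp."""
    return bytes(int(part) for part in ip.split('.')) + struct.pack('>I', timestamp)


def _digest(secret, userid, ip, timestamp, tokens, user_data, hashalg):
    """Two-round keyed digest over the ticket fields, hex encoded.

    hashalg is any name hashlib.new() accepts, e.g. 'md5' or 'sha512';
    the hex digest length therefore depends on the algorithm chosen.
    """
    def h(data):
        return hashlib.new(hashalg, data).hexdigest()

    digest0 = h(_encode_ip_timestamp(ip, timestamp)
                + secret + userid + b'\0' + tokens + b'\0' + user_data)
    return h(digest0.encode('ascii') + secret)


def make_ticket(secret, userid, ip, timestamp, tokens=b'', user_data=b'', hashalg='md5'):
    """Mint a ticket: <digest><8 hex ts><userid>!<tokens>!<user_data>."""
    digest = _digest(secret, userid, ip, timestamp, tokens, user_data, hashalg)
    return (digest + '%08x' % timestamp
            + userid.decode('ascii') + '!'
            + tokens.decode('ascii') + '!'
            + user_data.decode('ascii'))


def verify_ticket(secret, ticket, ip, hashalg='md5'):
    """Return the userid if the ticket verifies under hashalg, else None.

    The digest is sliced by the *verifier's* algorithm, so a ticket minted
    with a different hash either fails to parse or fails the comparison.
    """
    digest_size = hashlib.new(hashalg).digest_size * 2  # hex characters
    digest = ticket[:digest_size]
    try:
        timestamp = int(ticket[digest_size:digest_size + 8], 16)
    except ValueError:          # too short or non-hex where the timestamp should be
        return None
    rest = ticket[digest_size + 8:]
    if '!' not in rest:
        return None
    userid, data = rest.split('!', 1)
    if '!' in data:
        tokens, user_data = data.split('!', 1)
    else:
        tokens, user_data = '', data
    expected = _digest(secret, userid.encode('ascii'), ip, timestamp,
                       tokens.encode('ascii'), user_data.encode('ascii'), hashalg)
    # Constant-time comparison so digest mismatches do not leak by timing.
    if not hmac.compare_digest(expected, digest):
        return None
    return userid


def cross_check():
    """Verify each ticket under both algorithms; only the matching pair succeeds."""
    md5_ticket = make_ticket(SECRET, USERID, CLIENT_IP, TIMESTAMP, hashalg='md5')
    sha512_ticket = make_ticket(SECRET, USERID, CLIENT_IP, TIMESTAMP, hashalg='sha512')
    return {
        'md5/md5': verify_ticket(SECRET, md5_ticket, CLIENT_IP, 'md5'),
        'md5/sha512': verify_ticket(SECRET, md5_ticket, CLIENT_IP, 'sha512'),
        'sha512/sha512': verify_ticket(SECRET, sha512_ticket, CLIENT_IP, 'sha512'),
        'sha512/md5': verify_ticket(SECRET, sha512_ticket, CLIENT_IP, 'md5'),
    }


if __name__ == '__main__':
    for pair, result in cross_check().items():
        print(pair, '->', result)
```

Because the digest length is fixed by the verifier's algorithm (32 hex characters for md5, 128 for sha512), every cookie issued before a switch to hashalg='sha512' is rejected outright, which is why the old deprecation note said existing users would have to log in again; the same applies in reverse if a deployment must stay md5 for Apache mod_auth_tkt compatibility.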
Diffstat (limited to 'CHANGES.txt')
-rw-r--r--  CHANGES.txt  22
1 files changed, 4 insertions, 18 deletions
diff --git a/CHANGES.txt b/CHANGES.txt
index 45fc19762..390d3c3e3 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -4,6 +4,10 @@ Next release
Features
--------
+- ``pyramid.authentication.AuthTktAuthenticationPolicy`` has been updated to
+ support newer hashing algorithms such as ``sha512``. Existing applications
+ should consider updating if possible.
+
- Added an ``effective_principals`` route and view predicate.
- Do not allow the userid returned from the ``authenticated_userid`` or the
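Review bot: the new Features entry ("``pyramid.authentication.AuthTktAuthenticationPolicy`` has been updated to support newer hashing algorithms such as ``sha512``. Existing applications should consider updating if possible.") tells readers to update without saying what to change or what it costs. The commit message states the policy now accepts a ``hashalg`` argument and that the docs recommend ``'sha512'``; name the argument and the recommended value here, and carry over the two caveats this same patch deletes from the Deprecations section: tickets signed with a different hash do not verify, so changing the algorithm forces every logged-in user to re-login, and sha512 tickets are not compatible with Apache's mod_auth_tkt. Suggested wording: "``AuthTktAuthenticationPolicy`` now accepts a ``hashalg`` argument; pass ``hashalg='sha512'`` unless you need md5 cookies for mod_auth_tkt compatibility. Existing cookies become invalid when the algorithm changes."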
@@ -43,24 +47,6 @@ Bug Fixes
attribute of the request. It no longer fails in this case. See
https://github.com/Pylons/pyramid/issues/700
-Deprecations
-------------
-
-- The ``pyramid.authentication.AuthTktAuthenticationPolicy`` authentication
- policy is deprecated in Pyramid 1.4 due to its use of the MD5 hashing
- algorithm, which has known hash collision vulnerabilities. The risk of an
- exploit is low. However, for improved authentication security, use the
- ``pyramid.authentication.SHA512AuthTktAuthenticationPolicy`` instead.
- Cookies generated by the AuthTktAuthenticationPolicy are not compatible with
- cookies generated by the SHA512AuthTktAuthenticationPolicy, however, so
- switching to the latter will imply that all existing users with a valid
- cookie will be required to re-login. The SHA-512 version is not compatible
- with Apache's mod_auth_tkt either, so if you are relying on that
- compatibility, you'll want to stick with the MD5 version.
-
- A deprecation warning is now emitted when the AuthTktAuthenticationPolicy is
- imported.
-
Internals
---------
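Review bot: this hunk removes the only changelog statement that the policy emits a deprecation warning on import ("A deprecation warning is now emitted when the AuthTktAuthenticationPolicy is imported."). The commit message says the class is no longer deprecated, so the warning itself must go in the same change; this diff is limited to CHANGES.txt, so that cannot be confirmed from this page and should be checked in ``pyramid/authentication.py``. Also, ``SHA512AuthTktAuthenticationPolicy`` was advertised here as a public name; both entries sit under "Next release", so if the class never shipped, deleting the section wholesale is fine, but if it appeared in any released version a removal or alias note belongs in this file.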